Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label hacking groups. Show all posts
Researchers
Cyber Attack Exploit Cyber Attacks Hackers hacking groups Logging Tool Ransomware Remote Access Tool Researchers

Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers

 

Researchers have provided a detailed look at a system called DoubleFeature, which is dedicated to logging the various stages of post-exploitation resulting from the Equation Group's deployment of DanderSpritz, a full-featured malware architecture. 

DanderSpritz was discovered on April 14, 2017, when a hacker group known as the Shadow Brokers published a report titled "Lost in Translation" that included the exploit tool and others. EternalBlue, a cyberattack exploit created by the US National Security Agency (NSA) that allowed threat actors to carry out the NotPetya ransomware attack on unpatched Windows PCs, was also included in the leaks. 

The tool is a modular, covert, and fully functioning framework for post-exploitation activities on Windows and Linux that depends on dozens of plugins. One of them is DoubleFeature, which serves as a "diagnostic tool for victim machines carrying DanderSpritz," according to Check Point researchers in a new paper released Monday. 

The Israeli cybersecurity firm added, "DoubleFeature could be used as a sort of Rosetta Stone for better understanding DanderSpritz modules, and systems compromised by them. It's an incident response team's pipe dream." 

DoubleFeature is a Python-based dashboard that doubles as a reporting utility to exfiltrate logging information from an infected system to an attacker-controlled server. It's designed to keep track of the types of tools that could be deployed on a target machine. A specific executable named "DoubleFeatureReader.exe" is used to interpret the output. 

Data Breach Prevention 

Some of the plugins monitored by DoubleFeature include remote access tools called UnitedRake (aka EquationDrug) and PeddleCheap, a stealthy data exfiltration backdoor dubbed StraitBizarre, an espionage platform called KillSuit (aka GrayFish), a persistence toolset named DiveBar, a covert network access driver called FlewAvenue, and a validator implant named MistyVeal that verifies if the compromised system is indeed an authentic victim machine and not a research environment. 

The researchers stated, "Sometimes, the world of high-tier APT tools and the world of ordinary malware can seem like two parallel universes." 

"Nation-state actors tend to [maintain] clandestine, gigantic codebases, sporting a huge gamut of features that have been cultivated over decades due to practical need. It turns out we too are still slowly chewing on the 4-year-old leak that revealed DanderSpritz to us, and gaining new insights."
Read more »
Vaccine
APT Group Cobalt Strike Cyberattack hacking groups Healthcare malware Threat Detection Vaccine

Threat Actors Targeting Vaccine Manufacturing Facility with Tardigrade Malware

 

Biomanufacturing facilities in the US are being actively targeted by an anonymous hacking group leveraging a new custom malware called ‘Tardigrade’. 

In a new threat advisory, the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) claimed this week that the first attack was launched using this new malware in spring 2021, followed by the second assault in October.

 New malware strain

According to BIO-ISAC, Tardigrade possesses advanced features and is supposedly the work of an advanced threat detection group or a nation-state intelligence service. The malware is primarily used for espionage though it can also cause other issues including network outages. The recent assaults are also believed to be linked to Covid-19 research as the pandemic has shown just how crucial biomanufacturing research is when creating vaccines and other drugs. 

Tardigrade’s functionality includes a Trojan, keylogger, data theft, and also establishes a backdoor into targeted systems. There is some debate regarding the origins of the code used in Tardigrade as BIO-ISAC believes the malware is based on Smoke Loader, a Windows-based backdoor operated by a hacking group called Smoky Spider. However, security researchers that spoke with Bleeping Computer believe that it is a form of the Cobalt Strike HTTP. 

“The biomanufacturing industry along with other verticals are so far behind in cybersecurity, making them a prime target for bad actors. Cyberattacks mostly happen to those that provide easy access or least path of resistance,” George Gerchow, chief security officer of machine data analytics company Sumo Logic Inc., told SiliconANGLE. 

“This is a blatant example of how attackers are focusing on human health during a time of high anxiety, and bioscience is an easy target. The industry is going to have to move quickly to put proper cyber security controls in place. It is going to be a huge mountain for them to climb as some of the companies in the industry have antiquated technology, lacked the proper skill sets, and relied too much on legacy security tools,” Gerchow added. 

The BIO-ISAC report recommends the following steps for biomanufacturing sites that will enhance the security and response postures (i) Scan your biomanufacturing network segmentation, (ii)  Collaborate with biologists and automation experts to design a full-proof analysis for your firm, (iii) Employ antivirus with behavioral analysis capabilities, (iv) Participate in phishing detection training (v) Stay vigilant.
Read more »
Russian Hackers
Cyber Attacks Germany Elections Hacking hacking groups Russian Hackers

German Election Authority Confirms Probable Cyber Attack

 

Suspected hackers momentarily impacted the website of the authority managing Germany's September 26 federal election, a spokesperson for the agency told AFP on Wednesday. 

The news was originally reported by Business Insider, and it comes as German federal prosecutors investigate suspected cyber assaults on legislators during the election campaign for a new parliament and a successor to Chancellor Angela Merkel's successor. 

In the context of the hacking report, the spokesperson stated, "At the end of August the website of the Federal Returning Officer only had limited accessibility for a few minutes due to a malfunction." 

"The problem was analysed and the technical concepts were further developed accordingly. The information for the public through the website of the Federal Returning Officer was and is ensured." 

According to Business Insider, the website that publishes the official election results was swamped with data requests in a so-called distributed denial of service assault, causing the servers to collapse. 

As per the official sources, IT systems essential for the smooth running of the election were unaffected, presumably due to enhanced safeguards in place. 

Last week, the German government accused Russian intelligence of conducting "phishing" assaults against German lawmakers, prompting the federal prosecutor's office to start an investigation on suspicion of espionage. 

Berlin has accused Russian hackers from the "Ghostwriter" gang, which is said to specialize in propagating disinformation. German intelligence believes they were attempting to obtain entry to the private email accounts of federal and regional MPs, and that the assaults were carried out by Russia's military intelligence organisation GRU. 

The European Union and the United States have frequently accused Moscow of interfering in democratic elections, a charge that Moscow rejects. 

The Russian Foreign Ministry spokesman, Maria Zakharova, stated at a briefing on Thursday, "Despite our repeated appeals through diplomatic channels, our partners in Germany have not provided any evidence of Russia's involvement in these attacks". 

Germany’s Foreign Ministry spokesperson Andrea Sasse said on Wednesday, “The German government regards this unacceptable action as a threat to the security of the Federal Republic of Germany and to the democratic decision-making process, and as a serious burden on bilateral relations. The federal government strongly urges the Russian government to cease these unlawful cyber activities with immediate effect."
Read more »
OceanLotus
APT APT attacks Backdoor hacking groups Mac OS malware OceanLotus

Updated Malware: Vietnamese Hacking Group Targeting MacOS Users

 

Researchers have discovered a new MacOS backdoor that steals credentials and confidential information. As cyber threats continue to rise, the newly discovered malware is believed to be operated by Vietnamese hacking group OceanLotus, colloquially known as APT 32. Other common names include APT-C-00, SeaLotus, and Cobalt Kitty. 
 
The nation-state backed hacking group has been operating across Asia and is known to target governments, media organizations, research institutes, human rights organizations, corporate sector, and political entities across the Philippines, Laos, Vietnam, and Cambodia. Other campaigns by the hacking group also focused on maritime construction companies. Notably, OceanLotus APT also made headlines for distributing malware through Apps on Google Play along with malicious websites. 
 
The attackers found the MacOS backdoor in a malicious Word document that supposedly came via an email. However, there is no information regarding the targets that the campaign is focusing on. In order to set the attack into motion, the victims are encouraged to run a Zip file appearing to be a Word document (disguised as a Word icon). Upon running the Zip file, the app bundled in it carrying the malware gets installed; there are two files in it, one is the shell script and another one is the Word file. The MacOS backdoor is designed by attackers to provide them with a window into the affected system, allowing them to steal sensitive data.

"Like older versions of the OceanLotus backdoor, the new version contains two main functions: one for collecting operating system information and submitting this to its malicious C&C servers and receiving additional C&C communication information, and another for the backdoor capabilities," TrendMicro explained in a blogpost. 

In an analysis, Researchers told, “When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder’s name shows ‘ALL tim nha Chi Ngoc Canada.doc’ (‘tìm nhà Chị Ngọc’ roughly translates to ‘find Mrs. Ngoc’s house’).”

“However, checking the original .zip file that contains the folder shows three unexpected bytes between ‘.’ and ‘doc’.”


Read more »
Technology
China cyber threat hacking groups Technology

Chinese Origin Threat Group Targets Hong Kong Universities with New Backdoor Variant




The Winnti, a China-linked threat group that has been active in the cyberspace since 2009 was found to be employing a new variant of the ShadowPad backdoor (group's new flagship tool) in the recent attacks where it compromised computer systems at two Hong Kong universities during the protests that began around March 2019 in Hong Kong.

The threat group of Chinese origins has largely targeted the gaming industry, while constantly expanding the scope of its targets. Various reports suggest Winnti being operated in link with some other groups including APT17, Ke3chang Axiom, Wicked Panda, BARIUM, LEAD, DeputyDog, Gref, and PlayfullDragon.

According to other sources available, Kaspersky was the first to identify the Winnti group but some researchers attribute its existence to the year 2007.

In October 2019, security researchers at ESET spotted two new backdoors used by the group – Microsoft SQL-targeting skip-2.0 and PortReuse. Later, the same year in November, ESET researchers discovered samples of ShadowPad Launcher Malware on various devices in the two universities. The Winnti was found to be present on these universities' systems a few weeks before the backdoor was confirmed.

“In November 2019, we discovered a new campaign run by the Winnti Group against two Hong Kong universities. We found a new variant of the ShadowPad backdoor, the group’s flagship backdoor, deployed using a new launcher and embedding numerous modules.” as per the analysis done by ESET.

“One can observe that the C&C URL used by both Winnti and ShadowPad complies to the scheme [backdoor_type][target_name].domain.tld:443 where [backdoor_type] is a single letter which is either “w” in the case of the Winnti malware or “b” in the case of ShadowPad.” reads the report.

“From this format, we were able to find several C&C URLs, including three additional Hong Kong universities’ names. The campaign identifiers found in the samples we’ve analyzed match the subdomain part of the C&C server, showing that these samples were really targeted against these universities.”
Read more »
hacking groups
Advanced Persistent Threat APT APT attacks China Cyber Crime hacking groups

Another Chinese state-sponsored hacking groups discovered - would be the fourth one to be found


A group of cyber security analyst, Intrusion Truth have found their fourth Chinese state-sponsored hacking operation APT 40.
"APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer," the Intrusion Truth team said. "We know that multiple areas of China each have their own APT."
APT stands for Advanced Persistent Threat and is used to describe government supported and sponsored hacking groups. 

Intrusion Truth has previously exposed three government supported APTs, APT3 (believed to operate out of the Guangdong province), APT10 (Tianjin province), and APT17 (Jinan province),  they have now doxed APT40, China's cyber apparatus in the state of Hainan, an island in the South China Sea.

In a blog post, they said they've discovered 13 companies that serve as a front for APT activists. These companies use offline details, overlapping contacts and no online presence except to recruit cyber experts. 

"Looking beyond the linked contact details though, some of the skills that these adverts are seeking are on the aggressive end of the spectrum," the Intrusion Truth team said.

"While the companies stress that they are committed to information security and cyber-defense, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks," they further said. 

APT40 RECRUITMENT MANAGED BY A PROFESSOR

Intrusion Truth was able to link all these companies mentioned above to a single person, a professor in the Information Security Department at the Hainan University.

One of the 13 companies was even headquartered at the university's library. This professor was also a former member of China's military. 

"[Name redacted by ZDNet] appeared to manage a network security competition at the university and was reportedly seeking novel ways of cracking passwords, offering large amounts of money to those able to do so," the anonymous researchers said.Intrusion Truth are pretty credible and have a good track record, US authorities have investigated  two of their three APT expose. 
Read more »
Subscribe to: Posts (Atom)