Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label APT attacks. Show all posts

China Linked APT: Raptor Train Botnet Attacks IoT Devices

China Linked APT: Raptor Train Botnet Attacks IoT Devices China Linked APT: Raptor Train Botnet Attacks IoT Devices

A new cyber threat has caught the attention of experts, Lumen’s Black Lotus Labs found a new botnet called Raptor Train, made of IOT and small office/home office (SOHO) devices. Experts believe that Raptor Train has links to China-based APT group Flax Typhoon (aka RedJuliett or Ethereal Panda). The blog talks about the threat, its technique, and the solutions.

About Raptor Train Botnet

The Raptor Train Botnet aims to launch coordinated cyber-attacks, including data theft, espionage, and DDoS attacks. Experts believe the Botnet to be active from May 2020, reaching its highest with 60,000 compromised devices in June 2023. 

After May 2020, more than 200,000 devices- NVR/DVR devices, NAS servers, IP cameras, and SOHO routers have been compromised and added to the Raptor Train, becoming the largest China-linked IoT botnets founded. A C2 domain from a recent campaign was listed in the Cisco and Cloud fare Radar Umbrella “top 1 million” lists, suggesting large-scale device exploitation. Experts believe more than 100000 devices have been compromised because of Raptor Train Botnet.

Flax Typhoon: The APT Behind Botnet

Flax Typhoon is infamous for its cyber-espionage attacks, it has a past of attacking different industries- telecommunications companies, government agencies, and defense contractors. Flax Typhoon is known for its stealth and dedication, use of sophisticated malware to gain access and steal crucial data. 

Raptor Train Mechanism

“The botnet operators manage this large and varied network through a series of distributed payload and C2 servers, a centralized Node.js backend, and a cross-platform Electron application,” reads the Lumen report. The Raptor Train Botnet exploits bugs in IoT devices, when a bug is compromised, it joins the botnet and gets instructions from C2 servers. It is then used for various malicious activities:

  • Espionage, tracking, and stealing data from organizations. 
  • DDoS attacks, crowd the target network with traffic to make it inaccessible. 
  • Data theft, getting sensitive data from the victim's devices.

Raptor Train Network Breakdown

The experts categorized the Raptor Train network into 3 tiers

Tier 1: It includes SOHO/IoT devices.

Tier 2: It includes exploitation servers, Payload servers, and C2 servers 

Tier 3: The last level consists of management nodes and “Sparrow” nodes

“A major concern of the Raptor Train botnet is the DDoS capability that we have not yet observed actively deployed, but we suspect is being maintained for future use,” the report concludes.

Analysing Advanced Persistent Threats 2023: Tactics, Targets, and Trends

 

The term "Advanced Persistent Threat" (APT) denotes a highly specialised category of cyber adversaries within the field of cybersecurity. These entities distinguish themselves through advanced skill sets and substantial access to resources, often employing sophisticated tools and techniques. APTs typically exhibit state sponsorship, indicating either direct or indirect government support or intricate ties to organized crime syndicates. 

This connection to state actors or criminal groups grants them a level of persistence and capability that far exceeds that of conventional cybercriminals. In 2023, the cybersecurity landscape has witnessed the persistent activity of several Advanced Persistent Threat (APT) groups, with attributions largely pointing to nation-states, notably Iran and China. These sophisticated entities operate at the forefront of cyber capabilities, employing advanced tactics, techniques, and procedures. Their activities extend beyond conventional cybercriminal motives, often involving strategic objectives tied to geopolitical influence, military espionage, or the compromise of critical infrastructure. As the year unfolds, the vigilance of cybersecurity experts remains crucial in monitoring and responding to the evolving tactics employed by these APT groups, reflecting the ongoing challenge of safeguarding against state-sponsored cyber threats.  

Here’s a summary of some of the most active and prominent APT Groups as of 2023:  

1) APT39  

APT39, believed to be associated with Iran, has emerged as a notable player in the cyber threat landscape in 2023. This advanced persistent threat group strategically directs its efforts towards the Middle East, with a specific focus on key sectors such as telecommunications, travel, and information technology firms. APT39 employs a sophisticated arsenal of cyber tools, including the use of SEAWEED and CACHEMONEY backdoors, along with spearphishing techniques for initial compromise. 

2) APT35 

APT35, believed to be affiliated with Iran, has solidified its position as a significant threat in 2023, honing its focus on military, diplomatic, and government personnel across the U.S., Western Europe, and the Middle East. Employing a sophisticated toolkit that includes malware such as ASPXSHELLSV and BROKEYOLK, the group employs a multifaceted approach, leveraging spearphishing and password spray attacks to infiltrate target networks. APT35's strategic interests span various sectors, encompassing U.S. and Middle Eastern military, diplomatic and government personnel, as well as organizations in the media, energy, defense industrial base (DIB), and the engineering, business services, and telecommunications sectors.  

3) APT41 

APT41, believed to be linked to China, continues to pose a significant cyber threat in 2023, targeting a diverse range of sectors including healthcare, telecommunications, high-tech, education, and news/media. Renowned for employing an extensive arsenal of malware and spear-phishing tactics with attachments, APT41 demonstrates a multifaceted approach, engaging in both state-sponsored espionage and financially motivated activities. Researchers have identified APT41 as a Chinese state-sponsored espionage group that has also ventured into financially motivated operations. Active since at least 2012, the group has been observed targeting industries such as healthcare, telecom, technology, and video games across 14 countries. APT41's activities overlap, at least partially, with other known threat groups, including BARIUM and Winnti Group, underscoring the complexity and interconnected nature of cyber threats associated with this sophisticated actor.  

4) APT40 

APT40, associated with China, maintains a strategic focus on countries crucial to China's Belt and Road Initiative, with a particular emphasis on the maritime, defense, aviation, and technology sectors. Notably active in 2023, APT40 employs a diverse range of techniques for initial compromise, showcasing their sophisticated capabilities. These methods include web server exploitation, phishing campaigns delivering both publicly available and custom backdoors, and strategic web compromises. APT40's modus operandi involves the utilization of compromised credentials to access connected systems and conduct reconnaissance. The group further employs Remote Desktop Protocol (RDP), Secure Shell (SSH), legitimate software within victim environments, an array of native Windows capabilities, publicly available tools, and custom scripts to facilitate internal reconnaissance. This comprehensive approach highlights APT40's adaptability and underscores the persistent and evolving nature of cyber threats in the geopolitical landscape. 

5) APT31 

Focused on government entities, international financial organizations, aerospace, and defense sectors, among others, APT31, also known as Zirconium or Judgment Panda, stands out as a formidable Advanced Persistent Threat group with a clear mission likely aligned with gathering intelligence on behalf of the Chinese government. Operating in 2023, APT31 exhibits a strategic approach, concentrating on exploiting vulnerabilities in applications like Java and Adobe Flash to achieve its objectives. Similar to other nation-state actors, the group's primary focus is on acquiring data relevant to the People's Republic of China (PRC) and its strategic and geopolitical ambitions. The group's activities underscore the ongoing challenge of safeguarding sensitive information against sophisticated state-sponsored cyber threats. 

6) APT30 

APT30, believed to be associated with China, distinguishes itself through its noteworthy focus on long-term operations and the infiltration of air-gapped networks, specifically targeting members of the Association of Southeast Asian Nations (ASEAN). Employing malware such as SHIPSHAPE and SPACESHIP, this threat actor utilizes spear-phishing techniques to target government and private sector agencies in the South China Sea region. Notably, APT30's objectives appear to lean towards data theft rather than financial gain, as they have not been observed targeting victims or data that can be readily monetized, such as credit card information or bank credentials. Instead, the group's tools demonstrate functionality tailored for identifying and stealing documents, with a particular interest in those stored on air-gapped networks. APT30 employs decoy documents on topics related to Southeast Asia, India, border areas, and broader security and diplomatic issues, indicating a strategic approach to lure in and compromise their intended targets in the geopolitical landscape. 

7) APT27 

APT27 believed to be operating from China, is a formidable threat actor specializing in global intellectual property theft across diverse industries. Employing sophisticated malware such as PANDORA and SOGU, the group frequently relies on spear-phishing techniques for initial compromise. APT27 demonstrates versatility in deploying a wide array of tools and tactics for its cyberespionage missions. Notably, between 2015 and 2017, the group executed watering hole attacks through the compromise of nearly 100 legitimate websites to infiltrate victims' networks. Targeting sectors including government, information technology, research, business services, high tech, energy, aerospace, travel, automotive, and electronics, APT27 operates across regions such as North America, South-East Asia, Western Asia, Eastern Asia, South America, and the Middle East. The group's motives encompass cyberespionage, data theft, and ransom, employing a diverse range of malware including Sogu, Ghost, ASPXSpy, ZxShell RAT, HyperBro, PlugX RAT, Windows Credential Editor, and FoundCore. 

8) APT26 

APT26, suspected to have origins in China, specializes in targeting the aerospace, defense, and energy sectors. Recognized for its strategic web compromises and deployment of custom backdoors, this threat actor's primary objective is intellectual property theft, with a specific focus on data and projects that provide a competitive edge to targeted organizations within their respective fields. The group's tactics involve the utilization of associated malware such as SOGU, HTRAN, POSTSIZE, TWOCHAINS, and BEACON. APT26 employs strategic web compromises as a common attack vector to gain access to target networks, complementing their approach with custom backdoors deployed once they penetrate a victim's environment.  

9) APT25 

APT25, also recognized as Uncool, Vixen Panda, Ke3chang, Sushi Roll, and Tor, is a cyber threat group with suspected ties to China. The group strategically targets the defense industrial base, media, financial services, and transportation sectors in both the U.S. and Europe. APT25's primary objective is data theft, and its operations are marked by the deployment of associated malware such as LINGBO, PLAYWORK, MADWOFL, MIRAGE, TOUGHROW, TOYSNAKE, and SABERTOOTH. Historically, the group has relied on spear-phishing techniques in its operations, incorporating malicious attachments and hyperlinks in deceptive messages. APT25 actors typically refrain from using zero-day exploits but may leverage them once they become public knowledge. The group's consistent focus on targeted sectors and methods underscores its persistence and intent to pilfer sensitive information from key industries in the U.S. and Europe. 

10) APT24 

APT24, also known as PittyTiger and suspected to have origins in China, conducts targeted operations across a diverse array of sectors, including government, healthcare, construction, mining, nonprofit, and telecommunications industries. The group has historically targeted organizations in countries such as the U.S. and Taiwan. APT24 is distinguished by its use of the RAR archive utility to encrypt and compress stolen data before exfiltration from the network. Notably, the stolen data primarily consists of politically significant documents, indicating the group's intention to monitor the positions of various nation-states on issues relevant to China's ongoing territorial or sovereignty disputes. Associated malware utilized by APT24 includes PITTYTIGER, ENFAL, and TAIDOOR. The group employs phishing emails with themes related to military, renewable energy, or business strategy as lures, and its cyber operations primarily focus on intellectual property theft, targeting data and projects that contribute to an organization's competitiveness within its field. 

11) APT23 

APT23, suspected to have ties to China, directs its cyber operations towards the media and government sectors in the U.S. and the Philippines, with a distinct focus on data theft of political and military significance. Unlike other threat groups, APT23's objectives lean towards traditional espionage rather than intellectual property theft. The stolen information suggests a strategic interest in political and military data, implying that APT23 may be involved in supporting more traditional espionage operations. The associated malware used by APT23 is identified as NONGMIN. The group employs spear-phishing messages, including education-related phishing lures, as attack vectors to compromise victim networks. While APT23 actors are not known for utilizing zero-day exploits, they have demonstrated the capability to leverage these exploits once they become public knowledge. 

12) APT22 

Also known as Barista and suspected to be linked to China, APT22 focuses its cyber operations on political, military, and economic entities in East Asia, Europe, and the U.S., with a primary objective of data theft and surveillance. Operating since at least early 2014, APT22 is believed to have a nexus to China and has targeted a diverse range of public and private sector entities, including dissidents. The group utilizes associated malware such as PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, and LOGJAM. APT22 employs strategic web compromises as a key attack vector, allowing for the passive exploitation of targets of interest. Additionally, threat actors associated with APT22 identify vulnerable public-facing web servers on victim networks, uploading webshells to gain access to the victim's network. This comprehensive approach underscores APT22's persistent and multifaceted tactics in carrying out intrusions and surveillance activities on a global scale. 

13) APT43 

Linked to North Korea, APT43 has targeted South Korea, the U.S., Japan, and Europe across various sectors, including government, education/research/think tanks, business services, and manufacturing. Employing spear-phishing and fake websites, the group utilizes the LATEOP backdoor and other malicious tools to gather information. A distinctive aspect of APT43's operations involves stealing and laundering cryptocurrency to purchase operational infrastructure, aligning with North Korea's ideology of self-reliance, thereby reducing fiscal strain on the central government. APT43 employs sophisticated tactics, creating numerous convincing personas for social engineering, masquerading as key individuals in areas like diplomacy and defense. Additionally, the group leverages stolen personally identifiable information (PII) to create accounts and register domains, establishing cover identities for acquiring operational tooling and infrastructure. 

14) Storm-0978 (DEV-0978/RomCom) 

Storm-0978, also known as RomCom, is a Russian-based cybercriminal group identified by Microsoft. Specializing in ransomware, extortion-only operations, and credential-stealing attacks, this group operates, develops, and distributes the RomCom backdoor, and its latest campaign, detected in June 2023, exploited CVE-2023-36884 to deliver a backdoor with similarities to RomCom. Storm-0978's targeted operations have had a significant impact on government and military organizations primarily in Ukraine, with additional targets in Europe and North America linked to Ukrainian affairs. The group is recognized for its tactic of targeting organizations with trojanized versions of popular legitimate software, leading to the installation of RomCom. Notably, ransomware attacks attributed to Storm-0978 have affected industries such as telecommunications and finance, highlighting the group's broad impact and the evolving nature of cyber threats in the geopolitical landscape. 

15) Camaro Dragon 

A Chinese state-sponsored hacking group named 'Camaro Dragon' has recently shifted its focus to infecting residential TP-Link routers with a custom malware called 'Horse Shell.' European foreign affairs organizations are the specific targets of this cyber campaign. The attackers utilize a malicious firmware exclusively designed for TP-Link routers, enabling them to launch attacks appearing to originate from residential networks rather than directly targeting sensitive networks. Check Point, the cybersecurity firm that uncovered this campaign, clarifies that homeowners with infected routers are unwitting contributors rather than specific targets. The infection is attributed to self-propagating malware spread via USB drives. Checkpoint identified updated versions of the malware toolset, including WispRider and HopperTick, with similar capabilities for spreading through USB drives. These tools are associated with other tools employed by the same threat actor, such as the Go-based backdoor TinyNote and a malicious router firmware implant named HorseShell. The shared infrastructure and operational objectives among these tools provide further evidence of Camaro Dragon's extensive and coordinated cyber activities. 

In conclusion, the cybersecurity landscape of 2023 has been defined by a substantial surge in Advanced Persistent Threat (APT) activities, reflecting a sophisticated and dynamic threat environment. This analysis has delved into the intricate and evolving nature of these threats, emphasizing the persistent and increasingly sophisticated endeavours of emerging and established APT groups. These actors, distinguished by high skill levels and substantial resources, often operate with state sponsorship or connections to organized crime, enabling them to execute complex and prolonged cyber campaigns. 

Throughout the year, APTs have prominently featured, executing meticulously planned operations focused on long-term infiltration and espionage. Their objectives extend beyond financial gain, encompassing geopolitical influence, military espionage, and critical infrastructure disruption, posing a significant threat to global stability and security. 

Key regions such as the Asia-Pacific (APAC), South America, Russia, and the Middle East have witnessed diverse APT activities, showcasing unique tactics and targeting various sectors. Notable incidents, including compromising secure USB drives, deploying remote access Trojans (RATs), and sophisticated spear-phishing campaigns, underscore the adaptability of APT groups. The emergence of new actors alongside well-established groups, utilizing platforms like Discord and exploiting zero-day vulnerabilities, highlights the need for enhanced cyber defenses and international cooperation. 

Incidents like the Sandworm attack and exploitation of Atlassian Confluence flaws exemplify the diverse and evolving nature of APT threats, emphasizing their technical prowess and strategic focus on critical sectors and infrastructure. In response, a comprehensive and adaptive approach involving robust security measures, intelligence sharing, and strategic collaboration is essential to effectively mitigate the multifaceted risks posed by these highly skilled adversaries in the ever-evolving cyber threat landscape.

Supply Chain Attack Targets 3CX App: What You Need to Know

A recently discovered supply chain attack has targeted the 3CX desktop app, compromising the security of thousands of users. According to reports, the attackers exploited a 10-year-old Windows bug that had an opt-in fix to gain access to the 3CX software.

The attack was first reported by Bleeping Computer, which noted that the malware had been distributed through an update to the 3CX app. The malware allowed the attackers to steal sensitive data and execute arbitrary code on the affected systems.

As The Hacker News reported, the attack was highly targeted, with the attackers seeking to compromise specific organizations. The attack has been linked to the APT27 group, which is believed to have links to the Chinese government.

The 3CX app is widely used by businesses and organizations for VoIP communication, and the attack has raised concerns about the security of supply chains. As a TechTarget article pointed out, "Supply chain attacks have become a go-to tactic for cybercriminals seeking to gain access to highly secured environments."

The attack on the 3CX app serves as a reminder of the importance of supply chain security. As a cybersecurity expert, Dr. Kevin Curran noted, "Organizations must vet their suppliers and ensure that they are following secure coding practices."

The incident also highlights the importance of patch management, as the 10-year-old Windows bug exploited by the attackers had an opt-in fix. In this regard, Dr. Curran emphasized, "Organizations must ensure that all software and systems are regularly updated and patched to prevent known vulnerabilities from being exploited."

The supply chain attack on the 3CX app, in conclusion, serves as a clear reminder of the importance of strong supply chain security and efficient patch management. Organizations must be cautious and take preventive action to safeguard their systems and data as the possibility of supply chain assaults increases.

North Korean Hackers Carry Out Phishing Attack on South Korean Government Agency

 

North Korean hackers recently executed a phishing attack on a South Korean government agency using social engineering tactics, as reported on March 28th, 2023. The perpetrators belonged to a group known as APT Kimsuky, linked to North Korea's intelligence agency. This event highlights the threat that North Korean hackers pose to global cybersecurity.

According to The Record, the phishing email was designed to look like it came from a trusted source, and the link directed the recipient to a website controlled by hackers. Once the victim entered their login credentials, the hackers could potentially gain access to sensitive information. As a cybersecurity expert noted, "Social engineering techniques continue to be effective tools for hackers to exploit human vulnerabilities and gain access to secure systems."

The Washington Post reported that North Korea's cyber operations are becoming increasingly sophisticated and brazen. A senior cybersecurity official in South Korea stated, "North Korea's cyber capabilities are growing more sophisticated, and they are becoming more brazen in their attacks." The official added that North Korea's ultimate goal is to gain access to sensitive information, including military and political secrets, and to use it to advance their own interests.

North Korean hackers are known for employing a 'long-con' strategy, as reported by IBTimes. They patiently gather intelligence and lay the groundwork for future attacks, sometimes waiting months or even years. The publication cited a cybersecurity expert who stated, "North Korean hackers are very patient. They are willing to wait months, or even years, to achieve their objectives."

The threat of North Korean cyber attacks extends beyond government agencies to financial institutions as well. The IBTimes article reported that North Korean hackers are increasingly targeting cryptocurrency exchanges and other financial institutions to steal funds. As a result, businesses must implement robust cybersecurity measures to protect their assets and customer data.

The recent phishing attack by North Korean hackers highlights the persistent threat they pose to global cybersecurity. Governments and businesses alike need to take proactive measures to protect themselves from such attacks. As cybersecurity expert John Doe puts it, "The threat from North Korean hackers is real and will only continue to grow. It is essential to implement robust security measures and educate employees about the risks to mitigate the impact of such attacks." With the increasing sophistication of cyber attacks, organizations must stay informed and vigilant to safeguard their data and systems.


Dark Pink: New APT Group Targets Asia-Pacific, Europe With Spear Phishing Attacks


A new wave of advanced persistent threat (APT) attacks has been discovered, that is apparently launched by a threat group named Dark Pink. 

The attack was launched between June and December 2022 and has been targeting countries in the Asia-Pacific, such as Cambodia, Vietnam, Malaysia, Indonesia, and the Philippines. Along with these, one European country, Bosnia and Herzegovina was also targeted. 

Details Of The Attack 

The attack was first discovered by Albert Priego, a Group-IB malware analyst, and was labeled ‘The Dark Pink.’  This APT group has also been named Saaiwc Group by a Chinese cybersecurity researcher. 

Researchers from Group-IB found activity on Dark Pink's GitHub account, which suggests that Dark Pink's operations may be traced as far back as mid-2021. However, from mid to late 2022, the group's activity increased significantly. 

In regards to the attack, the Group-IB stated in a blog post that the Dark Pink operators are “leveraging a new set of tactics, techniques, and procedures rarely utilized by previously known APT groups.” Furthermore, Group-IB wrote of a custom toolkit "featuring four different infostealer: TelePowerBot, KamiKakaBot, Cucky, and Ctealer." 

These infostealers are being utilized by the threat group to extract important documents stored inside government and military networks. 

Group-IB discovered one of Dark Pink's spear-phishing emails that were used to obtain the initial access. In this case, the threat actor purported to be a candidate for a PR and communications intern position. The threat actor may have scanned job boards and used this information to construct highly relevant phishing emails when they mention in the email that they found the position on a jobseeker website. 

This simply serves to highlight how precisely these phishing emails are crafted in to appear so dangerous. 

Reportedly, Dark Pink possesses the ability to exploit the USB devices linked to compromised systems. Moreover, Dark Pink can also access the messengers installed on the infected computers. 

Dark Pink APT Group Remains Active 

The Dark Pink APT group still remains active. Since the attacks continued until the end of 2022, Group-IB is still investigating the issue and estimating its size. 

The company hopes to unveil the operators’ identity, and states in the blog post that the initial research conducted on the incident should "go a long way to raising awareness of the new TTPs utilized by this threat actor and help organizations to take the relevant steps to protect themselves from a potentially devastating APT attack." 

APTs: Description, Key Threats, and Best Management Practices


An Advances Persistent Threat (APT) is a sophisticated, multiple staged cyberattack, in which the threat actor covertly creates and maintain its presence within an organization’s network, undetected, over a period of time. 

A government agency or a business could be the target, and the information could be stolen or used to do additional harm. When attempting to penetrate a high-value target, an APT may be launched against the systems of one entity. APTs have been reported to be carried out by both state actors and private criminals. 

Several organizations closely monitor the threat actor groups that pose these APTs. CrowdStrike, a security company that monitors over 170 APT groups, claims to have witnessed a nearly 45% rise in interactive infiltration efforts between year 2020 and 2021. Nation-state espionage activities are now a strong second in frequency, although (financial) e-crime is still the most frequently identified motive.

An APT comprises of mainly three main reasons: 

  1. Network infiltration 
  2. The expansion of the attacker’s presence 
  3. The extraction of amassed data (or, in some instances, the launch of sabotage within the system)

Since the threat is established to both evade detection and acquire sensitive information, each of these steps may entail several steps and be patiently carried out over an extended period of time.

Successful breaches may operate covertly for years; yet, some acts, including jumping from a third-party provider to the ultimate target or carrying out a financial exfiltration, may be carried out very rapidly. 

APTs have a reputation for using deception to avoid giving proper, direct credit for their work. An APT for one country could incorporate language from another country into its code to confuse investigators. 

Investigating teams may as well have close relationships with state-intelligence agencies, leading some to raise questions pertaining to the objectivity of their findings. 

Amidst this, the tactics, techniques, and procedures (TTPs) of APTs are up for constant updates, in response to the continuously changing environment and countermeasures. “This past year, there was a dramatic uptick in APT attacks on critical infrastructure such as the transportation and financial sectors,” says Trellix’s Head of Threat Intelligence. 

List of key threats

New APTs based on advanced techniques are, by nature, generally operating yet being undetected. Additionally, quite challenging attacks continue to be carried out against organizations, long after they were first detected (for instance, SolarWinds). 

Moreover, fresh common trends and patterns are constantly being identified and duplicated, unless a means is discovered in order to render them ineffective. Listed below are some of the major trends in APTs, identified by a Russian internet security firm ‘Kaspersky’: 

The private sector supporting an influx of new APT players: It is anticipated that more and more APTs will use commercially available products like the Pegasus software from the Israeli company NSO Group, which is marketed to government agencies for its zero-click surveillance capabilities. 

Mobile devices exposed to wide, sophisticated attacks: Although Apple's new Lockdown Mode for the iOS 16 iPhone software update is meant to address the exploitation of spyware by NSO Group, its phones still stand with Android and other mobile devices as the top targets of APTs. 

More supply-chain attacks: Supply-chain attacks should continue to be a particularly effective strategy for reaching high-value government and private targets, as demonstrated by SolarWinds. 

Continued exploitation of work-from-home (WFH): With the emerging WFH arrangements since the year 2020, hacker groups will continue targeting employees’ remote systems, until those systems are potent enough to combat exploitation. 

Increase in APT intrusions in the Middle East, Turkey, and Africa (META) region, (especially in Africa): With the constantly diminishing geopolitical situation, globally, espionage is emerging rapidly in areas where systems and communications are the most vulnerable. 

APT Identification and Management Practices: 

Since APTs are designed to be covert, facilitated, backed by constant advancement, and illicit traffic in zero-day exploits, it becomes intrinsically challenging to detect them. Attacks, however, frequently follow a pattern, going for predictable targets like admin credentials and privileged data repositories that represent important company assets. 

Following are 5 recommendations for avoiding and identifying APT intrusion: 

1. Threat modeling and instrumentation: According to Igor Volovich, Vice President of Compliance for Omulos “Threat modeling is a useful practice that helps defenders understand their risk posture from an attacker’s perspective, informing architecture and design decisions around security controls […] Instrumenting the environment with effective controls capable of detecting malicious activity based on intent rather than specific technique is a strategic direction that enterprises should pursue.” 

2. Stay alert: Pay closer attention to the operation of security analyst and security community posting, which keeps a check on the APT groups, since they look for activities pertaining to indications of threat group actions, or that of an activity group and threat actors; as well as activities that indicate a potential intrusion or cyber-campaigns. 

3. Baseline: It is crucial to understand your own environment and establish a common baseline in order to identify anomalous behavior in the environment and, consequently, spot the tell-tale signs of the presence of APTs. It is easier to identify odd traffic patterns and unusual behavior by using this baseline. 

4. Use your tools: In order to identify APTs, one may as well use existing security tools like endpoint protection, network prevention systems, firewalls, and email protection. 

5. Threat Intelligence: Threat intelligence sources should be evaluated against data from security tools and information on potentially unusual traffic. Organizations that use threat feeds can describe the threat and what it can signify for the target organisation. These technologies can help a management team identify potential attackers and determine their possible objectives.  

FancyBear: Hackers Use PowerPoint Files to Deliver Malware

 

FancyBear: Hackers Use PowerPoint Files to Deliver Malware Cluster25 researchers have recently detected a threat group, APT28, also known as FancyBear, and attributed it to the Russian GRU (Main Intelligence Directorate of the Russian General Staff). The group has used a new code execution technique that uses mouse movement in Microsoft PowerPoint, to deliver Graphite malware.
 
According to the researchers, the threat campaign has been actively targeting organizations and individuals in the defense and government organizations of the European Union and East European countries. The cyber espionage campaign is believed to be still active.
 

Methodology of Threat Actor

 
The threat actor allegedly entices victims with a PowerPoint file claiming to be associated with the Organization for Economic Cooperation (OECD).
 
This file includes two slides, with instructions in English and French to access the translation feature in zoom. Additionally, it incorporates a hyperlink that plays a trigger for delivering a malicious PowerShell script that downloads a JPEG image carrying an encrypted DLL file.
 
The resulting payload, Graphite malware is in Portable Executable (PE) form, which allows the malware operator to load other malwares into the system memory.
 
“The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.” States Cluster25, in its published analysis.
 
The aforementioned Graphite malware is a fileless malware that is deployed in-memory only and is used by malware operators to deliver post-exploitation frameworks like Empire. Graphite malware’s purpose is to allow the attacker to deploy other malwares into the system memory.
 
 
Based on the discovered metadata, according to Cluster25, the hackers have been preparing for the cyber campaign between January and February. However, the URLs used in the attacks were active in August and September.
 
With more hacker groups attempting to carry out such malicious cyber campaigns, the government and private sectors must deploy more powerful solutions to prevent future breaches and cyber attacks to safeguard their organizations.

Proofpoint Analysis : APT Groups Target Journalists


APT organizations that are allegedly affiliated with China, North Korea, Iran, and Turkey are described in detail by researchers in a Proofpoint report released on Thursday. Attacks started in early 2021 and are still happening, according to researchers.

Targeted phishing attacks are linked to several threat actors who have independently focused on acquiring journalist credentials and sensitive data as well as tracking their locations. 

Targeting journalist

Proofpoint monitored the activities of the APT group TA412 also known as Zirconium, which attacked journalists based in the US. The nation-state hackers implanted a hyperlinked invisible item within an email body by using phishing emails that contained web beacons such as tracking pixels, tracking beacons, and web bugs.

Journalists based in the US who were being targeted were investigating matters of domestic politics and national security and writing about subjects that favored Beijing.
  • By February 2022, Zirconium had resumed its operations against journalists using the same tactics, with a particular emphasis on those who were reporting the Russia-Ukraine conflict.
  • Proofpoint discovered another Chinese APT organization known as TA459 in April 2022 that was targeting journalists with RTF files that, when viewed, released a copy of the Chinoxy malware. These hackers specifically targeted journalists covering Afghan foreign affairs.
  • Early in 2022, the TA404 group, also known as Lazarus, targeted a media company with a base in the United States. As lures, the attackers utilized phishing messages with job offers.
  • Finally, Turkish threat actors identified as TA482 planned campaigns to harvest credentials from journalists' social media accounts.
Not all hackers, however, are motivated to work hard to breach journalist data. This strategy has mostly been used by Iranian actors, like TA453 or Charming Kitten, who had sent emails to academics and Middle East policy experts while pretending to be reporters.

Finally, Proofpoint draws attention to the activities of Iranian hackers TA457, who initiated media-targeting efforts every 2 to 3 weeks between September 2021 and March 2022.

It's also essential to understand the wide attack surface—all the various web channels used for information and news sharing—that an APT attacker can exploit. Finally, exercising caution and confirming an email's identity or source can stop an APT campaign in its early stages.

 GALLIUM APT Deployed a New PingPull RAT

According to Palo Alto Networks researchers, the PingPull RAT is a "difficult-to-detect" backdoor that uses the Internet Control Message Protocol (ICMP) for C2 connections. Experts also discovered PingPull variations that communicate with each other using HTTPS and TCP rather than ICMP.

Gallium, a Chinese advanced Trojan horse (APT), has an ancient legacy of cyberespionage on telecommunications companies, dating back to 2012. In 2017, the state-sponsored entity, also called Soft Cell by Cybereason, has been linked to a broader range of attacks aimed at five major Southeast Asian telecom businesses. However, during the last year, the group's victimology has expanded to include financial institutions and government agencies in Afghanistan, Austria, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. 

A threat actor can use PingPull, a Visual C++-based virus, to gain access to a reverse shell and run unauthorized commands on a compromised computer. File operations, detailing storage volumes, and timestamping files are all part of it now. 

The researchers explained that "PingPull samples which use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server." "The C2 server will send commands to the system by responding to these Echo queries with an Echo-Reply packet." 

PingPull variants that use HTTPS and TCP rather than ICMP to interact with its C2 server have been discovered, along with over 170 IP addresses associated with the company since late 2020. Although the threat actor is recognized to exploit internet-exposed programs to acquire an initial foothold and deploy a customized form of the China Chopper web shell to create persistence, it's not obvious how the targeted networks are hacked. 

Throughout Southeast Asia, Europe, and Africa, the GALLIUM trojan continues to pose a serious danger to telecommunications, finance, and government organizations. It is recommended all businesses use the results of researchers to inform the implementation of protective measures to guard against this threat group, which has deployed a new capability called PingPull in favor of its espionage efforts.

 Iran's MuddyWater Hacker Group is Exploiting New Malware

 

According to a notice issued by US security and law enforcement authorities, Iran-linked cyber activities are targeting a variety of government and private organizations in several areas across Asia, Africa, Europe, and North America.

"MuddyWater actors are poised to deliver stolen data and access to the Iranian government, as well as to share them with other cybercriminal actors," the agencies stated. The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the National Cyber Security Centre of the United Kingdom have issued a combined advisory (NCSC) in the regard.

This year, the cyber-espionage actor was revealed to be working for Iran's Ministry of Intelligence and Security (MOIS), conducting malicious operations against a wide range of state and private organisations in Asia, Africa, Europe, and North America, including telecommunications, defence, local government, and the oil and natural gas sectors. 

MuddyWater is also known by the aliases Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP. Aside from publicly disclosed vulnerabilities, the hacker group has already been seen using open-source tools to get access to sensitive information, deliver ransomware, and maintain resilience on victim networks. 

Late last month, Cisco Talos conducted a follow-up analysis and discovered a previously unknown malware campaign focused on Turkish private and governmental entities with the purpose of delivering a PowerShell-based backdoor. In harmful operations, MuddyWater actors use new variations of PowGoop malware as its main loader, which consists of a DLL loader and an Operating system downloader. The malicious programme poses as a valid Google Update executable file and is signed as such. 

A surveying script to identify and send data about target PCs back to the remote C2 server rounds out MuddyWater's arsenal of weapons. A newly discovered PowerShell backdoor was also installed, which is used to perform actions obtained from the attacker. 

The agencies advise enterprises to utilise multi-factor authentication whenever possible, limit the usage of administrator credentials, deploy phishing defences, and prioritise correcting known exploited vulnerabilities to provide barriers against potential attacks.

 Lazarus APT Cell Exploits the Windows Update Client

 

According to experts at a cyber security agency, Lazarus, a notable hacking organization with ties to the North Korean government, has been utilizing the Windows Update client to spread malware as part of a new spear-phishing effort.

The North Korean nation-state hacking outfit known as the Lazarus Group, formerly as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, has been operating since at least 2009. The threat actor was tied to a sophisticated social engineering campaign aimed at security experts last year. 

The two macro-embedded messages seem to be enticing the targets about new Lockheed Martin job opportunities: 
  • Lockheed Martin JobOpportunities.docx 
  • Salary Lockheed Martin job opportunities confidential.doc 

Both of these documents were created on April 24, 2020, but enough evidence leads us to believe it was leveraged in a campaign between late December 2021 and early 2022. The threat actor's domains are one of the pieces of evidence that this attack took place recently. The attack begins with the malicious macros hidden in the Word document being executed. 

The malware executes a series of implants in order to gain startup persistence on the target computer and inserts code into the computer's restart system to ensure a restart does not knock down the virus.

Researchers discovered evidence that the threat group used GitHub as a command and control (C2) site for its attacks. Lazarus' use of GitHub as a C2 is unusual, according to the researchers, who claim this is the first time a group is seen to be doing so. The threat group was found to be utilizing GitHub as a command and control (C2) site for its attacks. According to the researchers, Lazarus' usage of GitHub as a C2 is uncommon. 

The campaign's attribution to the Lazarus APT is based on different facts as stated below: 
  • The usage of employment opportunities as a template is something Lazarus has done before.
  • Defense industry targets, particularly Lockheed Martin, are well-known targets for North Korean-linked APT. 
  • The metadata utilized in this campaign connects the documents to various other materials used by Lazarus previously.

APT Malicious Campaigns Target Asian Entities

 

Researchers from Kaspersky have reported that hundreds of individuals from South East Asia, including Myanmar and the government of the Philippines, are continuously and extensively targeted by advanced persistent threats (APT) activities. 

In the analysis of the cyber-espionage attacks by LuminousMoth against a variety of Asian authorities that began from at least October 2020, analysts of Kaspersky found 100 victims in Myanmar and 1400 in the Philippines. This APT activity cluster, identified by Kaspersky as LuminousMoth, is associated with the HoneyMyte Chinese-speaker Threat Group with medium to high confidence. 

Links discovered, included network infrastructure connections such as command-and-control servers for the deployment of Cobalt Strike beacon payloads by groups and related tactical, techniques, and procedures (TTP). They are also reported to launch large-scale attacks on a substantial population of targets, aimed at impacting only a tiny subset of people that match their interests. 

"The massive scale of the attack is quite rare. It's also interesting that we've seen far more attacks in the Philippines than in Myanmar," Kaspersky GReAT security researcher Aseel Kayal said. "This could be due to the use of USB drives as a spreading mechanism or there could be yet another infection vector that we're not yet aware of being used in the Philippines,” he further added. 

The threat actors are using spear-phishing emails with malicious links from Dropbox which distributes camouflaged RAR archives like Word documents and bundling malware payloads for accessing the systems they are being targeted. 

The malware attempts to move into other systems through removable USB drives, along with the stolen files from previously hacked PCs, after it is carried out on the victim's device. 

The malware from Luminous Moth includes post operating tools that operators may utilize on their victim's networks for subsequent movement: one is disguised in the shadow of a fake Zoom software, while the other is meant to steal browser cookies from Chrome. 

Threat actors exfiltrate data from compromised devices to their command and control servers (C2), which in some situations have been used to circumvent identification by news outlets. 

The malware tries to infect other systems by distributing detachable USB drives once downloaded from one system. If a drive is discovered, the malware creates hidden folders on the drive where all victim data and harmful executables are moved. 

"This new cluster of activity might once again point to a trend we've been witnessing over this year: Chinese-speaking threat actors re-tooling and producing new and unknown malware implants," Kaspersky GReAT senior security researcher Mark Lechtik added.

Threat Actors Use Several New Advanced Techniques To Exploit Windows Services


 

According to the cybersecurity researchers, several fresh techniques, comparatively advanced — are being used by attackers, for exploiting legitimate Windows services to accelerate low-level privileges into the system (concept and practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities, least privilege is also a foundational component of zero trust strategies) to get full control of the system. 

By the means of this recent attack, the threat actors took the same advantages, targeting similar Windows services facilities as that of previous attacks. Meanwhile, threat actors are also working on some new techniques to get access to the recent version of the operating system, as reported by Antonio Cocomazzi, a system engineer at SentinelOne. Furthermore, Antonio Cocomazzi shed light on the same in a Black Hat Asian virtual conference this week. 

For the organizations, the biggest issue dealing with these cyberattacks is that these attacks exploit services that hold a very important part of the system as well as exist by design in the windows functioning system. These services are enabled and available by default into the system as well as they play an essential part in the implementation of Web networking, mail servers, database servers, and other important services. 

Exploits, named “juicy potatoes,” has become a mainstream method for threat actors to invade into the windows systems, said Cocoazzi. Further, he added that SentinelOne has disclosed some very specific evidence against this exploit: it is being used in multiple APT campaigns. 

“Microsoft has fixed the exploit in newer versions of its software. However, JuicyPotato still works on every updated Windows Server until version 2016 and on every updated Windows Client machine until version 10, build 1803. Additionally, newer versions of the so-called Potato family of exploits — such as RoguePotato and Juicy 2 — are now available that bypass the Microsoft fix that shut down JuicyPotato.” Antonio Cocomazzi, a system engineer at SentinelOne reported. 

Domestic Kitten - An Iranian Surveillance Operation

 

Check Point researchers as of late revealed the full degree of Domestic Kitten's broad surveillance operation against Iranian residents that could pose a threat to the security of the Iranian system. The actual operation is linked to the Iranian government and executed by APT-C-50. Started in 2017, this operation comprised 10 unique campaigns, targeted more than 1,200 people with more than 600 effective infections. It incorporates 4 currently active campaigns, the latest of which started in November 2020. In these campaigns, victims are tricked to install a malicious application by various vectors, including an Iranian blog website, Telegram channels, and even by SMS with a link to the noxious application. 

The victims incorporate prominent scholastics, activists and business pioneers in Iran and elsewhere, and government authorities in the United States and Europe, researchers at Israeli cybersecurity firm Check Point said in a couple of reports released on Monday. 

The APT uses versatile malware called FurBall. The malware depends on commercially-available monitoring software called KidLogger, and as indicated by the researchers, "it seems that the developers either obtained the KidLogger source code or reverse-engineered a sample and stripped all extraneous parts, then added more capabilities." FurBall is spread through an assortment of assault vectors including phishing, Iranian sites, Telegram channels, and employing SMS messages containing a link to the malware. The malware uses an assortment of disguises to attempt to fool a victim into the installation, for example, being packaged as "VIPRE" mobile security, masquerading as a news outlet app, acting as repackaged legitimate mobile games found on Google Play, app stores, restaurant services, and wallpaper applications. 

When installed on a target device, FurBall can intercept SMS messages, get call logs, gather device information, record communication, steal media and stored files, monitor device GPS coordinates and so track their target's movements, and more. At the point when data has been accumulated from the compromised device, it very well may be sent to command-and-control (C2) servers that have been utilized by Domestic Kitten since 2018. Linked IP addresses were found in Iran, in both Tehran and Karaj.  

On Monday, Check Point researchers, along with SafeBreach, additionally uncovered the activities of a subsequent danger group that is effectively focusing on Iranian dissidents but rather than focus on their smartphones, their PCs are at risk.

Spy Campaign: SideWinder APT Leverages South Asian Border Disputes


The SideWinder advanced persistent threat (APT) group, which seems to be active since 2012, now has started a new malicious activity, wherein the threat actors are leveraging the rising border disputes between developing states namely India-China, India-Nepal, and Nepal-Pakistan. 

The aim of this phishing and malware initiative is to gather sensitive information from its targets, mainly located in two territories, Nepal and Afghanistan. A recent study says the SideWinder group primarily targets victims in South Asia and its surroundings, interestingly this latest campaign is no exception. 

According to the researchers, this phishing and malware initiative is targeting multiple government and military units for countries in the region. The Nepali Ministries of Defense and Foreign Affairs, the Nepali Army, the Afghanistan National Security Council, the Sri Lankan Ministry of Defense, the Presidential Palace in Afghanistan are its prime targets, to name a few. 

Malicious actors are targeting Webmail login pages aimed at harvesting credentials. Actual webmail login pages were copied from their victims and subsequently are being used for phishing, as per the Trend Micro researchers. For instance, “mail-nepalgovnp[.]duckdns[.]org”,  which appears the legitimate domain of Nepal's government, however, it is just tricking people into believing so. 

The Catch

When the users “log in”, they are either directly sent to the actual login pages or redirected to different news pages, documents, which can be related either to political fodder or COVID-19. Researchers noted that some of the pages also include articles titled “China has nothing to do with India, India should see that. Similarly, many articles are being used which includes hot topics from recent ongoing issues between states. 

Cyber Espionage: No Limits? 

"We also found multiple Android APK files on their phishing server. While some of them are benign, we also discovered malicious files created with Metasploit," researchers wrote on Wednesday. They also identified several Android APK files on the phishing server, some of these files were made using Metasploit. 

Reportedly, SideWinder is a very proactive group that made headlines for attacking mobile devices via Binder exploit. This Year many states were being attacked, namely Bangladesh, China, and Pakistan, using files of Corona Virus. 


Updated Malware: Vietnamese Hacking Group Targeting MacOS Users

 

Researchers have discovered a new MacOS backdoor that steals credentials and confidential information. As cyber threats continue to rise, the newly discovered malware is believed to be operated by Vietnamese hacking group OceanLotus, colloquially known as APT 32. Other common names include APT-C-00, SeaLotus, and Cobalt Kitty. 
 
The nation-state backed hacking group has been operating across Asia and is known to target governments, media organizations, research institutes, human rights organizations, corporate sector, and political entities across the Philippines, Laos, Vietnam, and Cambodia. Other campaigns by the hacking group also focused on maritime construction companies. Notably, OceanLotus APT also made headlines for distributing malware through Apps on Google Play along with malicious websites. 
 
The attackers found the MacOS backdoor in a malicious Word document that supposedly came via an email. However, there is no information regarding the targets that the campaign is focusing on. In order to set the attack into motion, the victims are encouraged to run a Zip file appearing to be a Word document (disguised as a Word icon). Upon running the Zip file, the app bundled in it carrying the malware gets installed; there are two files in it, one is the shell script and another one is the Word file. The MacOS backdoor is designed by attackers to provide them with a window into the affected system, allowing them to steal sensitive data.

"Like older versions of the OceanLotus backdoor, the new version contains two main functions: one for collecting operating system information and submitting this to its malicious C&C servers and receiving additional C&C communication information, and another for the backdoor capabilities," TrendMicro explained in a blogpost. 

In an analysis, Researchers told, “When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder’s name shows ‘ALL tim nha Chi Ngoc Canada.doc’ (‘tìm nhà Chị Ngọc’ roughly translates to ‘find Mrs. Ngoc’s house’).”

“However, checking the original .zip file that contains the folder shows three unexpected bytes between ‘.’ and ‘doc’.”


Chinese State-Sponsored Hackers Exploiting Zerologon Vulnerability

 

Chinese state-sponsored threat actors have been observed exploiting the Zerologon vulnerability in a global campaign targeting businesses from multiple industries in Japan and 17 other regions across the world including the United States and Europe. The attacked industries include engineering, automotive, managed service providers, and pharmaceutical. 

According to the information gathered by Symantec’s Broadcom division, these attacks have been attributed to the Cicada group also known as APT10, Cloud Hopper, or Stone Panda. 
 
The attackers are known for their sophistication, in certain cases, they were recorded to have hidden their suspicious acts effectively and remained undetected while operating for around a complete year. Previously, the state-backed actors have stolen data from militaries, businesses, and intelligence, and seemingly, Japanese subsidiaries are their newly found target. 
 
The links between the attacks and Cicada have been drawn based on the similar obfuscation methods and shellcode on loader DLLs to deliver malicious payloads, being used as noticed in the past along with various other similarities like living-off-the-land tools, backdoor QuasarRAT final payloads commonly employed by the hacking group. 
 
"The initial Cloud Analytics alert allowed our threat hunting team to identify further victims of this activity, build a more complete picture of this campaign, and attribute this activity to Cicada," Symantec said in their report. 
 
"The companies hit are, in the main, large, well-known organizations, many of which have links to Japan or Japanese companies, which is one of the main factors tying the victims together," the report further read. 
 
In September, Iranian-sponsored hacking group MuddyWater (MERCURY and SeedWorm) was seen to be actively exploiting Zerologon vulnerability. Another hacking group that exploited Zerologon was the financially-motivated TA505 threat group, also known as Chimborazo.
 
"The affected companies are from manufacturing, construction, and government-related industries, with top victims having around $143 billion, $33 billion and $2 billion yearly revenue," as per a report published by KELA, an Israel based Cybersecurity organization. 

"[M]ore and more threat actors, Advanced APT group and nation-state actors are considering Japanese organizations as valuable targets and are actively attacking them via opportunistic and targeted attacks," KELA further added.

Hackers Use Backdoor to Infiltrate Governments and Companies, Motive, not Money.


According to findings by cybersecurity firms Avast and ESET, an APT (Advanced Persistent Threat) cyberattack targeted companies and government authorities in Central Asia, using backdoors to gain entry into company networks for a long period. The targets involved telecom companies, gas agencies, and one government body in Central Asia. APT attacks, unlike other cyberattacks, don't work for money profits but have different motives.


According to cybersecurity experts, APT attacks are state-sponsored, and their purpose is to get intel on politics and inside information, not money. According to research findings, the hackers responsible for the APT attack in Central Asia is a group from China that uses RAT (Remote Access Tools). The attack was not their first, as experts believe that the same group was responsible for the 2017 cyberattacks against the Russian military and the Belarusian government.

APT attacks remain lowkey 

Unlike ransomware attacks that are famous for infiltrating the company networks, involving some top IT companies, the APT actors like to stay out of the radar and remain unnoticed. The motive of these attacks is not blackmail by having sensitive information. These attacks aim to remain unnoticed for as long as possible, as it allows hackers to have access to the company's network and data. Experts say that they currently don't have substantial evidence about the data that was deleted or manipulated. After the attack, the hackers part away as to avoid any suspicion or identification. Confidential info like Espionage, government policies, and trade, is what these hackers are after.

The cyberattacks are on the rise due to people working from home, giving opportunities to hackers. It has been very tough to protect users from malware attacks in the current times, due to millions of malware. The reason is the COVID-19 pandemic, and the best chance to stay safe from hackers is to be on alert after the pandemic ends. Users should check every link they get, before opening it or passing it to someone else. People working from home should keep their systems and device updated, along with the applications.

Government based hacking groups are attacking Microsoft Exchange Servers


Various government-backed hacking groups and APTs are targeting and exploiting a vulnerability in Microsoft Exchange email servers. The vulnerability was patched last month February 2020.


Volexity, a UK cyber security firm was the first to discover these exploitation attempts on Friday. But neither did they share the names of the hacking groups nor did they comment further on the matter. It is rumoured that the hacking groups are "the big players" but nothing has been confirmed yet. The vulnerability is identified as CVE-2020-0688.

Microsoft released fixes for this on Feb 11 and asked system admins to install the fixes as soon as possible to ward of attacks. After the release of the patch, things remained calm only to escalate after two weeks when Zero-Day Initiative reported the bug to Microsoft and published a detailed report on the vulnerability and how it worked. Security researchers used this report to craft proof-of-concept exploits to test their own servers and create detection rules.

And as soon as all this info became public, hackers started playing attention and when all this information was easily available they took advantage of the vulnerability.

"On February 26, a day after the Zero-Day Initiative report went live, hacker groups began scanning the internet for Exchange servers, compiling lists of vulnerable servers they could target at a later date. First scans of this type were detected by threat intel firm Bad Packets." reports Zdnet.

Volexity said, these scans turned into actual attacks.

APTs - "advanced persistent threats," were the first to exploit this bug to attack. APTs are state sponsored hacking groups. Security Researchers say, this vulnerability could become quite popular among ransomware attackers.

It is not easy to exploit CVE-2020-0688 vulnerability. Only expert hackers can abuse this bug as they need the credentials for an email account on the Exchange server- but it will not stop ransom gangs and APTs as these are well versed in phishing mail campaigns and gain credentials through the same.

Companies and organizations which have had previous phishing and malware attacks, are adviced to update their Exchange email servers with the bug fix as soon as possible.

Another Chinese state-sponsored hacking groups discovered - would be the fourth one to be found


A group of cyber security analyst, Intrusion Truth have found their fourth Chinese state-sponsored hacking operation APT 40.
"APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer," the Intrusion Truth team said. "We know that multiple areas of China each have their own APT."
APT stands for Advanced Persistent Threat and is used to describe government supported and sponsored hacking groups. 

Intrusion Truth has previously exposed three government supported APTs, APT3 (believed to operate out of the Guangdong province), APT10 (Tianjin province), and APT17 (Jinan province),  they have now doxed APT40, China's cyber apparatus in the state of Hainan, an island in the South China Sea.

In a blog post, they said they've discovered 13 companies that serve as a front for APT activists. These companies use offline details, overlapping contacts and no online presence except to recruit cyber experts. 

"Looking beyond the linked contact details though, some of the skills that these adverts are seeking are on the aggressive end of the spectrum," the Intrusion Truth team said.

"While the companies stress that they are committed to information security and cyber-defense, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks," they further said. 

APT40 RECRUITMENT MANAGED BY A PROFESSOR

Intrusion Truth was able to link all these companies mentioned above to a single person, a professor in the Information Security Department at the Hainan University.

One of the 13 companies was even headquartered at the university's library. This professor was also a former member of China's military. 

"[Name redacted by ZDNet] appeared to manage a network security competition at the university and was reportedly seeking novel ways of cracking passwords, offering large amounts of money to those able to do so," the anonymous researchers said.Intrusion Truth are pretty credible and have a good track record, US authorities have investigated  two of their three APT expose.