
APT29 Strikes: WinRAR Exploits in Embassy Cyber Attacks

During the latest wave of cyberattacks, foreign embassies have been targeted by a group known as APT29, using an attack chain that exploits a vulnerability in WinRAR, a widely used file compression program. The disclosure has caused concern across the cybersecurity community and prompted immediate efforts to strengthen digital defenses.

According to reports from cybersecurity researchers, APT29 combined the ngrok tunnelling service with a WinRAR exploit to infiltrate embassy networks. ngrok, a service designed to expose a program running on localhost through a public tunnel, has been repurposed by the attackers to conceal their activity, which makes detection and attribution considerably harder.

WinRAR, a widely used application for compressing and decompressing files, has been targeted due to a specific vulnerability, identified as CVE-2023-38831. This flaw allows the attackers to execute arbitrary code on the targeted systems, giving them unfettered access to sensitive information stored within embassy networks.
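As an added illustration (not part of the original post and not tooling from the researchers it cites), the following Python script checks a ZIP archive for the entry layout that CVE-2023-38831 relies on: a top-level decoy file whose exact name is reused as a directory name, with a script of a matching name inside that directory, which WinRAR releases before 6.23 would launch when the decoy is opened. The sample archives are constructed in memory, and the executable-extension list and function names are this example's own.

```python
import io
import posixpath
import zipfile

# Extensions that Windows would hand to the shell as a script or program.
# This list is an assumption for the example; extend it for your environment.
EXEC_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com", ".wsf", ".hta"}


def scan_archive(data: bytes) -> list:
    """Return findings describing CVE-2023-38831-style entry layouts in a ZIP.

    Pattern checked: a top-level file entry (the decoy a user would open)
    whose exact name is also a directory in the archive, and a direct child of
    that directory whose name begins with the decoy name and ends in an
    executable extension. Trailing whitespace in the decoy name, which the
    publicly analysed samples used, is reported as a secondary indicator.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]

    files = {n for n in names if not n.endswith("/")}
    # Directories implied by any entry path, whether or not the archive
    # carries explicit directory entries.
    dirs = set()
    for name in names:
        parts = name.split("/")
        for k in range(1, len(parts)):
            dirs.add("/".join(parts[:k]))

    for decoy in sorted(files):
        if "/" in decoy or decoy not in dirs:
            continue  # only a top-level file that shadows a directory qualifies
        matches = []
        for child in sorted(files):
            if not child.startswith(decoy + "/"):
                continue
            base = child[len(decoy) + 1:]
            if "/" in base:
                continue  # only direct children of the shadowed directory
            ext = posixpath.splitext(base)[1].lower()
            if base.startswith(decoy) and ext in EXEC_EXTS:
                matches.append(base)
        for base in matches:
            findings.append(f"decoy {decoy!r} shadows a directory holding {base!r}")
        if matches and decoy != decoy.rstrip():
            findings.append(f"decoy {decoy!r} carries trailing whitespace")
    return findings


def build_sample(suspicious: bool) -> bytes:
    """Build a constructed in-memory ZIP: the layout under test, or a benign one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if suspicious:
            zf.writestr("report.pdf ", b"%PDF-1.4 constructed decoy")
            zf.writestr("report.pdf /report.pdf .cmd", b"rem constructed sample, does nothing\r\n")
        else:
            zf.writestr("report.pdf", b"%PDF-1.4 constructed document")
            zf.writestr("images/logo.png", b"\x89PNG constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("suspicious", build_sample(True)), ("benign", build_sample(False))):
        print(label, scan_archive(sample) or "no findings")
```

Run it against archives arriving at a mail gateway or sandbox before they reach users; a hit is a strong reason to quarantine, but the real fix remains updating WinRAR past the patched release.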

The attacks, initially discovered by cybersecurity researchers, have been corroborated by the Ukrainian National Security and Defense Council (RNBO). Their November report outlines the APT29 campaigns, shedding light on the extent of the damage inflicted by these cyber intruders.

The fact that foreign embassies are specifically being targeted by this onslaught is very disturbing. Because these organizations handle so much private, political, and diplomatic data, they are often the focus of state-sponsored cyber espionage. The attackers' capacity to take advantage of flaws in popular software, such as WinRAR, emphasizes the necessity of constant watchfulness and timely software updates to reduce any threats.

In response to these disclosures, cybersecurity professionals advise organizations, particularly those in sensitive fields such as diplomacy, to conduct thorough security assessments, patch vulnerabilities promptly, and strengthen their defenses against evolving attacks. The APT29 attacks highlight the importance of a multi-layered cybersecurity strategy that combines advanced threat detection, staff awareness training, and sound software security practices.

International cybersecurity organizations must work together as governments struggle with the ever-changing world of cyber threats. The APT29 attacks are a sobering reminder that the digital sphere has turned into a combat zone and that, in order to preserve diplomatic relations and maintain national interests, defense against such threats necessitates a united front.

U.S. Intelligence Reports: Spies and Hackers are Targeting US Space Industry


U.S. intelligence agencies have recently issued a warning against foreign spies who are targeting the American space industry and executing cyberattacks against the country’s satellite infrastructure.

The U.S. Office of the Director of National Intelligence's National Counterintelligence and Security Center (NCSC) issued a bulletin on August 18, alerting the public that foreign intelligence agencies may use cyberattacks, front companies, or traditional espionage to gather sensitive data about American space capabilities or cutting-edge technologies. The bulletin also mentions the use of counterspace technologies, such as hacking or jamming of satellites, to interfere with or harm American satellite systems.

As noted by the NCSC bulletin, foreign intelligence agencies "recognize the importance of the commercial space industry to the U.S. economy and national security, including the growing dependence of critical infrastructure on space-based assets." 

A set of guidelines is provided in the statement to assist private enterprises in minimizing any potential harm that these espionage attempts may create. The warning comes as funding for the U.S. space sector is rising rapidly with America’s satellite infrastructure expanding at an unparalleled rate.

NCSC further lists a number of ways in which foreign intelligence services may seek access to space companies, their insights, and their new technologies. Some of these methods appear innocent enough, such as approaching space industry professionals at conferences or contacting them through online forums to obtain information.

Other methods were more linked to ‘business dealings,’ through which foreign intel agencies frequently try to obtain access to sensitive information by investing in space companies through joint ventures or shell companies, or by buying their way into the supply chain that American aerospace companies rely on for the sourcing of parts and materials.

Some of the other methods mentioned were more explicit in nature, like carrying out cyberattacks or breaching private networks to steal intellectual property.

Moreover, the NCSC's bulletin warned the private space sector and stated that foreign intelligence agencies can compromise American national security by "collecting sensitive data related to satellite payloads, disrupting and degrading U.S. satellite communications, remote sensing and imaging capabilities," and targeting American commercial space infrastructure during interstate hostilities.  

Cyber Spying Seems to be the Predominant Goal of North Korean Hackers

 


According to a new study, an increasingly sophisticated North Korean cyber-espionage unit is using its skills to carry out spying operations on the aerospace and defense industries. 

According to an updated report released by a cyber-intelligence company, North Korean hackers are no longer viewed solely as criminals who break into cryptocurrency exchanges for financial gain. The report finds that their focus has shifted toward cyber espionage and information collection. 

Google analysts classify such a group of threat actors as an advanced persistent threat (APT), a group linked to sustained activity on the internet that may be considered criminal. 

In its report, FireEye, a US-based security firm that tracks cyber-attackers around the world, examines the threat from the North Korean hackers known as APT37 (Reaper) and says it has found that the group uses malware to infiltrate computer networks at home and abroad. The group has been active for some time but has now grown into an advanced persistent threat. 

Yet another report, published exclusively by Foreign Policy and authored by the private cyber-intelligence company Recorded Future, identifies espionage as the primary motivation behind North Korea's cyber program, which experts attribute to a desire for economic advantage. 

Recorded Future says that over 14 years there have been 273 cyberattacks attributed to North Korean state-sponsored groups. Over 70% of these were motivated primarily by the desire to collect information about government entities and neighboring countries in Asia, alongside the use of the same skill sets for high-profile cryptocurrency heists. 

The report makes clear that Pyongyang intends to gain "insight into how its adversaries think," as well as knowledge of technologies that could benefit the North in the event of a conflict. Government agencies are the most frequent targets of this type of attack, followed by cryptocurrency exchanges, media outlets, financial institutions, defense institutions, and nongovernmental organizations. 

Unlike many other countries, North Korea's government seems far more interested in finding out what other nations think of it and how it can improve. It moves quickly to gather information that can help it develop nuclear and ballistic missile technology, and it steals money to fund the regime. 

According to Anne Neuberger, deputy national security adviser for cyber and emerging technologies under President Biden, North Korea is unique in how it views and uses cryptocurrency. This is because it employs cyber operations to finance its nuclear arsenal. About half of the regime's missile program is financed by cryptocurrency and cyber heists. 

The group's cyber operations target Japan, Vietnam, and the Middle East, attempting to steal confidential information from companies and organizations in the chemical, electronics, manufacturing, aerospace, automotive, healthcare, and other sectors.

In recent years, North Korean hackers have been reported to have stolen billions of dollars from cryptocurrency exchanges around the world. The greatest threat of this year has so far been the high-profile attacks on exchanges, which have targeted Estonia and California. 

North Korea has been linked to a growing number of attacks beyond crypto, as well as smaller, more disruptive attacks across the globe, starting with the crippling of Sony Pictures just under a decade ago that put its cyber capabilities in the spotlight. After that came the hack of Bangladesh's central bank, which abused the SWIFT global financial transfer system, and the attack that crippled the United Kingdom's National Health Service. 

Nevertheless, Haszard and his coworkers found that a substantial majority of North Korea's cyber activities are directed at domestic targets to which they do not have access.  

According to the report, 83 percent of the attacks for which location information is available occurred in Asia, where the majority of the attacks were targeted. Attacks took place in 29 countries, most of them in the immediate neighborhood of South Korea, where almost 65 percent of the targets were located. North Korean attacks accounted for 8.5 percent of countries, while only three percent of countries were responsible for more than three percent of total North Korean attacks. 

A study by Recorded Future revealed that Lazarus, the biggest and most prominent group of hackers connected to the authoritarian regime, tends to target global targets but is not the most frequent perpetrator of cyberattacks in the world. A group known as Kimsuky targets Asian governments and civil organizations. This accounts for more than one-third of the group's attacks.

U.S. law enforcement agencies say Kimsuky hackers pose as South Korean journalists. They exchange emails with their targets to set up interviews before sending them a link or document embedded with malware; that is how the scam pays off. 

It is believed that the malware, known as BabyShark, can provide hackers with access to the devices and communications of those victims. It was found in a joint cybersecurity advisory published earlier this month by the FBI, National Security Agency, and South Korean authorities that Kimsuky actors had also been known to configure a victim's email account so that all emails were automatically forwarded to another account controlled by them. 
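The auto-forwarding technique in the advisory above is one that defenders can check for directly. Below is an added example (not part of the original post, not the FBI's or NSA's tooling) that audits a list of mailbox rules and flags enabled rules that forward or redirect mail to addresses outside the organisation, with extra weight when the rule also deletes the original. The rule records and domain list are constructed; their field names are this example's own and only loosely follow the fields an Exchange Online inbox-rule export exposes.

```python
# Constructed sample rules. The field names are this example's own; they
# loosely follow what an Exchange Online inbox-rule export exposes
# (Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage).
SAMPLE_RULES = [
    {"mailbox": "analyst@example.gov", "name": "Newsletters", "enabled": True,
     "forward_to": [], "redirect_to": [], "forward_as_attachment_to": [],
     "delete_message": False},
    {"mailbox": "analyst@example.gov", "name": ".", "enabled": True,
     "forward_to": ["collector@example.net"], "redirect_to": [],
     "forward_as_attachment_to": [], "delete_message": True},
    {"mailbox": "press@example.gov", "name": "Copy to deputy", "enabled": True,
     "forward_to": ["deputy@example.gov"], "redirect_to": [],
     "forward_as_attachment_to": [], "delete_message": False},
    {"mailbox": "press@example.gov", "name": "Old vendor copy", "enabled": False,
     "forward_to": [], "redirect_to": ["ops@example.org"],
     "forward_as_attachment_to": [], "delete_message": False},
]

# Domains the organisation owns (assumed for the example).
INTERNAL_DOMAINS = {"example.gov"}


def external_targets(rule, internal_domains):
    """Return the addresses a rule sends mail to that lie outside the organisation."""
    targets = rule["forward_to"] + rule["redirect_to"] + rule["forward_as_attachment_to"]
    return [t for t in targets if t.rsplit("@", 1)[-1].lower() not in internal_domains]


def audit_inbox_rules(rules, internal_domains):
    """Flag enabled rules that push mail to external addresses, with reasons.

    Disabled rules are skipped; internal-only forwards are normal business.
    """
    findings = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        ext = external_targets(rule, internal_domains)
        if not ext:
            continue
        reasons = ["forwards or redirects to an address outside the organisation"]
        if rule["delete_message"]:
            reasons.append("deletes the original, so the owner never sees the forwarded mail")
        if len(rule["name"].strip()) <= 1:
            # Near-empty names are a common attacker habit; this is a general
            # heuristic, not something the advisory on the page states.
            reasons.append("near-empty rule name")
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "targets": ext, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in audit_inbox_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"{hit['mailbox']}: rule {hit['rule']!r} -> {hit['targets']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

In practice the rule list comes from the mail platform's export, and the audit is worth scheduling rather than running once, since a rule added after the initial check is exactly what this technique relies on.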

North Korea is increasingly focusing on cyber espionage and information collection to gain an advantage over its adversaries, which raises concerns about its intentions and capabilities in cyberspace. The report also notes that North Korea has shown greater flexibility in conducting large-scale disruptions of critical infrastructure and ransomware campaigns than other adversaries with cyber capabilities, such as Russia and China.

Defense Contractor Hensoldt Confirms Lorenz Ransomware Attack

 

Hensoldt, a multinational defence contractor, disclosed that Lorenz ransomware has infected part of its UK subsidiary's systems. A spokesman for Hensoldt confirmed the security incident to BleepingComputer this week. 

Hensoldt's Head of Public Relations, Lothar Belz, told BleepingComputer, "I can confirm that a small number of mobile devices in our UK subsidiary have been affected." 

Belz, on the other hand, refused to provide any other specifics on the incident, adding, "for obvious reasons, we do not reveal any more facts in such cases." 

Since April, the Lorenz ransomware group has targeted several organizations around the world, demanding hundreds of thousands of dollars in ransom. Like other ransomware groups, Lorenz operators use a double-extortion approach: they steal data before encrypting it and threaten to publish it if the victim does not pay. Ransom demands have been quite high, between $500,000 and $700,000.

Hensoldt AG emphasizes sensor technology for security and surveillance missions in the defence, security, and aerospace sectors. Radar, optoelectronics, and avionics are the company's core product areas, and it is listed on the Frankfurt Stock Exchange. 

The defence multinational, which is listed on the Frankfurt Stock Exchange and with a revenue of 1.2 billion euros in 2020, offers sensor solutions for defence, aerospace, and security applications. The corporation works with the US government on classified and sensitive contracts, and its products include and equip tanks, helicopter platforms, submarines, and Littoral Combat Ships, among other things. 

The Lorenz ransomware group has already published the names of the firms it has compromised on its Tor leak site. At the time of writing, the group claims to have already uploaded 95 percent of the stolen files to the leak site. The gang named the archive file "Paid," implying that someone else paid to keep the Hensoldt files from being exposed. 

Tesorion, a cybersecurity firm, studied the Lorenz ransomware and produced a decryptor that may allow victims to decrypt their files for free in some situations.

Remote Access Trojans Target Aerospace and Travel Industries

 

Earlier this week, Microsoft Security Intelligence tweeted that it was tracking a remote access Trojan (RAT) campaign aimed at the aerospace and travel sectors. The campaign uses spear-phishing emails that deliver an actively developed loader, which in turn drops RevengeRAT or AsyncRAT. 

In the same thread of tweets, Microsoft noted that the attackers use the RATs for data theft, follow-on activity, and additional payloads such as Agent Tesla. The loader, which is under active development, is tracked by Morphisec as Snip3. 

These campaigns are not surprising as people emerge from lockdown and begin travelling again, bringing revenue back to the travel and tourism industry, said Netenrich's chief information security officer Chris Morales. 

“The level of targeting is also a reason why it’s so hard to detect attacks,” Morales added. “They change and are tailored. SecOps has to align with threats targeting their organizations specifically and not look for generic threats.” 

Dirk Schrader, vice president for security studies at New Net Technologies, said he expects to see sector-specific spear-phishing campaigns as everyone emerges from the pandemic. “Using familiar language and terminology can help in the effectiveness of a targeted campaign,” Schrader said. “It’s not shocking that attackers are targeting the transport sector as the sector is about to come back to life. Therefore, a well-crafted campaign addressing this situation is even better.” 

Roger Grimes, KnowBe4 Data-Driven Defense evangelist, adds that when attackers enter one industry company, they could read their emails and use this freshly infiltrated spot known as "cyber haven" to target their partners. 

These emails come from people the new victims already know, reuse email threads those people are genuinely part of, and arrive from email addresses the new victims trust. The risk of the new victims being defrauded is far higher when a request to click a link or open a document arrives in that setting. Staff therefore need to understand that phishing emails can come through people they know and trust, and that recognizing the sender's email address is not sufficient on its own.

Grimes said security awareness training should teach users to be wary of emails with the following traits: the email arrives unexpectedly, it asks the user to do something unfamiliar, and the requested action could harm the user or their organization. 

“If any two of those traits are present, the recipient should slow down, stop, think and verify the request another way, like calling the person on a predefined phone number,” Grimes added.