Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Africa. Show all posts

China-Backed Earth Baku Broadens Cyber Assaults to Europe, Middle East, and Africa

 

The China-backed threat actor Earth Baku has diversified its targeting footprint beyond the Indo-Pacific region to include Europe, the Middle East, and Africa starting in late 2022. Newly targeted countries include Italy, Germany, the U.A.E., and Qatar, with suspected attacks also detected in Georgia and Romania. Governments, media and communications, telecoms, technology, healthcare, and education sectors are among those singled out as part of the intrusion set.

Trend Micro researchers Ted Lee and Theo Chen, in an analysis published last week, noted that Earth Baku has updated its tools, tactics, and procedures (TTPs) in more recent campaigns. The group utilizes public-facing applications such as IIS servers as entry points for attacks, subsequently deploying sophisticated malware toolsets on the victim's environment. The findings build upon recent reports from Zscaler and Google-owned Mandiant, which also detailed the threat actor's use of malware families like DodgeBox (aka DUSTPAN) and MoonWalk (aka DUSTTRAP). Trend Micro has assigned them the monikers StealthReacher and SneakCross.

Earth Baku, a threat actor associated with APT41, has been known for its use of StealthVector as far back as October 2020. Their attack chains involve the exploitation of public-facing applications to drop the Godzilla web shell, which is then used to deliver follow-on payloads. StealthReacher has been classified as an enhanced version of the StealthVector backdoor loader, responsible for launching SneakCross, a modular implant and a likely successor to ScrambleCross that leverages Google services for its command-and-control (C2) communication.

The attacks are further characterized by the use of other post-exploitation tools such as iox, Rakshasa, and a Virtual Private Network (VPN) service known as Tailscale. Sensitive data exfiltration to the MEGA cloud storage service is accomplished by means of a command-line utility dubbed MEGAcmd. "The group has employed new loaders such as StealthVector and StealthReacher to stealthily launch backdoor components, and added SneakCross as their latest modular backdoor," the researchers stated.

"The persistence of Earth Baku is notable," said the researchers. "Their tactics show a sophisticated understanding of public-facing applications, allowing them to infiltrate various sectors with precision." They further explained that the group's post-exploitation tools are customized to fit specific operational needs, with iox and Rakshasa playing significant roles in maintaining prolonged access and stealth. Tailscale, the VPN service, ensures the attackers can manage their operations without detection, while MEGAcmd allows for efficient data exfiltration.

The continued evolution of Earth Baku's methods, including the introduction of new malware like SneakCross, highlights the growing complexity and threat posed by this actor. The group’s ability to adapt and refine their TTPs makes them a formidable adversary in the cyber landscape.

Sharp Dragon Shifts Cyber Attacks to New Frontiers: Africa and the Caribbean


Check Point Research has been monitoring Sharp Dragon, a Chinese cyber threat group, since 2021. This group, previously known as Sharp Panda, has primarily targeted organisations in Southeast Asia with phishing campaigns. Recently, however, they have expanded their activities to include government organisations in Africa and the Caribbean, marking a significant change in their strategy.

Starting in late 2023, Sharp Dragon shifted its focus to government entities in Africa and the Caribbean. They used previously compromised email accounts from Southeast Asia to send phishing emails. These emails contained documents that appeared legitimate but were actually designed to deliver Cobalt Strike Beacon malware, replacing their earlier use of VictoryDLL and the Soul framework.

The first attack targeting Africa occurred in November 2023, involving a phishing email about industrial relations between Southeast Asia and Africa. By January 2024, further attacks within Africa suggested that some initial attempts had been successful. Similarly, in December 2023, Sharp Dragon targeted a Caribbean government with a document related to a Commonwealth meeting. This was followed by a broader phishing campaign in January 2024, using a fake survey about opioid threats in the Eastern Caribbean.

Sharp Dragon has been refining its tactics. Their new approach includes more thorough checks on target systems before deploying malware. They now use Cobalt Strike Beacon, which allows them to control infected systems without exposing their custom tools immediately. This change helps them avoid detection and gather more information on their targets.

They have also shifted from using DLL-based loaders to executable files disguised as documents. These files write and execute malicious software and create scheduled tasks for persistence on the infected system.

Another major change is Sharp Dragon's use of compromised servers for their command and control operations. Instead of using dedicated servers, they exploit legitimate servers, making their activities harder to detect. For example, in May 2023, they used a vulnerability in the GoAnywhere platform to take over legitimate servers.

Sharp Dragon's new focus on Africa and the Caribbean shows a broader effort by Chinese cyber groups to increase their influence in these regions. After years of targeting Southeast Asia, Sharp Dragon is using its established tactics to gain foothold in new territories. Their refined methods and careful target selection highlight the need for enhanced cybersecurity measures in these regions, which have yet to be as heavily scrutinized by the global cybersecurity community.


Pegasus Spyware Targets Two Journalists in Togo: RSF

 

Reporters Without Borders (RSF) disclosed that two journalists in Togo had spyware on their phones that looked similar to the potent Pegasus surveillance tool used by the NSO group. RSF reports that the journalists are accused of defaming a government minister and are currently on trial for it. Since 1963 the nation of West Africa has been ruled by the same repressive royal family. 

RSF was unclear about the detected spyware, stating only that the "traces are typical of Pegasus." According to RSF, the Togo government employed Pegasus until at least 2021, and one of the two targeted journalists was exposed to a "major cyber-espionage operation throughout the first half of 2021.” 

RSF reported that Loïc Lawson, publisher of Flambeau des Démocrates, had 23 spyware attacks on his phone from February to July 2021. A second journalist, freelancer Anani Sossou, was targeted many months later, in October 2021. 

RSF stated that its forensic service for journalists, Digital Security Lab, conducted months of investigation, and Amnesty International's Security Lab corroborated its findings in an independent analysis. 

The organisation began probing the alleged phone tampering in December, roughly three weeks after the journalists were detained. Their arrest followed a complaint from Togo's minister of urban planning, housing, and land reform, who objected to their reporting disclosing the theft of approximately 600,000 Euros (nearly $650,000) in cash from his home.

According to RSF, the journalists were accused of undermining the minister's image and "inciting revolt" at a trial that began last month. While investigating the arrests, RSF stated in a press statement that it "discovered that [the journalists] had in fact been in the crosshairs of the Togolese authorities for a long time." 

The findings mark the first verified incident of spyware being used against journalists in Togo. Pegasus spyware has frequently targeted journalists, human rights campaigners, and opposition party leaders around the world in recent years. Researchers say the attack took place in February, shortly after the Russian government banned Timchenko's journal, Meduza, for being critical of Russia's invasion of Ukraine.

New Cyber Espionage Group Targeting Ministries of Foreign Affairs

 

Researchers unveiled a new cyber espionage group on Thursday, which is behind the series of targeted operations attacking diplomatic entities and telecommunication corporations in Africa and the Middle East since at least 2017. 

The campaign, dubbed "BackdoorDiplomacy," involves exploiting flaws in internet-exposed devices like web servers to carry out various cyber-hacking operations, including moving laterally across the network to execute a custom implant called Turian which is capable of exfiltrating sensitive data stored on removable media. 

Jean-Ian Boutin, head of threat research at Slovak cybersecurity firm ESET said, "BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S." 

The cross-platform group, which targets both Windows and Linux operating systems, singles out management interfaces for networking equipment and servers with internet-exposed ports, most likely abusing unsecured flaws to implement the China Chopper web shell for initial access, which is then used to conduct reconnaissance and install the backdoor. 

F5 BIG-IP devices (CVE-2020-5902), Microsoft Exchange servers, and Plesk web hosting control panels are among the systems affected. Victims have been identified in many African countries' foreign ministries and those in Europe, the Middle East, and Asia. Furthermore, in Africa and at least one Middle Eastern country, telecom carriers have also been hit. 

The researchers stated, "In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult."

BackdoorDiplomacy is also believed to overlap with previously reported campaigns operated by a Chinese-speaking group Kaspersky tracks as "CloudComputating.

According to ESET researchers, apart from its features to gather system information, take screenshots, and carry out file operations, Turian's network encryption protocol is nearly identical to that used by WhiteBird, a C++ backdoor operated by an Asia-based threat actor named Calypso that was installed within diplomatic organizations in Kazakhstan and Kyrgyzstan at the same timeframe as BackdoorDiplomacy.