
Evasive Panda Unfurls Cloud Services Under Siege

Evasive Panda, a China-sponsored hacking team, has unveiled CloudScout, a sleek, professionally built toolset that uses stolen web session cookies to recover data from compromised cloud services. ESET researchers discovered CloudScout while investigating a couple of past breaches in Taiwan (both targeting religious institutions and government organizations), which brought the toolset to the company's attention. CloudScout is written in .NET and was designed to integrate seamlessly with MgBot, Evasive Panda's proprietary malware framework.

The process runs step by step: MgBot feeds CloudScout previously stolen cookies, and CloudScout then uses the pass-the-cookie technique to access and exfiltrate data from the cloud services. The technique lets an attacker hijack an authenticated web browser session by presenting the stolen cookies in place of a fresh login. Evasive Panda is known by several other names, including BRONZE HIGHLAND, Daggerfly, and StormBamboo, and has been operating since at least 2012.
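From the defender's side, a replayed session cookie of the kind described above leaves a recognisable trace in server logs: an existing session id suddenly arrives from a different client than the one it was issued to. The following is an added illustration, not ESET's or this blog's code. It assumes a web application whose access log records, per request, a session cookie id, the client IP, the User-Agent and a timestamp; the key=value line format and the log lines themselves are constructed for the example.

```python
"""Spotting pass-the-cookie session replay in web access logs.

Added illustration, not ESET's or this blog's code. It assumes a web
application whose access log records, per request, a session cookie id,
the client IP, the User-Agent and a timestamp (the key=value line format
below is constructed for the example). A replayed cookie shows up as an
existing session id arriving with a client fingerprint that differs from
the one the session was issued to, with no fresh login in between.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Request:
    ts: str
    session_id: str
    ip: str
    user_agent: str


# Constructed sample log: two normal requests, then the same session id
# reused from another address with a non-browser client, then an
# unrelated session.
SAMPLE_LOG = """\
ts=2024-10-01T08:00:00Z sid=abc123 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/118"
ts=2024-10-01T08:05:00Z sid=abc123 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/118"
ts=2024-10-01T09:30:00Z sid=abc123 ip=198.51.100.77 ua="python-requests/2.31"
ts=2024-10-01T09:31:00Z sid=def456 ip=192.0.2.5 ua="Mozilla/5.0 (X11; Linux) Firefox/119"
"""

LINE_RE = re.compile(r'ts=(\S+) sid=(\S+) ip=(\S+) ua="([^"]*)"')


def parse_log(text):
    """Parse the constructed key=value lines into Request records."""
    requests = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            requests.append(Request(*match.groups()))
    return requests


def detect_cookie_replay(requests):
    """Return alerts as (session_id, ts, issued_fp, observed_fp) tuples.

    The fingerprint a session id is first seen with is treated as the
    one it was issued to; any later request carrying the same id from a
    different (ip, user_agent) pair is flagged.
    """
    issued_to = {}
    alerts = []
    for r in requests:
        fp = (r.ip, r.user_agent)
        if r.session_id not in issued_to:
            issued_to[r.session_id] = fp
        elif issued_to[r.session_id] != fp:
            alerts.append((r.session_id, r.ts, issued_to[r.session_id], fp))
    return alerts


def validate_session(bound_sessions, session_id, ip, user_agent):
    """Server-side mitigation: bind each session to the fingerprint it was
    issued with and refuse (forcing re-authentication) when it changes.
    Returns True when the request may proceed."""
    fp = (ip, user_agent)
    bound = bound_sessions.setdefault(session_id, fp)
    return bound == fp


if __name__ == "__main__":
    for alert in detect_cookie_replay(parse_log(SAMPLE_LOG)):
        print("possible cookie replay:", alert)
```

The IP component alone changes legitimately (mobile networks, VPNs, corporate egress), so in production a User-Agent change combined with an IP change is the stronger signal, and the binding check in `validate_session` is best paired with short cookie lifetimes and re-authentication for sensitive actions rather than used as a hard block on its own.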

Evasive Panda's objective is cyberespionage against countries, institutions, and individuals that oppose China's interests, such as the Tibetan diaspora, religious and academic groups in Taiwan and Hong Kong, and pro-democracy groups within China. Its cyberespionage activities have at times also been observed extending to other countries, including Vietnam, Myanmar, and South Korea.

Evasive Panda has accumulated a broad set of attack vectors, which makes it a formidable adversary. Its operators have carried out sophisticated TTPs and exploits, including supply-chain and watering-hole attacks and DNS hijacking, and have used recent CVEs affecting Microsoft Office, Confluence, and web server applications to compromise systems. The group has also shown that it can build sophisticated malware, as demonstrated by its well-documented collection of multi-platform backdoors for Windows, macOS, and Android.

On Windows, the group's most commonly used tools are MgBot (a custom malware framework built with eight plugins, detailed in our previous blog post, which explains its features) and the more recently developed Nightdoor. Nightdoor, described in another of our blog posts, is a sophisticated backdoor that uses a public cloud service to communicate with its command-and-control servers. CloudScout's internal framework handles the complex housekeeping its modules depend on, such as configuration, cookie management, and decryption of the cookies required to make web requests.

The CommonUtilities package within CloudScout also manages HTTP requests and cookies, which lets the tool adapt to the different structures of each targeted service and makes it effective for aggressive monitoring. The malware periodically monitors directories for new configuration files; each new file triggers a new extraction cycle, after which the malware removes the evidence of its activity. CloudScout employs a number of targeting methods that appear to have been designed for Taiwanese users, as evidenced by the language preferences and region-specific configurations embedded in its modules. Based on our analysis, CloudScout may also have modules targeting social media such as Facebook and Twitter, but we are not aware of these modules being actively deployed at this time.

CloudScout is a .NET toolset that Evasive Panda uses to steal data stored in cloud services, Ho explained. Using the pass-the-cookie technique, it hijacks authenticated web browser sessions and operates as an extension of the MgBot framework.

In a separate, alarming development in Canadian cyberspace, the Government of Canada has accused a "sophisticated state-sponsored threat actor" from China of conducting a broad reconnaissance campaign, spanning several months, against a variety of domains within the country.

In a recent statement, it was revealed that a majority of the targeted organizations were Canadian government departments and agencies, including federal political parties, as well as key legislative bodies such as the House of Commons and the Senate. Additionally, Evasive Panda, an advanced persistent threat (APT) group, targeted dozens of other entities spanning democratic institutions, critical infrastructure, defence sectors, media organizations, think tanks, and non-governmental organizations (NGOs). This broad reach underscores the serious nature of the ongoing cyber threat. Known by various aliases such as Bronze Highland, Daggerfly, and StormBamboo, Evasive Panda has been actively engaged in cyber espionage since at least 2012.

Its primary focus has been civil society targets, especially those associated with independence movements and democratic advocacy. ESET researchers note that this APT group is particularly focused on independence movements within the Tibetan diaspora, religious and academic organizations in Taiwan and Hong Kong, and democracy supporters within China. In recent years, Evasive Panda's operations have extended internationally, reaching regions such as Vietnam, Myanmar, South Korea, and, to a lesser extent, Nigeria. According to the researchers, Evasive Panda is known for continually evolving its cyberattack techniques. 

The latest attacks have demonstrated a marked increase in sophistication, signaling the group’s commitment to refining its approach and adapting to cybersecurity defenses. This new level of sophistication adds urgency for both national and international stakeholders to heighten their defenses and remain vigilant against this persistent and increasingly advanced cyber espionage threat.

Microsoft's Rise as a Cybersecurity Powerhouse

Tech titan Microsoft has emerged as an unexpected yet potent competitor in the cybersecurity industry at a time of rapid digital transformation and rising cyber threats. The company has quickly evolved from its conventional position into a cybersecurity juggernaut, meeting the urgent digital-security demands of both consumers and enterprises thanks to its broad suite of software and cloud services.

Microsoft entered the field of cybersecurity gradually and strategically. According to recent reports, the corporation has produced a whopping $20 billion in security-related revenue, underlining its dedication to protecting its clients in an increasingly complicated threat landscape. This unexpected change was brought on by a series of strategic acquisitions and a paradigm shift that prioritized security across all of its services.

The acquisition of cybersecurity businesses such as RiskIQ and ReFirm Labs has considerably improved the company's capacity to deliver cutting-edge threat intelligence and stronger security solutions. By incorporating these technologies into its existing portfolio, Microsoft has been able to offer a comprehensive package of services covering threat detection, prevention, and response.

The Azure cloud platform is one of the main factors contributing to Microsoft's success in the cybersecurity industry. As more companies move their operations to the cloud, it is crucial to protect the cloud infrastructure. Azure has been used by Microsoft to provide strong security solutions that protect networks, programs, and data. For instance, its Azure Sentinel service uses machine learning and artificial intelligence to analyze enormous volumes of data and find anomalies that could point to possible security breaches.

Furthermore, Microsoft's commitment to addressing cybersecurity issues goes beyond its own products. The business has taken the initiative to work with the larger cybersecurity community in order to exchange threat intelligence and best practices. Its participation in efforts like the Cybersecurity Tech Accord, which combines international tech companies to safeguard clients from cyber dangers, is an example of this collaborative approach.

Microsoft's success in the field of cybersecurity is not without its difficulties, though. The broader cybersecurity sector continues to be beset by a chronic spending problem as it works to strengthen digital defenses. Microsoft makes large investments in security, but many other companies find it difficult to set aside enough funding to properly combat constantly evolving attacks.

Over 2.5 Billion Google Chrome Users' Information was Breached

It is no longer necessary for a person to commute to a physical location to find information about anything they are interested in. 

Today, Google can be relied on to provide the most relevant information about almost anything, with a wealth of information available at the click of a button. As cloud services gain acceptance, however, the risk to data is growing along with them, leading to a rise in data breaches.

With billions of users, Google Chrome has become one of the most popular web browsers in the world.

According to the cyber security firm Imperva Red, a vulnerability in Google Chrome and Chromium browsers could expose the data of over 2.5 billion users worldwide to the risk of theft or other harm. 

The company reports that a vulnerability tracked as CVE-2022-3656 can be exploited to steal private information, such as the login credentials of cloud providers and crypto wallets. The flaw was found during an assessment of how the browser interacts with the file system. According to the blog, the purpose of this experiment was primarily to examine how browsers handle symlinks in order to find widespread issues.

As Imperva Red explains, a symbolic link is a kind of file that points to a different file or directory. The operating system treats a symlink as if it were the file or directory it points to, so the target can be accessed as though it were physically present at the link's location. Symlinks are useful for creating shortcuts, redirecting a file's path, or organizing files more flexibly.

These links can, however, also be exploited to expose vulnerabilities if they are not handled appropriately.
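The mishandling the paragraph above warns about comes down to one mistake: a component that opens whatever a user-supplied name resolves to, following a symlink out of the directory it was handed. The following is an added illustration, not Imperva's or this blog's code, contrasting that naive pattern with a hardened reader that rejects symlinks (inspecting the link itself rather than its target) and confirms the resolved path still lies inside the expected base directory. The directory layout, file names and "secret" contents are constructed in a temporary directory for the demo.

```python
"""Refusing to follow symbolic links when handling user-supplied files.

Added illustration, not Imperva's or this blog's code. It contrasts a
naive reader, which follows a symlink out of the directory it was handed,
with a hardened reader that rejects symlinks (checking the link itself,
not its target) and confirms the resolved path still lies inside the
expected base directory. The demo directory layout is constructed in a
temp dir.
"""
import os
import tempfile
from pathlib import Path


class UnsafePathError(Exception):
    """Raised when a path would be followed outside the intended directory."""


def naive_read(base_dir, name):
    """Vulnerable pattern: open whatever the name resolves to."""
    return (Path(base_dir) / name).read_bytes()


def read_file_safely(base_dir, name):
    """Hardened reader: no symlinks, no escaping the base directory."""
    base = Path(base_dir).resolve()
    candidate = base / name
    # is_symlink() uses lstat, so it inspects the link rather than its target.
    if candidate.is_symlink():
        raise UnsafePathError(f"refusing to follow symlink: {candidate}")
    # resolve() follows any symlinked parent components, so an escape via
    # a linked directory or via "../" segments is caught here.
    resolved = candidate.resolve()
    if resolved != base and base not in resolved.parents:
        raise UnsafePathError(f"path escapes {base}: {resolved}")
    if not resolved.is_file():
        raise UnsafePathError(f"not a regular file: {resolved}")
    return resolved.read_bytes()


def build_demo():
    """Construct uploads/recovery.txt (regular file) and
    uploads/recovery-link.txt (symlink to a secret outside uploads/).
    Returns (uploads_dir, secret_path)."""
    root = Path(tempfile.mkdtemp(prefix="symlink-demo-"))
    secret = root / "secret.txt"
    secret.write_bytes(b"wallet seed phrase (constructed)")
    uploads = root / "uploads"
    uploads.mkdir()
    (uploads / "recovery.txt").write_bytes(b"harmless upload")
    os.symlink(secret, uploads / "recovery-link.txt")
    return uploads, secret


def run_demo():
    """Exercise both readers; returns a dict of outcomes for inspection."""
    uploads, secret = build_demo()
    outcome = {
        # the naive reader hands back the secret through the link
        "naive_follows_link": naive_read(uploads, "recovery-link.txt") == secret.read_bytes(),
        # the hardened reader still serves ordinary files
        "regular": read_file_safely(uploads, "recovery.txt"),
    }
    for name in ("recovery-link.txt", "../secret.txt"):
        try:
            read_file_safely(uploads, name)
            outcome[name] = "ALLOWED"
        except UnsafePathError:
            outcome[name] = "BLOCKED"
    return outcome


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The order of the checks matters: the symlink test must use `lstat` semantics (as `Path.is_symlink()` does), because a plain `stat` or `exists()` already follows the link and reports the target; and the containment check has to run on the fully resolved path, since a symlinked parent directory or a `../` segment would otherwise slip past a test on the raw name.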

The company stated that the flaw, which affected Google Chrome, could have been exploited by building a fake website promoting a newly launched crypto-wallet service. Such a site would then prompt visitors to download "recovery" keys, deceiving them into creating a new wallet.