Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyberespionage. Show all posts
United States
Cyber Security Cyberespionage FBI Salt Typhoon Telecommunication United States

US Telecoms Warned of Chinese Cyber Espionage Threat

 


The White House recently brought together U.S. telecommunications executives to discuss a cyberespionage campaign attributed to Chinese-backed hackers. The attacks have been described by experts as the "worst telecom hack in U.S. history," compromising major telecom providers and targeting national security intelligence.

According to reports, the FBI said several breaches had occurred at telecommunications companies where attackers made off with sensitive data including call records and communications that the hackers could access due to government-mandated backdoors. The intrusion, according to reports, was done by a group code-named Salt Typhoon that has connections to China's Ministry of State Security. It is said to have engaged in espionage activities against officials from U.S. presidential campaigns.

The key telecom providers like AT&T, Verizon, and Lumen have been listed as victims of this cyberattack. Recently, T-Mobile has also revealed that its networks have been breached, though it claimed no customer data was compromised. The hackers did not only target U.S. companies but also stretched their reach to allied nations whose identities remain undisclosed.

Senator Mark Warner, chair of the Senate Intelligence Committee, called these attacks some of the most serious he's seen. He reported that the FBI had informed fewer than 150 people - mostly in Washington - whose communications were compromised. Some telecom companies are still working to get the attackers out of their networks, showing just how persistent these intrusions are. 


Techniques and Long-Term Goals

Salt Typhoon uses advanced tactics to infiltrate systems and maintain long-term access. They include vulnerability exploitation in common devices like Cisco routers and Microsoft Exchange servers. Researchers also found that this group uses legitimate tools to carry out their malicious activities, hence making it challenging to be detected.

Since at least 2020, this group has targeted not only the U.S. but also nations such as Brazil, India, and Taiwan. Their primary focus remains on gathering intelligence from telecommunications networks, government systems, and military organizations.

To mitigate such attacks, the FBI and CISA have been offering technical support to victims. U.S. Cyber Command has amplified operations aimed at disrupting the ability of Chinese cyber actors globally and, consequently, reducing the incidence and impact of such attacks.

This has also raised fears about broader objectives, including possible disruption of Western infrastructure in case tensions over Taiwan or any other issue are to rise further. According to FBI Director Christopher Wray, "China's hacking capabilities are larger than those of any other nation and present a significant challenge to our nation's cybersecurity defenses.".

In response to the growing threats, the Senate has scheduled a classified briefing in December to discuss further measures. The meeting underlines the urgent need to strengthen cybersecurity across critical sectors.


Read more »
VPN vulnerabilities
Cyber Security Cyberespionage FBI cybersecurity advisory Fox Kitten Iranian cyber threat actor Ransomware Affiliates VPN vulnerabilities

Iran Cyber Attack: Fox Kitten Aids Ransomware Operations in the U.S

 

A new joint cybersecurity advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) has revealed updated details about the Iran-based cyber threat group known as Fox Kitten.

Fox Kitten, known for selling compromised corporate access on underground cybercriminal forums, collaborates with ransomware affiliates to further exploit their victims. Recently, the group has targeted organizations in the U.S. and abroad.

Also referred to as Pioneer Kitten, UNC757, Parasite, Rubidium, and Lemon Sandworm, Fox Kitten has been engaged in cyberespionage since at least 2017. According to the FBI, this group is linked to the Iranian government and is involved in stealing sensitive technical data from various organizations. Their targets have included entities in Israel, Azerbaijan, Australia, Finland, Ireland, France, Germany, Algeria, Turkey, the U.S., and potentially more.

Fox Kitten has conducted numerous network intrusion attempts against U.S. entities since 2017, focusing on schools, municipal governments, financial institutions, and healthcare facilities, with incidents reported as recently as August 2024. Dragos, an OT cybersecurity firm, noted that the group has also attacked industrial control system (ICS) entities by exploiting vulnerabilities in Virtual Private Network (VPN) appliances.

The advisory noted that Fox Kitten operates under the guise of an Iranian company, Danesh Novin Sahand, which likely serves as a front for their malicious activities.

In 2020, Fox Kitten led "Pay2Key," an operation that demonstrated the group's capabilities beyond cyberespionage. Israeli-based ClearSky Cyber Security reported that ransomware attacks during this campaign targeted Israeli organizations with a previously unknown ransomware, likely as a propaganda effort to incite fear and panic. Stolen data was leaked online with messages such as "Pay2Key, Israel cyberspace nightmare!"

A 2020 report by CrowdStrike revealed that Fox Kitten also advertised access to compromised networks on underground forums, suggesting a diversification of their revenue streams alongside their government-backed intrusions.

Collaboration with Ransomware Affiliates
Fox Kitten collaborates with ransomware affiliates such as NoEscape, RansomHouse, and ALPHV/BlackCat, providing them with full network access in exchange for a share of the ransom. Beyond just access, Fox Kitten assists ransomware affiliates in locking victim networks and devising extortion strategies. However, the group remains vague about their Iran-based origin to their ransomware partners.

The joint advisory notes that the group often uses the aliases “Br0k3r” and “xplfinder” in their operations throughout 2024.

Technical Details
Fox Kitten uses the Shodan search engine to locate devices with vulnerabilities in specific technologies, such as Citrix Netscaler, F5 Big-IP, Pulse Secure/Ivanti VPNs, or PanOS firewalls. Once these vulnerabilities are exploited, they:

  • Install web shells and capture login credentials, adding backdoor malware to maintain access.
  • Create new accounts with discreet names like “IIS_Admin” or “sqladmin$” on the compromised networks.
  • Gain control of administrative credentials to infiltrate domain controllers and other critical infrastructure components, often disabling existing security measures.
  • The advisory also lists several indicators of compromise, including the TOX identifiers for “Br0k3r,” which the SANS Institute previously exposed in 2023 as an Initial Access Broker selling access to networks in multiple countries, including the U.S., Canada, China, the U.K., France, Italy, Norway, Spain, India, Taiwan, and Switzerland. The U.S. remains a primary target, being the most ransomware-affected country as per MalwareBytes.
Fox Kitten promotes its access sales through a Tor-hosted website on various cybercriminal forums. The group's first website version highlighted sales that included full-domain control, domain admin credentials, Active Directory user credentials, DNS zones, and Windows Domain trusts.

How to Protect Your Business from Fox Kitten

To protect against Fox Kitten, organizations should:

  • Regularly update and patch VPNs, firewalls, operating systems, and software.
  • Monitor access to VPNs for unusual connections or attempts and use filtering to restrict access.
  • Analyze log files for any indicators of compromise mentioned in the advisory and investigate immediately.
  • Deploy security solutions across all endpoints and servers to detect suspicious activity.
  • The FBI and CISA advise against paying ransoms, as there's no guarantee of file recovery and payments could fund further criminal activities.
Read more »
US-China
CISA Cyber Attacks Cyberespionage GhostNet GhostNet attack U.S. government US-China

GhostNet: Why is the Prominent Cyberattack Still a Mystery


Among the tools used in modern warfare, Cyberespionage has made a prominent name. Cyberespionage can be used to propagate misinformation, disrupt infrastructure, and spy on notable people including politicians, government officials, and business executives. In order to prepare for physical or cyber threats, nations also engage in espionage.

While many countries actively engage in some form of warfare, the U.S. has a certain stance that China, in regard to cyberespionage, poses a significant threat. According to the United States cyber defense agency CISA, "China probably currently represents the broadest, most active, and persistent cyber espionage threat to U.S. Government and private-sector networks."

CISA further notes that cyberattacks based in China may also have an impact on U.S. oil and gas pipelines, as well as rail systems.

While this warning is just an overview, China is renowned for its highly advanced cyber operations. The infamous GhostNet spy system, which compromised more than 1,000 computers of military, political, economic, and diplomatic targets around the world, is largely believed to have been coordinated by the Chinese government. China was never formally blamed for the crime, though, for a number of political and legal reasons. The history of GhostNet is therefore still a mystery.

Cyber Espionage Network ‘GhostNet’

GhostNet first came to light when the office of the Dalai Lama in India invited a team of security researchers at the Munk Center for International Studies at the University of Toronto to check their computers for any indication of a hack. This prompted an inquiry that turned up a large cyberattack that had compromised 1,295 systems over the course of two years in 103 nations. The Munk Center and Information Warfare Monitor analysts released a thorough analysis in 2009 that provided insight into the extensive spying operation they called "GhostNet."

GhostNet distributed malware via emails with attachments and suspicious links. Once the malware was successfully downloaded on the victim’s system, it would take complete access to the computers, which further enabled hackers to search for and download files, and even control the victim’s external devices like webcams and microphones. 

Around 30% percent of the victims of GhostNet were of high-profile, such as foreign ministries of several nations in Southeast Asia, South Asia and Europe. Also, several international organizations were targeted, like ASEAN, SAARC, the Asian Development Bank, news organizations, and computers of NATO headquarters.

Who was Behind the GhostNet Attacks?

Researchers from GhostNet were successful in locating and connecting to the espionage network's command servers. Hainan Island in China was linked to a number of IP addresses that the attackers used to communicate with the compromised PCs. Four control servers in total were found by the investigation, three of which were in China. The fourth server was situated at an American web hosting business. Furthermore, five of the six detected command servers were found in mainland China, while the sixth was found in Hong Kong.

According to researchers, China is amongst the most obvious operators behind GhostNet, however, their reports did not directly point at the country since they were unable to provide any concrete proof of the Chinese government’s involvement. They noted that other nations could also be behind the attacks.  

Read more »
Symantec
APT41 Atharvan RAT Blackfly Clasiopa Cyber Security Cyberespionage Cyberespionage Operation Lilith RAT Remote Access Tool Symantec

APT41: Cyberespionage Group Targets Asian Materials Industry


The Chinese-sponsored APT41 cyberespionage group, also known as Blackfly, Barium Bronze Atlas, Double Dragon, Wicked Panda, and Wicked Spider has emerged as one of the most active threat groups since at least 2007. 

The cyber-threat group has recently been targeting two subsidiaries of a major Asian conglomerate, which apparently specializes in materials and composites. The attack follows right after another distinct campaign against the Asian material sector. 

The APT attack was seen utilizing the Winnkit backdoor, Mimikatz, and several tools for credential dumping, screen capture, process hollowing, SQL querying, memory dumping (ForkPlayground), and proxy configuration. 

In one of the instances, Symantec discovered a material research organization in Asia that was being targeted by a previously unidentified threat group named ‘Clasiopa,’ which does not seem to be linked to the APTs. 

It is believed that Clasiopa acquired access to the targeted organization by brute forcing public facing servers and using a variety of post-exploitation tools like Atharvan remote access trojan (RAT), which is a modified version of the Lilith RAT, the Thumbsender hacking tool, and a custom proxy tool. The threat actor, according to Symantec, utilized the backdoors to compile lists of files and exfiltrate them, deleted logs, set a scheduled task to list file names, and verified the IP addresses of the compromised machines in an effort to disable endpoint protections. 

Moreover, it appears that Clasiopa used authorised software from Agile and Domino throughout the attack, but it is still unclear whether the attackers actually deployed the tools or simply abused the existing installations. Apparently Atharvan backdoor is able to download arbitrary files from the server, execute files, and configure communications through the C&C server, all based on the commands received from its operators. 

Adding to this, the Atharvan RAT can terminate or restart programs, send remote commands and PowerShell scripts, as well as terminate and uninstall itself. Further analysis on Atharvan revealed a Hindi mutex and a password, suggesting that Clasiopa could be based in India, although Symantec says that these could be some of the false flags planted by the threat group to muddle with the investigation.  

Read more »
WithSecure
Cyber Attacks Cyberespionage Cybersecurity Lazarus Group North Korea Ransomware WithSecure

Energy and Healthcare Firms Are The Focus of The Lazarus Group Once Again

 


The North Korean Lazarus Group, which was employed by the North Korean government to target medical research and energy organizations with cyberattack campaigns, was reported by security researchers on February 2.  

The campaign was discovered by threat intelligence analysts at WithSecure. They were trying to unravel a ransomware attack that they suspected had been launched against one of their customers. In the course of their investigation, they discovered evidence indicating that the Lazarus crew had committed an OpSec oversight that led to a key operational security (OpSec) slip-up, which provided them with proof that the event was part of a wider state-sponsored intelligence gathering campaign already being carried out by North Korea. 

Sami Ruohonen, the senior threat intelligence researcher for WithSecure, says his initial suspicion was that it was an attempted BianLian ransomware attack. 

Even though WithSecure had collected evidence in one direction, it quickly pointed in a different direction. Throughout the process of gathering more information, they became more and more confident that the attack had been perpetrated by a group associated with the North Korean government. Having discovered this, WithSecure concluded that it was indeed the Lazarus Group that had posed as the attack. 

The Path to Cyberespionage Begins With Ransomware 

It was the initial compromise and privilege escalation of the system that led them to the conclusion that they were engaged in this activity. In August, the Zimbra mail server was exploited using a known vulnerability that existed in an unpatched version of Zimbra. In one week, the threat actors had already accessed many gigabytes of data from the mailboxes on the server. The attacker used live-off-the-land (LotL) strategies along the way as he moved horizontally across the network by the end of October. The compromised assets began becoming connected to Cobalt Strike's command-and-control (C2) infrastructure in November, beginning the process of infiltrating almost 100GB of data from the network during the period between November and December.  

It is believed that the researchers dubbed this incident "No Pineapple" because it referred to an error message that was used in a backdoor that was used by the bad guys that replied > No Pineapple! > When the data size exceeds the segmented byte size, the operation fails. 

Based on the malware, the TTP, and a couple of unique findings, the researchers feel that there is a high degree of confidence in their identification of Lazarus group activity. Data exfiltration involves several key actions, one of which is critical. Several suspicious web pages appeared to be connected to a North Korean IP address for a short time, as a result of an attacker-controlled Web shell. Even though the country only has fewer than a thousand of these addresses, at first the researchers wondered if they had made a mistake. However, they later confirmed that they had not. 

The attacker showed exemplary tradecraft and still managed to carry out considered actions on carefully selected endpoints despite this OpSec failure, Tim West, head of WithSecure’s threat intelligence unit, commented on the actor’s performance. 

Upon digging deeper into the incident, the researchers discovered that additional victims were also identified as a result of the attack as the investigation proceeded. The victims were identified based on their connections to a C2 server that was controlled by threat actors during the attack. There are many espionage motives involved in this process, which points to a much larger effort than was first suspected as being the target. 

Among the hundreds of victims, several companies in the healthcare sector suffered losses including a company that researches healthcare. In addition, a company that manufactures technology utilized in the energy, defense, research, and healthcare sectors. 

During the third quarter of 2022, most of the breaches that have been reported occurred because of the infrastructure that researchers noticed in May. According to the victimology of the campaign, analysts consider the threat actor to have intentionally targeted the supply chain of the industry verticals of medical research and energy. This is based on the victimology of the campaign. 

Lazarus Never Remained Down for Long 

It is widely believed that the Foreign Intelligence and Reconnaissance Bureau of North Korea is responsible for the long-running Lazarus threat group that has been operating for over a decade. Researchers have confirmed that the group has been involved in hacking activities at least as far back as 2009. It has been responsible for an increasing number of attacks since then. It has only been a matter of short intervals where the man has been thrown to the ground between periods of standing. 

This anti-terrorist operation serves both a financial purpose - it is an extremely valuable source of revenue for the regime - as well as a spying purpose. As early as 2022, there were many reports of Lazarus providing sophisticated attacks against Apple of their M1 chip as well as fake job posting scams using Apple's M1. It should be noted that a similar attack took place last April. Computers were used to upload malicious files, disguised as job offers for highly attractive dream jobs, to targets in the chemical sector and information technology. 

As of last week, the FBI confirmed that the Lazarus Group, a group of cyber threat actors from the United States, was implicated in the theft of $100 million worth of virtual currency last June from the cross-chain technology created by Harmony to exchange data across blockchains, termed Horizon Bridge, owned by the blockchain company Harmony. According to estimates provided by the FBI, because of the actions of the group in the Horizon Bridge heist, the group was able to launder more than $60 million worth of Ethereum by using the Railgun privacy protocol in January. There has been a report that authorities were able to freeze "some of these funds."
Read more »
USA
Cyber Crime cyber espionage Cyber Fraud Cyberespionage DOJ FBI United States Cyber Security USA

Ex-NSA Employee Charged with Espionage Case

A former U.S. National Security Agency (NSA) employee from Colorado has been arrested on account of attempting to sell classified data to a foreign spy in an attempt to fulfill his personal problems facing because of debts. 

According to the court documents released on Thursday, the accused Jareh Sebastian Dalke, 30, was an undercover agent who was working for the Federal Bureau of Investigation (FBI). 

Jareh Sebastian said that he was in contact with the representative of a particular nation "with many interests that are adverse to the United States," he was actually talking to an undercover FBI agent, according to his arrest affidavit. 

Dalke was arrested on Wednesday after he allegedly agreed to transmit classified data. "On or about August 26, 2022, Dalke requested $85,000 in return for additional information in his possession. Dalke agreed to transmit additional information using a secure connection set up by the FBI at a public location in Denver,"  eventually it led to his arrest,  the DoJ said. 

Earlier he was employed at the NSA from June 6, 2022, to July 1, 2022, as part of a temporary assignment in Washington D.C as an Information Systems Security Designer. Dalke is also accused of transferring additional National Defense Information (NDI) to the undercover FBI agent at an undisclosed location in the U.S. state of Colorado. 

Following the investigation, he was arrested on September 28 by the law enforcement agency. As per the USA court law, Dalke was charged with three violations of the Espionage Act. However, the arrest affidavit did not identify the country to which Dalke allegedly provided information. 

The affidavit has been filed by the FBI and mentioned that Dalke also served in the U.S. Army from about 2015 to 2018 and held a Secret security clearance, which he received in 2016. The defendant further held a Top Secret security clearance during his tenure at the NSA. 

"Between August and September 2022, Dalke used an encrypted email account to transmit excerpts of three classified documents he had obtained during his employment to an individual Dalke believed to be working for a foreign government," the Justice Department (DoJ) said in a press release.
Read more »
Vulnerability
CVE Cyberespionage Data Breach Data Theft Hacker Trojan Vulnerability

 New Confluence Remote Code Execution Flaw is Exploited by Cryptocurrency Miners

 

Atlassian has issued a security advisory on a severe unpatched remote code execution vulnerability that affects Confluence Server and Data Center products and is being actively abused in the field, according to the company. The CVE-2022-26134 vulnerability was found as an extensively exploited zero-day towards the end of May, and the vendor issued a patch on June 3, 2022. 

Several proof-of-concept (PoC) exploits for the CVE-2022-26134 bug have been made public. Following the disclosure of the RCE, Check Point Research (CPR) researchers observed a large number of exploitation attempts, with some of the malicious payloads used in the attacks being used as part of the same campaign carried by a crypto mining gang known as the "8220 gang" by doing bulk net scans to discover vulnerable Windows and Linux endpoints to plant miners. 

Miners are special-purpose programs that mine cryptocurrency like Monero for the threat actor using the host's available computational capabilities. Reduced server performance, increase hardware wear, greater operating costs, and even business disruption are all direct consequences of this action. These actors can also improve their attack at any time and dump more potent payloads because they have access to the system.

Multiple infection chains are used to target Linux and Windows operating systems. The attack starts with a specially crafted HTTP request which exploits CVE-2022-26134 and dumps a base64-encoded payload on both Linux and Windows platforms. The payload then downloads an executable, a Linux malware injects script and a Windows child process spawner. Both scenarios try to set up reboot persistence, then delete all current devices before activating the miner. 

The miner will deplete all system resources in both circumstances, therefore the "8220 gang" is aiming for maximum profit until the malware is uprooted, rather than silently mining on infected servers and attempting to remain undiscovered by using only a portion of the available processing capacity. Eventually, the Linux script looks for SSH keys on the host in an attempt to expand to other computers nearby. 

The web shell is believed to have been used to distribute two further web shells to disk, namely China Chopper and a bespoke file upload shell for exfiltrating arbitrary files to a remote server. The news comes within a year of another severe remote code execution issue in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) was actively exploited in the open to install cryptocurrency miners on compromised servers (CVE-2021-26084, CVSS score: 9.8). 

"Attackers can get direct access to highly valuable systems by exploiting such type of vulnerability," Volexity stated. "Furthermore, because they lack the necessary monitoring or logging capabilities, these systems can be difficult to investigate."
Read more »
Ministry of foreign affairs
Africa attacks Cyber Crime Cyberespionage Middle East Ministry of foreign affairs

New Cyber Espionage Group Targeting Ministries of Foreign Affairs

 

Researchers unveiled a new cyber espionage group on Thursday, which is behind the series of targeted operations attacking diplomatic entities and telecommunication corporations in Africa and the Middle East since at least 2017. 

The campaign, dubbed "BackdoorDiplomacy," involves exploiting flaws in internet-exposed devices like web servers to carry out various cyber-hacking operations, including moving laterally across the network to execute a custom implant called Turian which is capable of exfiltrating sensitive data stored on removable media. 

Jean-Ian Boutin, head of threat research at Slovak cybersecurity firm ESET said, "BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S." 

The cross-platform group, which targets both Windows and Linux operating systems, singles out management interfaces for networking equipment and servers with internet-exposed ports, most likely abusing unsecured flaws to implement the China Chopper web shell for initial access, which is then used to conduct reconnaissance and install the backdoor. 

F5 BIG-IP devices (CVE-2020-5902), Microsoft Exchange servers, and Plesk web hosting control panels are among the systems affected. Victims have been identified in many African countries' foreign ministries and those in Europe, the Middle East, and Asia. Furthermore, in Africa and at least one Middle Eastern country, telecom carriers have also been hit. 

The researchers stated, "In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult."

BackdoorDiplomacy is also believed to overlap with previously reported campaigns operated by a Chinese-speaking group Kaspersky tracks as "CloudComputating.

According to ESET researchers, apart from its features to gather system information, take screenshots, and carry out file operations, Turian's network encryption protocol is nearly identical to that used by WhiteBird, a C++ backdoor operated by an Asia-based threat actor named Calypso that was installed within diplomatic organizations in Kazakhstan and Kyrgyzstan at the same timeframe as BackdoorDiplomacy.
Read more »
Subscribe to: Posts (Atom)