Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label FireEye. Show all posts
Technology
Aerospace APT Cyber Crime cyber espionage Cyber Intelligence Cyber Spying Cyberattacks CyberCrime Cybersecurity FBI FireEye Hackers Technology

Cyber Spying Seems to be the Predominant Goal of North Korean Hackers

 


According to a new study, an increasingly sophisticated North Korean cyber-espionage unit is using its skills to carry out spying operations on the aerospace and defense industries. 

As per an updated report released by a cyber-intelligence company, North Korean hackers are no longer viewed as sole criminals who commit cybercrimes motivated by financial gain and break into cryptocurrency exchanges. According to the report, instead of focusing on cyber espionage and data collection, they focus more on information collection. 

A group of bad actors connected to potentially criminal activities on the internet has been identified by Google analysts as an advanced persistent threat (APT) or as a group of cybercriminals linked to activities that might be considered criminal. 

In its report, FireEye, a US-based security firm that keeps track of cyber-attackers around the world, examines the threat from North Korean hackers called APT37 (Reaper) and claims to have found that the group uses malware to infiltrate computer networks at home and abroad. This group has been active in the past but has now migrated to an advanced persistent threat. 

Yet another  report published exclusively by Foreign Policy, authored by private cyber-intelligence company Recorded Future, identifies espionage as the primary motivation behind North Korea's cyber program, which experts attribute to a desire for economic advantage. 

Recorded Future says over 14 years there have been 273 cyberattacks associated with state-sponsored groups in North Korean society. Over 70% of the respondents stated that they were motivated primarily by the desire to collect information about government entities and countries in neighboring Asia, as well as to use their skill sets to commit high-profile cryptocurrency heists. 

It is clear from the report that Pyongyang intends to gain a better understanding of how its adversaries think. This is done by providing the country with "insight into how its adversaries think" as well as knowledge about technologies that could benefit the North in the event of a conflict. Government agencies are usually the targets of this type of attack, followed by cryptocurrency exchanges, media outlets, financial institutions, defense institutions, and nongovernmental organizations as the next most frequent targets. 

Unlike many other countries, North Korea's government seems much more interested in finding out what other nations think of them and how they can improve. It only takes them a minute or two to gather information that can help them develop nuclear and ballistic missile technology. They steal money to fund their regime. 

According to Anne Neuberger, deputy national security adviser for cyber and emerging technologies under President Biden, North Korea is unique in how it views and uses cryptocurrency. This is because it employs cyber operations to finance its nuclear arsenal. About half of the regime's missile program is financed by cryptocurrency and cyber heists. 

The group's cyber operation targets Japan, Vietnam, and the Middle East as part of its efforts. By attempting to steal secret information from companies and organizations involved in chemical, electronics, manufacturing, aerospace, automotive, healthcare, and other sectors, it is attempting to steal valuable information.

In recent years, North Korean hackers have been reported to have stolen billions of dollars from cryptocurrency exchanges around the world. The greatest threat of this year has so far been the high-profile attacks on exchanges, which have targeted Estonia and California so far. 

There has been an increasing number of instances in which North Korea has been linked to attacks beyond crypto, as well as smaller, more disruptive attacks across the globe, starting with the crippling of Sony Pictures just under a decade ago that put its cyber capabilities in the spotlight. After that, Bangladesh's central bank was hacked, which compromised the Swift global financial transfer system used by the United Kingdom to transfer money, and the National Health Service of the United Kingdom was crippled following the hack. 

Nevertheless, Haszard and his coworkers found that a substantial majority of North Korea's cyber activities are directed at domestic targets to which they do not have access.  

According to the report, 83 percent of the attacks for which spatial information is available occurred in Asia, where the majority of the attacks were targeted. There were 29 countries where attacks took place, most of them being in the immediate neighborhood of South Korea, where almost 65 percent of the targets were located North Korean attacks accounted for 8.5 percent of countries, while only three percent of countries were responsible for more than three percent of total North Korean attacks. 

A study by Recorded Future revealed that Lazarus, the biggest and most prominent group of hackers connected to the authoritarian regime, tends to target global targets but is not the most frequent perpetrator of cyberattacks in the world. A group known as Kimsuky targets Asian governments and civil organizations. This accounts for more than one-third of the group's attacks.

U.S. law enforcement agencies say kinky hackers pose as South Korean journalists. They exchange emails with their targets to set up interviews before sending them a link or document embedded with malware. This is the result of their scam. 

It is believed that the malware, known as BabyShark, can provide hackers with access to the devices and communications of those victims. It was found in a joint cybersecurity advisory published earlier this month by the FBI, National Security Agency, and South Korean authorities that Kimsuky actors had also been known to configure a victim's email account so that all emails were automatically forwarded to another account controlled by them. 

North Korea is increasingly focusing on cyber espionage and information collection to gain an advantage over its adversaries. This raises concerns about its intentions and capabilities in cyberspace. Despite this, the report also confirms that North Korea has demonstrated enhanced flexibility when conducting large-scale disruptions of critical infrastructure or engaging in ransomware campaigns compared to opposing adversaries with cyber capabilities like Russia and China.
Read more »
VPN
CISA Credential Harvester FireEye malware Pulse Secure TTPs VPN

CISA Published MARs on Samples Targeting Pulse Secure Devices

 

Five new research reports outlining malware detected on compromised Pulse Secure devices were issued this week by the US Cybersecurity and Infrastructure Security Agency (CISA). Adversaries have been targeting Pulse Connect Secure VPN appliances to exploit a variety of vulnerabilities, including CVE-2021-22893 and CVE-2021-22937, which were found earlier this year.

CISA issued an alert in April this year on assaults on Pulse Secure devices, along with indicators of compromise (IOCs) and details on the malware used by the attackers. Threat actors' tactics, techniques, and procedures (TTPs) are detailed in the malware analysis reports (MARs). 

CVE-2021-22893 is a buffer overflow vulnerability in Pulse Connect Secure Collaboration Suite prior to version b9.1R11.4 that allows remote authenticated attackers to execute arbitrary code as the root user through a maliciously crafted meeting room. Two hacking groups have used the zero-day vulnerability in Pulse Secure VPN equipment to break into the networks of US defence contractors and government institutions around the world, according to reports issued by FireEye and Pulse Secure in May. 

CVE-2021-22937 is a high-severity remote code execution vulnerability in Pulse Connect Secure's admin web interface. A remote attacker might use the weakness to overwrite arbitrary files and gain root-level code execution. The bug has a CVSS score of 9.1 and is the consequence of a bypass of the patch provided in October 2021 to address the CVE-2020-8260 issue, according to experts. Early this month, Ivanti corrected a major code execution issue in Pulse Connect Secure VPN. 

According to CISA, two of the samples are maliciously modified Pulse Secure files received from compromised machines, both of which are credential harvesters. One of the files also serves as a backdoor, allowing attackers to access the hacked device remotely. A malicious shell script in another file might log usernames and passwords. A third sample consisted of many files, one of which had a shell script for converting a Pulse Secure file to a web shell. One file was created to intercept certificate-based multi-factor authentication, while others were created to read web request data.

Two Perl scripts designed to execute attacker instructions, a Perl library, a Perl script, and a shell script designed to manipulate and execute the 'bin/umount' file were included in the fifth sample.
Read more »
Threat Detection
Cyber Crime FireEye M-Trends 2021 Threat Detection

Threat Actors' Dwell Time Reduced to 24 Days, FireEye Reports

 

FireEye, the intelligence-led security company, published the FireEye Mandiant M-Trends 2021 report. The FireEye-owned forensic specialist’s M-Trends 2021 report was compiled from investigations of targeted attack activity between October 1, 2019, and September 30, 2020. This year’s report outlines critical details on the latest attacker methodologies and malware, the growth of multifaceted extortion and ransomware, preparing for expected UNC2452 / SUNBURST threat actors, growing insider threats, and industry targeting trends. 

“UNC2452, the threat actor responsible for the SolarWinds supply chain attack, reminds us that a highly-disciplined and patient actor cannot be underestimated. This actor’s attention paid to operational security, counter forensics, and even counterintelligence set it apart from its peers. Defense against this actor will not be easy, but it is not impossible. We have learned a great deal about UNC2452 in recent months, and we believe that intelligence will be our advantage in future encounters," said Sandra Joyce, Executive Vice President, Global Threat Intelligence, Mandiant.

Over the past decade, Mandiant has noticed a trending reduction in global median dwell time (defined as the duration between the start of a cyber intrusion and when it is identified). The researchers revealed that 59% of organizations detected attackers within their own environments over the period, a 12-percentage point increase on the previous year. The speed at which they did so also increased: dwell time for attackers inside corporate networks fell below a month for the first time in the report’s history, with the median global figure now at 24 days.

This is in stark contrast to the 416 days it took firms when the report was first published in 2011. It's also more than twice as fast as the previous year (56 days) and shows that detection and response are moving in the right direction. For incidents notified to firms externally, the figure was slightly higher (73 days) and for internally detected attacks it was lower (12 days). In America, dwell time dropped from 60 days in 2019 to just 17 days last year, while in APAC (76 days) and EMEA (66 days) the figure increased slightly. 

The top five most targeted industries, in order, are Business and Professional Services, Retail and Hospitality, Financial, Healthcare and High Technology. Mandiant experts observed that organizations in the Retail and Hospitality industry were targeted more heavily in 2020 – coming in as the second most targeted industry compared to 11th in last year’s report. 

Healthcare also rose significantly, becoming the third most targeted industry in 2020, compared to eighth in last year’s report. This increased focus by threat actors can most likely be explained by the vital role the healthcare sector played during the global pandemic.

However, a major contributing factor to the global reduction in dwell time may be the escalation of ransomware attacks, which usually take place over a shorter time frame than traditional cyber-espionage or data theft operations.
Read more »
Sunshuttle
FireEye malware SolarWinds Attack Sunshuttle

Sunshuttle, the Latest Strain Allegedly Linked to SolarWinds Hackers

 

FireEye researchers have discovered a new strain of backdoor malware on the servers of an organization exploited by the SolarWinds hackers. The new strain is identified as ‘Sunshuttle’ and it was uploaded by a U.S.-based entity to a public malware repository in August 2020.

FireEye researchers Lindsay Smith, Jonathan Leathery, and Ben Read believe this new strain is connected to the hackers behind the SolarWinds supply-chain attack. Sunshuttle is a second-stage backdoor written in Go that uses HTTP to link with a command-and-control server for data exfiltration and adding a new code. 


Hacking of cybercrime forums ‘Mazafaka and Exploit’


Mysterious threat actors are targeting popular Russian language cybercrime forums ‘Mazafaka and Exploit’ and are leaking the stolen data on the dark web. On Tuesday, unknown threat actors dumped thousands of usernames, email addresses, and passwords on the dark web apparently stolen from Mazafaka. Threat actors have also leaked a 35-page PDF online which is a private encryption key allegedly used by Maza administrators. 

According to cyber intelligence firm Intel 471, “the file comprised more than 3,000 rows, containing the username, partially obfuscated passwords hashes, email addresses, and other contact details. Initial analysis of the leaked data pointed to its probable authenticity, as at least portion of the leaked user records correlated with our own data holdings.”

Antivirus Creator John McAfee charged with $13M cryptocurrency fraud 


John McAfee has been charged with securities fraud over a ‘pump-and-dump’ cryptocurrency scheme. Federal prosecutors unsealed a case against McAfee and his executive advisor and bodyguard Jimmy Gale Watson Jr. claiming the pair has raked in more than $13 million from the investors they victimized with their fraudulent schemes.

In late 2017 and early 2018, McAfee urged his hundreds of thousands of Twitter followers to invest in a number of obscure cryptocurrencies. Prosecutors say he failed to disclose his own financial stake in those tokens and in some cases outright lied about it. 

“The defendants allegedly used McAfee’s Twitter account to publish messages to his hundreds of thousands of Twitter followers touting various cryptocurrencies through false and misleading statements to conceal their true, self-interested motives,” Manhattan US Attorney Audrey Strauss stated.
Read more »
Security Breach
Breach Cyberattack Cybersecurity Breach FireEye Security Breach

US Cybersecurity Company FireEye Hacked by 'Nation-Backed' Threat Actors


On Tuesday, one of the leading cybersecurity firms, FireEye said that it has been attacked by "highly sophisticated" state-sponsored hackers who stole the company's valuable hacking tools used for testing customers' security and computer networks. The attack was heavily customized to breach FireEye's systems. 
 
The breach substantiated the biting reality that the most advanced security vendors out there, primarily to protect others from intrusions can also be targeted and consequently hacked. Notably, the attacker mainly sought data of some government customers, using an unprecedented combination of tactics, according to the firm. CEO Kevin Mandia in his blogpost characterized the attack as a 'highly targeted cyberattack', a kind never witnessed before. So far, no customer data seem to be accessed by the attackers. 
 
There are a number of speculations about who might have performed the attack, however, the firm gave no clarity about the origins of the attackers and is investigating the matter along with the FBI. In a similar context, Mandia indicated in his blog post that the nation responsible for the attack is someone with world-class offensive capabilities as the unfamiliarity of the attack speaks volumes about the top-notch capabilities tailor-made to attack FireEye.  
 
On the basis of his 25 years of experience in cybersecurity, Mr. Mandia further said in his Saturday's blog that this attack was “different from the tens of thousands of incidents we have responded to throughout the years,” and “used a novel combination of techniques not witnessed by us or our partners in the past.” 
 
“These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers,” the company said in the filing. “Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools.” 
 
While giving insights, a CISA spokesperson told, "As details are made available we are working to share and implement countermeasures across the federal networks and with our private sector partners," 
 
Meanwhile, FireEye has been said to have a "ringside seat" for some of the most advanced intrusions carried out globally by Mike Chapple, a former NSA official who's currently working at the University of Notre Dame as a cybersecurity expert.
Read more »
Medical Device Security
China FireEye Medical Device Security

Indian Healthcare Website Hacked, stolen data for sale





US-based cyber-security firm FireEye discovered a hack into a leading Indian healthcare website, stealing more than 68 lakh data of both doctors and patients.

The FireEye did not name the website but said that the cybercriminals mostly from China are selling the stolen data in web portals around the world.

"In February, a bad actor that goes by the name "fallensky519" stole 6,800,000 records associated with an India-based healthcare website that contains patient information and personally identifiable information (PII), doctor information and PII and credentials," FireEye said in its report shared with IANS.

According to FireEye, in between October 1, 2018, and March 31, 2019, their intelligence team stumbled upon on multiple healthcare-associated databases which were for sale in $2,000.

"In particular, it is likely that an area of unique interest is cancer-related research, reflective of China's growing concern over increasing cancer and mortality rates, and the accompanying national health care costs," the cyber-security agency noted.

"Targetting medical research and data from studies may enable Chinese corporations to bring new drugs to market faster than Western competitors," the report claimed.

Read more »
Hunting
Asia Pacific Cyber Attacks Darkweb hackers Data Breach FireEye Hunting

Asia Pacific is No 1 hunting ground for hackers

Global data from last year found that 64 per cent of all FireEye-managed detection and response customers were targeted again by the same or similarly motivated attack group -- up from 56 per cent in 2017 and Asia Pacific tops the list of malware report for 2019.

As organisations get better at detecting data breaches, hackers have become increasingly persistent, retargeting the firms they earlier broke into, US-based cybersecurity firm FireEye said on Monday.

A US-headquartered firm, Malwarebytes estimated an increase of 270% of malware detections amongst business in the Asia-Pacific region.

The financial services sector was seen to have the largest number of retargeted victims in 2018, particularly in the Asia-Pacific region, revealed the "FireEye 2019 Mandiant M-Trends Report". This trend is particularly relevant for the Indian market, given last year's cyber attack incidents at Cosmos Bank and State Bank of Mauritius.

Among the top ten countries that pose the biggest threat to malware, Asia Pacific tops the list with five countries.

Country                                          Biggest Threat

1. United States                              Information Theft
2. Indonesia                                    Backdoors
3. United Kingdom                         Information Theft
4. France                                         Information Theft
5. Malaysia                                     Backdoors
6. Thailand                                      Backdoors
7. Australia                                     Cryptomining
8. Germany                                     Information Theft
9. Brazil                                          Adware
10. Philippines                                Information Theft

"I encourage Indian firms to reassess their security posture and determine whether they can quickly detect and respond to intrusions," said Steve Ledzian, Vice President and APAC CTO, FireEye.

The Indian businesses must also determine whether "they know who is likely to attack them and how, and whether they have tested their security against human attackers in a red team scenario to try to spot weaknesses before their real world adversaries do," Ledzian said in a statement.

Singapore, a prized target

In Singapore alone, Malwarebytes saw a 180% increase in malware detections amongst the business sectors.

In the meantime, organisations appear to be getting better at discovering breaches internally, rather than being notified by an outside source such as law enforcement.
Read more »
Subscribe to: Posts (Atom)