
Hacktivists Target Asian Government Organizations


A previously unknown espionage group, tracked as Worok and active since late 2020, targets high-profile companies and local governments headquartered largely in Asia.

The group, named Worok by ESET researchers, has also hit targets in the Middle East and Africa.

ESET sees overlaps in tooling and targeting between Worok and another adversary tracked as TA428, which has been linked to attacks on military, government, and public-sector organizations as well as telecom, banking, maritime, and energy companies.

Worok's toolkit, according to ESET researcher Thibaut Passilly, "includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that employs steganography to extract concealed malicious payloads from PNG files."
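The post says PNGLoad pulls a hidden payload out of an otherwise ordinary PNG but does not describe the encoding. The added Python example below is not ESET's code and not Worok's loader; it shows the simplest such scheme, least-significant-bit (LSB) embedding in the pixel bytes of an 8-bit RGB image, with a minimal standard-library PNG writer and reader so it runs offline. The cover image, the payload and the LSB layout (a 32-bit length header followed by payload bits) are all constructed assumptions, not details taken from the report.

```python
"""LSB steganography round-trip in a PNG, standing in for the kind of
payload hiding the post attributes to PNGLoad.

Added example; not ESET's code and not Worok's loader. The cover image and
payload are constructed in memory, and the LSB layout (32-bit big-endian
length, then payload bits, one per byte of pixel data) is an assumption."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def make_png(width, height, pixels):
    """Write an 8-bit RGB PNG (filter type 0 on every row) from raw pixel bytes."""
    if len(pixels) != width * height * 3:
        raise ValueError("pixel buffer does not match dimensions")
    raw = b"".join(b"\x00" + pixels[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def png_pixels(data):
    """Parse a PNG as produced by make_png (8-bit RGB, unfiltered rows) back into pixel bytes."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", None, None
    while pos < len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack_from(">IIBB", body)
            if depth != 8 or colour != 2:
                raise ValueError("only 8-bit RGB is handled here")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    raw = zlib.decompress(idat)
    stride = width * 3 + 1
    rows = []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("only filter type 0 is handled here")
        rows.append(row[1:])
    return width, height, b"".join(rows)


def embed_lsb(pixels, payload):
    """Store len(payload) as 32 bits, then the payload, one bit per pixel byte."""
    message = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels):
    """Reverse embed_lsb: read the length header, then that many payload bytes."""
    def read(offset, count):
        buf = bytearray()
        for k in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[offset + (k * 8) + i] & 1)
            buf.append(value)
        return bytes(buf)
    length = struct.unpack(">I", read(0, 4))[0]
    return read(32, length)


# Constructed cover (deterministic noise) and a harmless stand-in payload.
WIDTH, HEIGHT = 32, 16
COVER = bytes((i * 73 + 11) & 0xFF for i in range(WIDTH * HEIGHT * 3))
PAYLOAD = b"stand-in payload bytes, not real malware"


def round_trip(payload=PAYLOAD):
    """Embed, serialise to PNG, parse back and extract; returns the recovered payload."""
    png = make_png(WIDTH, HEIGHT, embed_lsb(COVER, payload))
    _, _, pixels = png_pixels(png)
    return extract_lsb(pixels)


def max_lsb_delta(payload=PAYLOAD):
    """Largest per-byte change the embedding made to the cover (1 for a pure LSB scheme)."""
    return max(a ^ b for a, b in zip(COVER, embed_lsb(COVER, payload)))


if __name__ == "__main__":
    print(round_trip())
    print("max per-byte delta:", max_lsb_delta())
```

The point for a defender is the last function: a pure LSB scheme changes each cover byte by at most one, so the image still renders and hashes of the file are the only thing that differ from the original, which is why a loader like this needs to be caught at the decoder (PNGLoad) rather than at the image.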

The group's activity paused between May 2021 and January 2022 before resuming the following month. The Slovak cybersecurity company assesses that the group's objectives are consistent with information theft.

In some cases in 2021 and 2022, ProxyShell exploits were used to gain an initial foothold on target networks, after which custom backdoors were deployed for persistent access. Other initial-compromise methods have not yet been identified.

Infection chains seen in 2022 have dropped CLRLoad in favor of PowHeartBeat, a full-featured PowerShell implant that launches PNGLoad and communicates with a remote server over HTTP or ICMP to carry out file operations, upload and download files, and execute arbitrary commands.

"In such situations, webshells have often been uploaded after these vulnerabilities have been exploited in order to enable persistence in the victim's network. The operators then utilized a variety of implants to obtain more capabilities," Passilly continued.

The PowerShell backdoor PowHeartBeat, first seen in February 2022, has replaced CLRLoad as the component that launches PNGLoad on infected systems. ESET has not yet been able to recover the final payload delivered at the end of this chain.

Worok is a cyber-espionage group that compromises its targets with a mix of custom-built tools and existing techniques.

We believe the attackers are after information theft from their victims as they target high-profile organisations in Asia and Africa, focusing on diverse sectors, both private and public, but with a particular emphasis on government entities.

Researchers Uncovered Russian Spy Agencies Targeting Slovak Government


For months, the Slovak government has been targeted by a cyber-espionage group associated with a Russian intelligence agency, the Slovak security companies ESET and IstroSec stated this week. ESET, headquartered in Bratislava, develops antivirus and firewall products and was named Slovakia's most successful company in 2008, 2009, and 2010.

The two companies also published further details of the campaign against the Slovak government, including the Cobalt Strike infrastructure the attackers operated. The group held responsible is tracked as APT29, also known as the Dukes and Nobelium, and is attributed to the Russian Foreign Intelligence Service (SVR). Its activity dates back to 2008 and typically targets government networks in NATO and European countries, research institutes, and think tanks.

Using publicly available information, community threat-intelligence sources such as VirusTotal, and their own investigations, IstroSec and ESET concluded that the SVR operators had spear-phished senior Slovak government officials.

Researchers presenting at the Def Con conference reported that SVR operators sent Slovak diplomats spear-phishing emails posing as Slovakia's National Security Authority (NBU). Each email carried an ISO or IMG disk-image attachment disguised as a Word document.

IstroSec researchers described how they uncovered the SVR command-and-control servers used in these attacks. The IstroSec report notes that some of the same C&C servers also hosted lure documents aimed at government officials in the Czech Republic.

ESET further stated that the group has targeted European diplomats in 13 countries. According to ESET, all of these intrusions used the same chain: email -> ISO disk image -> LNK shortcut file -> Cobalt Strike backdoor. Volexity and Microsoft have previously described this tactic in their own reports.
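The step of that chain a responder actually gets to hold is the shortcut on the mounted ISO: a .lnk whose target and arguments tell you what the LNK really runs. The added Python example below is not code from ESET, IstroSec or the original post; it parses the fixed header and StringData section of a shell link per the MS-SHLLINK layout (skipping the optional IDList and LinkInfo blocks) and applies a few triage heuristics. The sample shortcut is constructed in memory, and its rundll32 target, the DLL name and the filename are hypothetical, chosen only to exercise the parser.

```python
"""Triage helper for .lnk shortcuts pulled out of ISO/IMG lure attachments.

Added example, not code from the original post or from ESET/IstroSec.
The sample shortcut below is constructed in memory; its rundll32 target and
DLL argument are hypothetical, chosen only to exercise the parser."""
import struct

# MS-SHLLINK fixed header: HeaderSize 0x4C, then the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
IS_UNICODE = 0x80
# StringData fields, in the order the format stores them.
STRING_FIELDS = (
    (0x04, "name"),
    (0x08, "relative_path"),
    (0x10, "working_dir"),
    (0x20, "arguments"),
    (0x40, "icon_location"),
)
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight
SUSPICIOUS_HOSTS = ("rundll32", "regsvr32", "mshta", "powershell", "cmd.exe", "wscript", "cscript")


def build_lnk(show_command=1, **fields):
    """Build a minimal shell link with only the header and StringData (no IDList/LinkInfo)."""
    flags = IS_UNICODE
    body = b""
    for flag, key in STRING_FIELDS:
        if key in fields:
            flags |= flag
            text = fields[key]
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        0x4C, LNK_CLSID, flags, 0x20,  # HeaderSize, CLSID, LinkFlags, FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,                       # creation / access / write FILETIMEs
        0, 0, show_command,            # FileSize, IconIndex, ShowCommand
        0, 0, 0, 0,                    # HotKey, Reserved1..3
    )
    return header + body


def parse_lnk(data):
    """Return the header ShowCommand plus the StringData fields of a .lnk file."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:       # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


def triage(info, filename):
    """Heuristics an analyst would apply to a shortcut found on a mounted lure image."""
    reasons = []
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    for host in SUSPICIOUS_HOSTS:
        if host in target:
            reasons.append("launches " + host)
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window hidden via SW_SHOWMINNOACTIVE")
    stem = filename.lower()
    if stem.endswith(".lnk"):
        stem = stem[:-4]
    if stem.endswith((".doc", ".docx", ".pdf", ".xls", ".xlsx")):
        reasons.append("document extension before .lnk")
    return reasons


# Constructed sample: a shortcut posing as a Word document that runs rundll32
# against a DLL shipped on the same image (hypothetical names).
SAMPLE_LNK = build_lnk(
    show_command=SW_SHOWMINNOACTIVE,
    name="Invitation",
    relative_path=r"..\..\..\Windows\System32\rundll32.exe",
    working_dir=r"C:\Windows\System32",
    arguments=r"hidden\stage.dll,Run",
)

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    for key, value in info.items():
        print(f"{key:14} {value}")
    print("verdict:", triage(info, "Invitation.docx.lnk") or ["nothing suspicious"])
```

Real lures usually also carry a LinkTargetIDList and LinkInfo block; the parser skips both by their declared sizes, so the same function works on a shortcut copied off a mounted image. The relative path is the tell: a shortcut on removable media that climbs back to System32 to reach a LOLBin is not something a legitimate document shortcut does.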

Cobalt Strike is a commercial adversary-simulation and red-team operations platform. It is used by many pen-testers and red teams, and also by sophisticated actors such as APT19, APT29, APT32, Leviathan, the Cobalt Group, and FIN6; a license costs $3,500 per user per year.

The group has also used a wide range of tactics against iOS devices. In one case it exploited a zero-day Safari flaw on iOS to steal data from diplomats who read their email on their iPhones.

Local authorities, including the national computer security incident response team, were notified of the incidents and findings. The report includes the collected indicators of compromise, such as file hashes and IP addresses.