Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cyber espionage. Show all posts
Telecom Firms
CISA cyber espionage Data Breach Telecom Firms

US Exposes Major Chinese Cyber-Espionage Targeting Telecom Networks

 


The United States has accused China of conducting a vast cyber espionage operation that targeted multiple telecommunications networks. The hackers allegedly stole sensitive data and intercepted communications relating to a few government and political leaders. The incident raises national security concerns, in which officials are sounding warning bells.

US officials said that Chinese state-sponsored hackers broke into the systems of several telecom companies, looking to syphon away customer call records and gain unauthorised access to communication data. In some cases, the attackers allegedly copied information sought by US law enforcement through court-approved procedures, said analysts. That's a disturbing breach of sensitive data.

This is receiving full-time investigation by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to help targeted companies. Officials said they are only slowly learning the extent of what happened, but preliminary reports indicate a sophisticated attack that probably reaches virtually everywhere in the country.


 

Key Targets and Methods


Unnamed sources suggest that major telecom providers, including AT&T and Verizon, were among those breached. Hackers allegedly found a way into systems used for court-authorised wiretaps, bypassing security measures. Microsoft identified the group responsible as “Salt Typhoon,” a hacking collective linked to the Chinese state.


According to reports, this group had been undetected for months before exploiting vulnerabilities to gain access to sensitive communication networks. The list of allegedly targeted big fish includes former President Donald Trump, members of his family, and Vice President Kamala Harris' campaign staff. 


Impact Beyond Large Companies

The scope of the attack does not only extend to big corporations. Regional internet service providers were also targeted, which shows how the hackers covered many areas. Experts think that the attackers must have abused the wiretap systems by monitoring some specific numbers, which may give them audio data through such breaches.

 

Wider Issues and Follow-Up Investigations

US authorities have already informed dozens of affected organisations. Classified briefings have lately been conducted to enlighten lawmakers on the serious implications. Senator Ron Wyden, who attended one of the briefings described the breach as deeply concerning in regard to its implications across various sectors.

While the probe is still ongoing, more efforts have been committed toward discovering the scope of the operation. According to a State Department official, this attack highlighted vulnerabilities in telecom systems believed to have been secure, and a greater need for upgraded cyber defence mechanisms is therefore urgent.

This incident typifies the dynamic threat of state-sponsored cyberattacks with regard to challenges in safeguarding critical infrastructure. The US is to enhance its defence mechanisms and systems for better preparedness to such breaches in the future as investigations continue.

Read more »
State Sponsored Hackers
Cyber Crime cyber espionage Daggerfly Evasive Panda State Sponsored Hackers

State-Sponsored Cyber Threats: Daggerfly’s Upgraded Malware Toolkit

State-Sponsored Cyber Threats: Daggerfly’s Upgraded Malware Toolkit

According to a Symantec investigation, the prolific Chinese espionage outfit Daggerfly (also known as Evasive Panda and Bronze Highland) has considerably modified its malware toolset, enhancing its ability to target the majority of key operating systems.

The most recent advancements indicate that the gang is employing a single framework to efficiently target Windows, Linux, macOS, and Android operating systems.

The researchers saw the group using new malware versions in recent operations against Taiwanese organizations and a US NGO operating in China.

The Evolution of Daggerfly

Daggerfly has been active for over a decade, conducting espionage operations both internationally and within China. Their primary targets have included government agencies, defense contractors, and various industries critical to national security. Over the years, Daggerfly has demonstrated a high level of sophistication in their cyber operations, continually evolving their tactics, techniques, and procedures (TTPs) to stay ahead of detection mechanisms.

Symantec reported in April 2023 on a Daggerfly campaign targeting an African telecoms business, in which the gang employed new plugins written with the MgBot malware platform.

In March 2024, ESET identified persistent Daggerfly campaigns targeting Tibetans in multiple countries and territories. The researchers observed the group using Nightdoor, a previously undocumented backdoor.

Daggerfly appears to be capable of responding to disclosure by quickly updating its toolset and continuing its espionage efforts with minimal disturbance.

The Upgraded Malware Arsenal

Symantec stated that it discovered proof that Daggerfly had created the macOS backdoor Macma. Macma was initially documented by Google in 2021, however, it appears to have been used since at least 2019.

According to Google's early study, the modular backdoor provides a variety of data exfiltration capabilities, such as device fingerprinting, command execution, screen capture, keylogging, audio recording, and file uploading and downloading.

A second version of Macma includes incremental improvements to the existing capabilities, such as more debug logging and updated modules in the appended data.

Its main module showed signs of more comprehensive changes, such as new logic to collect a file's system listing and changed code in the AudioRecorderHelper function.

Symantec linked Macma to Daggerfly after discovering two variants of the Macma backdoor connected to a command-and-control (C&C) server also used by a MgBot dropper.

Furthermore, Macma and other well-known Daggerfly malware, such as Mgbot, incorporate code from a single, shared library or framework that has been used to create threats for Windows, macOS, Linux, and Android platforms.

The researchers also noted Daggerfly's usage of the Windows backdoor Suzafk, which ESET initially identified as Nightdoor in March 2024.

Implications for Cybersecurity

Suzafk is a multi-stage backdoor that can use TCP or OneDrive for command and control. It was created using the same shared library as Mgbot, Macma, and several other Daggerfly utilities.

The researchers found a configuration indicating that the ability to connect to OneDrive is in development or exists in other malware copies.

In addition to the tools listed above, Symantec claims Daggerfly can Trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting the Solaris operating system.

The Broader Context of Cyber Espionage

Daggerfly’s activities are part of a broader trend of state-sponsored cyber espionage. Nation-states invest heavily in cyber capabilities to gain strategic advantages over their adversaries. These activities often target critical infrastructure, intellectual property, and sensitive government information.

The international community has recognized the threat posed by state-sponsored cyber espionage, leading to increased efforts to develop norms and agreements to govern state behavior in cyberspace. However, the covert nature of these operations makes attribution and enforcement challenging.

Read more »
Five Eye
APT40 Chinese Hackers Cyber Crime cyber espionage Five Eye

Chinese APT40 Attackers Exploit SOHO Routers to Launch Attacks

 

Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the United Kingdom, and the United States have issued a joint advisory about APT40, a China-linked cyber espionage group, warning regarding its ability to co-opt exploits for newly disclosed security vulnerabilities within hours or days of public release.

"APT40 has previously targeted organizations in various countries, including Australia and the United States," the agencies noted. "Notably, APT40 possesses the ability to quickly transform and adapt vulnerability proofs-of-concept (PoCs) for targeting, reconnaissance, and exploitation operations.” 

The threat group, also known as Bronze Mohawk, Gingham Typhoon (previously Gadolinium), ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423, and TEMP.Periscope, has been active since at least 2011, carrying out cyber attacks against companies in the Asia Pacific region. It is believed to be based in Haikou.

In July 2021, the US and its allies officially identified the group as being linked to China's Ministry of State Security (MSS), indicting several members of the hacking crew for orchestrating a multiyear campaign aimed at various sectors to facilitate the theft of trade secrets, intellectual property, and high-value information. 

Over the last few years, APT40 has been linked to intrusion waves that distribute the ScanBox reconnaissance framework, as well as the exploitation of a security vulnerability in WinRAR (CVE-2023-38831, CVSS score: 7.8) as part of a phishing effort targeting Papua New Guinea to deliver a backdoor known as BOXRAT. Then, earlier this March, the New Zealand government implicated the threat actor in the 2021 deal between the Parliamentary Counsel Office and the Parliamentary Service.

The group has also been observed using out-of-date or unpatched devices, such as small-office/home-office (SOHO) routers, as part of its attack infrastructure in an attempt to reroute malicious traffic and avoid detection, a strategy similar to that used by other China-based groups such as Volt Typhoon.

According to Google-owned Mandiant, this is part of a larger shift in Chinese cyber espionage activity that aims to prioritise stealth by increasingly weaponizing network edge devices, operational relay box (ORB) networks, and living-off-the-land (LotL) techniques to avoid detection. 

Attack chains also include reconnaissance, privilege escalation, and lateral movement actions that use the remote desktop protocol (RDP) to steal credentials and exfiltrate sensitive information. To reduce the risks posed by such threats, organisations should maintain adequate logging mechanisms, enforce multi-factor authentication (MFA), implement an effective patch management system, replace obsolete equipment, disable unused services, ports, and protocols, and segment networks to prevent access to sensitive data.
Read more »
Spear Phishing
Cyber Crime cyber espionage Hackers Russia Spear Phishing

Inside the Espionage: How Nobelium Targets French Diplomatic Staff


Cybersecurity threats have become increasingly sophisticated, and state-sponsored actors continue to target government institutions and diplomatic entities. One such incident involves a Russian threat actor known as “Nobelium,” which has been launching spear phishing attacks against French diplomats.

ANSSI Issued an Alert

France's cybersecurity agency, ANSSI, has issued a notice outlining a Russian spear phishing attempt aimed at French diplomats, the Record writes. The CIA connects the campaign to "Nobelium," a threat actor linked to Russia's Foreign Intelligence Service (SVR).

The Campaign

Nobelium, believed to have ties to Russia’s Foreign Intelligence Service (the SVR), primarily uses compromised legitimate email accounts belonging to diplomatic staff to conduct these attacks. The goal is to exfiltrate valuable intelligence and gain insights into French diplomatic activities.

Compromising Email Accounts of French Ministers

These events included the penetration of email accounts at the French Ministry of Culture and the National Agency for Territorial Cohesion, but according to ANSSI, the hackers were unable to access any elements of those networks other than the compromised inboxes.

However, the hackers subsequently used those email addresses to target other organizations, including France's Ministry of Foreign Affairs. ANSSI stated that Nobelium attempted to acquire remote access to the network by installing Cobalt Strike, a penetration testing system infamous for being abused by bad actors, but was unsuccessful.

Other occurrences reported by ANSSI included the use of a French diplomat's stolen email account to send a malicious message falsely proclaiming the closure of the French Embassy in South Africa due to an alleged terror assault.

Tactics and Techniques

Nobelium’s spear phishing campaigns are highly targeted. They craft convincing lure documents tailored to specific individuals within diplomatic institutions, embassies, and consulates. Here are some tactics and techniques they employ:

Email Spoofing: Nobelium impersonates trusted senders, often using official-looking email addresses. This makes it challenging for recipients to discern the malicious intent.

Lure Documents: The threat actor attaches seemingly innocuous files (such as PDFs or Word documents) to their emails. These files contain hidden malware or exploit vulnerabilities in software applications.

Social Engineering: Nobelium leverages social engineering techniques to manipulate recipients into opening the attachments. They might use urgent language, reference official matters, or create a sense of curiosity.

Credential Harvesting: Once the recipient opens the attachment, the malware may attempt to steal login credentials or gain unauthorized access to sensitive systems.

Read more »
Velvet Ant
Bug Exploit cyber espionage malware Network Security Velvet Ant

Inside the Velvet Ant’s Web: F5 BIG-IP Vulnerabilities Exposed

“Inside the Velvet Ant’s Web: F5 BIG-IP Vulnerabilities Exposed

Cybersecurity threats have evolved beyond traditional attack vectors. One such sophisticated campaign involves the exploitation of F5 BIG-IP appliances by a group known as ‘Velvet Ant.’ In this blog post, we delve into the details of this stealthy data theft operation, shedding light on the techniques employed and the implications for organizations worldwide.

According to a Sygnia report, which discovered the breach after being called in to investigate the cyberattack, Velvet Ant established multiple footholds across the network, including a legacy F5 BIG-IP appliance that served as an internal command and control (C2) server.

The ‘Velvet Ant’ Group

The ‘Velvet Ant’ group, suspected to have ties to Chinese state-sponsored actors, has been active since at least 2017. Their primary focus is on cyber espionage, targeting government entities, defense contractors, and critical infrastructure organizations. Their modus operandi involves gaining persistent access to internal networks, exfiltrating sensitive data, and maintaining long-term presence without detection.

F5 BIG-IP Appliances: A Prime Target

F5 BIG-IP appliances are widely used for load balancing, application delivery, and security functions. Unfortunately, their ubiquity also makes them an attractive target for threat actors. The ‘Velvet Ant’ group leverages vulnerabilities in these devices to achieve their objectives.

The Malware Campaign

  • Initial Compromise: The group gains initial access through known vulnerabilities in F5 BIG-IP devices. These vulnerabilities allow them to bypass authentication and execute arbitrary code.
  • Custom Malware Deployment: Once inside the network, the attackers deploy custom malware tailored for F5 BIG-IP appliances. This malware establishes a covert channel for communication, allowing the group to maintain persistence.
  • Data Exfiltration: The malware exfiltrates sensitive data, including intellectual property, classified documents, and personally identifiable information (PII). The stealthy nature of the operation ensures that data theft remains undetected for extended periods.
  • Lateral Movement: The ‘Velvet Ant’ group moves laterally within the network, escalating privileges and accessing additional resources. They carefully avoid triggering alarms or arousing suspicion.
  • Long-Term Presence: Unlike traditional smash-and-grab attacks, this group aims for longevity. By maintaining a foothold, they can continuously monitor and extract valuable information.

Mitigation Strategies

  • Patch Management: Regularly update F5 BIG-IP devices to address known vulnerabilities. Timely patching reduces the attack surface.
  • Network Segmentation: Isolate critical systems from less secure segments to limit lateral movement.
  • Behavioral Analytics: Implement solutions that detect anomalous behavior within the network. Unusual data flows or unauthorized access attempts should trigger alerts.
  • Threat Intelligence Sharing: Collaborate with industry peers and share threat intelligence. Early detection of emerging threats is crucial.

Read more »
Threat Landscape
Chinese Hacker cyber espionage malware RAT Threat Landscape

Chinese Threat Actors Leveraging 'Noodle RAT' Backdoor

 

A backdoor in Executable and Linkable Format (ELF) files used by Chinese hackers has been misidentified as a version of existing malware for years, Trend Micro claimed in a recent analysis. 

In Noodle RAT: Reviewing the New Backdoor utilised by Chinese-Speaking Groups, a blog post based on a Botconf 2024 presentation, Trend Micro Research revealed Noodle RAT, a remote access Trojan employed by Chinese-speaking groups involved in espionage or criminal activity.

Noodle RAT, aka ANGRYREBEL or Nood RAT, has been active since at least 2018. However, it was always regarded as a variant of an existing malware strain, such as Gh0st RAT or Rekoobe.

“For instance, NCC Group released a report on a variant of Gh0st RAT used by Iron Tiger in 2018. Talos released a report on an ELF backdoor used by Rocke (aka Iron Cybercrime Group) in 2018. Sophos released a report on a Linux version of the Gh0st RAT variant used in the Cloud Snooper Campaign in 2018. Positive Technology Security released a report on Calypso RAT used by Calypso APT in 2019,” noted Trend Micro. 

The cybersecurity provider's threat intelligence team revealed that the ELF backdoor mentioned in these reports was actually a new malware strain known as Noodle RAT. 

Noodle RAT: New Malware Strain

Since 2020, the researchers claim to have discovered espionage campaigns employing Noodle RAT that targeted Thailand, India, Japan, Malaysia, and Taiwan. 

The Windows version of Noodle RAT contains several links to Gh0st RAT, a malware strain developed by the C. Rufus Security Team in China and exposed in 2008. For example, Win.NOODLERAT and Gh0st RAT share plugins, and the former employs a slightly similar packet encryption method to that employed by various Gh0st RAT variants, including Gh0stCringe, HiddenGh0st, and Gh0stTimes. 

However, the rest of Win.NOODLERAT and Gh0st RAT's code does not appear to be comparable, prompting Trend Micro to infer that the plugins were simply reused, despite the fact that the backdoor is completely different. 

Additionally, some Linux.NOODLERAT's code is identical to Rekoobe v2018, a backdoor built on Tiny SHell (or tsh) whose source code is freely available on GitHub. Specifically, both use the same reverse shell and process name spoofing techniques. 

“Still, since the rest of the code of Linux.NOODLERAT is totally different from any version of Rekoobe or Tiny SHell, we can conclude that Linux.NOODLERAT should be classified as another malware family,” Trend Micro concluded.
Read more »
Washington DC
conservative think tank cyber attack Cyber Attacks cyber espionage Cybersecurity donor information Heritage Foundation Investigation nation-state hackers Politico Republican politics Washington DC

US Think Tank Struck by Cyberattack

 

The Heritage Foundation, a prominent conservative think tank based in Washington, DC, revealed on Friday that it had fallen victim to a cyberattack earlier in the week. The attack, which occurred amid ongoing efforts to mitigate its effects, left the organization grappling with uncertainties regarding potential data breaches. 

Although the exact extent of the breach remained unclear, the foundation took proactive measures by temporarily shutting down its network to prevent further infiltration while launching an investigation into the incident.

Initial reports of the cyberattack surfaced through Politico, citing a Heritage official who speculated that the perpetrators behind the attack could be nation-state hackers. However, no concrete evidence was provided to substantiate this claim. Despite inquiries, Heritage spokesperson Noah Weinrich refrained from offering comments, both on Thursday via email and when approached by TechCrunch on Friday.

Founded in 1973, the Heritage Foundation has emerged as a significant force in conservative advocacy and policymaking, exerting considerable influence within Republican circles. Yet, its prominence also renders it a prime target for cyber threats, with think tanks often serving as lucrative targets for cyber espionage due to their close ties to government entities and policymaking processes. 

This incident marks another instance in which Heritage has faced cyber adversity, reminiscent of a 2015 attack that resulted in the unauthorized access and theft of internal emails and sensitive donor information.
Read more »
Human Vulnerability
Cyber Crime cyber espionage Digital Security Family Targeting Human Vulnerability

The Unseen Threat: How Chinese Hackers Target Family Members to Surveil Hard Targets

The Unseen Threat: How Chinese Hackers Target Family Members to Surveil Hard Targets

According to an indictment unsealed by American prosecutors, a Chinese hacking group known as APT 31, which is linked to China’s Ministry of State Security, has been targeting thousands of U.S. and Western politicians, foreign policy experts, academics, journalists, and democracy activists between 2015 and 2024. Their focus extends beyond the primary targets themselves; they also target family members of these individuals.

The Art of Subtle Intrusion

Hackers employ a more subtle and insidious method: targeting family members through carefully crafted emails. These messages don’t contain malicious attachments or overt phishing attempts. Instead, they include harmless tracking links that, when clicked, reveal a treasure trove of information about the recipient.

Imagine a journalist covering sensitive political topics. Her elderly mother receives an email seemingly from a distant relative, sharing family photos. Innocent enough, right? But that seemingly harmless click reveals the journalist’s location, her device details, and even her browsing habits. Armed with this reconnaissance, the hackers can then launch more direct attacks on her devices, infiltrating her digital life.

The Digital Age’s Achilles’ Heel

While this kind of targeting isn’t entirely unheard of, it remains relatively rare. The Chinese government’s efforts to control speech abroad increasingly rely on manipulating family relationships in creative ways. 

For instance, last year, the U.S. Department of Justice indicted over 40 individuals allegedly involved in a scheme by the Chinese Ministry of Public Security. This scheme used thousands of fictitious social media personas to attack and harass Chinese nationals living in the United States who had criticized the Chinese government.

The Family Connection

Why target family members? Because they are the soft underbelly of security. They are less likely to be tech-savvy, less cautious about clicking links, and more trusting of familiar faces. Moreover, family members often share devices, networks, and even passwords. By compromising one family member, the hackers gain a foothold in the entire network.

Consider a diplomat stationed abroad. His teenage daughter receives an email claiming to be from her school. She clicks the link, unknowingly granting access to her father’s encrypted communications. Suddenly, the diplomat’s confidential negotiations are exposed. The hackers have bypassed firewalls, encryption, and secure channels—all through a teenager’s curiosity.

The Broader Implications

This tactic isn’t limited to diplomats and journalists. It extends to academics, foreign policy experts, and even democracy activists. The hackers cast a wide net, ensnaring anyone connected to their primary targets. And it’s not just about surveillance; it’s about control and coercion.

Imagine a human rights activist whose elderly parents receive threatening emails. The message is clear: “Stop your activism, or your family suffers.” Suddenly, the stakes are higher. The activist’s fight for justice becomes a delicate balancing act between principles and protecting loved ones.

Read more »
State-sponsored Hackers
Cyber Crime cyber espionage FBI I-Soon State-sponsored Hackers

I-Soon Leak: Exposing China's Cyber Espionage

I-Soon Leak

In the dark caves of cyberspace, where secrets are traded like currency and digital shadows gamble, a recent leak of documents reveals that China's hacking community is not as advanced and systematic as it appears.

The leak is likely from a frustrated employee of Chinese cybersecurity company I-soon (Anxun in China), which tells a denting story of China's cyberespionage operations. It provides us with a backstage glimpse of China's hacking ecosystem.

Since 2010, China has leveled up its cyberespionage and cybertheft game to such extremes that FBI Chief Christopher Wray said that China's state-sponsored hackers outnumber U.S. cyber intelligence personnel 50-to-1.

The Players

I-Soon: The Contractor

I-Soon works for Chinese government agencies and private players. It has ties to China's major government contractors such as the Ministry of Public Security (police) and the Ministry of State Security (intelligence). I-Soon is a shadowy figure that plans campaigns crossing borders. Its weapons include zero-day exploits, sophisticated tools, and a diverse team of skilled hackers.

Targets: Foreign Networks to Dissidents

The leaked documents disclose I-Soon's wide range of surveillance. Their spying targets include both Chinese citizens and foreigners. The main targets are:

1. Foreign Networks: I-Soon's reach goes beyond Chinese borders. They hack foreign networks, steal sensitive info, and leave no digital stone untouched. Whether military intelligence, personal data, or corporate secrets, I-soon is involved in everything.

2. Political Dissidents: Regions like Hong Kong and Xinjiang are constantly under I-Soon's surveillance radar. The aim is to keep an eye on any form of dissent and opposition and inform the Chinese government.

The Exposed Data

Darkweb and Hacked Databases

I-Soon has vast databases of hacked info. These databases have stolen credentials, surveillance footage, and hacked emails. But where does it end? The hacked data is sold on the dark web. Chinese police are always on the lookout for this information, they buy these digital assets to improve their surveillance operations.

The Silent War

Cyberespionage is a war fought on an unseen battlefield. Contrary to traditional conflicts, there are no casualties or damage that can be seen in the open. However, cyber espionage destroys firewalls, lines of code are disrupted, and digital footprints disappear. A lot is at stake, economic dominance, national security, and ideological superiority.

The Impact

State-sponsored Cyberattack

I-Soon's operations highlight the murky relationship between state-sponsored cyber operations and private contractors. While the Chinese government shows it has no involvement, contractors like I-soon do their dirty work. The blurred lines between private and public actors create an environment where accountability doesn't exist.

Global Cybersecurity Awareness

The leak serves as a reminder to individuals, corporations, and nations to strengthen their digital defenses. Cybersecurity is a basic need for digital survival, it's not a luxury. Threat intelligence, encryption, and partnership across borders can be the defense against unknown cyber terror.

What have we learned?

The leak is only a glimpse into the dark world of cyberespionage, what we see is just the tip of the iceberg- the iceberg is hiding much more. I-Soon's leak is a wake-up call.

Read more »
United States
China Confidential Data Cyber Crime cyber espionage Data Leak United States

Former Google Employee Charged with Stealing AI Secrets

 

A former Google software engineer has been charged with stealing the company's artificial intelligence trade secrets while surreptitiously working for two Chinese companies, the Justice Department announced Wednesday. 

Linwei Ding, a Chinese national, was arrested in Newark, California, for four charges of federal trade secret theft, each punishable by up to ten years in prison. 

Attorney General Merrick Garland announced the case against Ding, 38, at an American Bar Association conference in San Francisco. Garland, along with other law enforcement leaders, has repeatedly warned about the threat of Chinese economic surveillance as well as the national security concerns posed by developments in artificial intelligence and other novel technologies.

“Today’s charges are the latest illustration of the lengths affiliates of companies based in the People’s Republic of China are willing to go to steal American innovation,” FBI Director Christopher Wray noted in a statement. “The theft of innovative technology and trade secrets from American companies can cost jobs and have devastating economic and national security consequences.” 

Google said it came to the conclusion that the employee had stolen "numerous documents" and had referred the case to law enforcement. 

“We have strict safeguards to prevent the theft of our confidential commercial information and trade secrets,” Google spokesman Jose Castaneda explained. “After an investigation, we found that this employee stole numerous documents, and we quickly referred the case to law enforcement. We are grateful to the FBI for helping protect our information and will continue cooperating with them closely.”

Artificial intelligence is the primary battleground for high-tech competitors, and who dominates can have far-reaching commercial and security repercussions. In recent weeks, Justice Department leaders have warned that foreign foes may use AI technologies to target the United States. 

Deputy Attorney General Lisa Monaco stated in a speech last month that the administration's multi-agency Disruptive Technology Strike Force would prioritise AI enforcement, and Wray told a conference last week that AI and other novel technologies had made it easier for attackers to try to interfere with the American political process. 

The indictment, unsealed Wednesday in the Northern District of California, alleges that Ding, who was hired by Google in 2019 and had access to sensitive information regarding the firm's supercomputing data centres, began uploading hundreds of files to a personal Google Cloud account two years ago. 

According to prosecutors, Ding was offered the post of chief technology officer at an early-stage technology business in China that advertised its use of AI technology and gave him a monthly salary of around $14,800, plus an annual bonus and company stock, just weeks after the theft started. The indictment says Ding travelled to China to attend investor meetings and seek funding for the company. 

In January, the FBI filed a search warrant at Ding's house and seized his electronic equipment, followed by an additional warrant for the contents of his personal accounts, which contained more than 500 distinct files of classified data that investigators claim he stole from Google.
Read more »
Network Security
cyber espionage Cyber Security Dark Web ISP Network Security

Hundreds of Network Operators' Credentials Compromised on Dark Web


Leaked creds of RIPE, APNIC, AFRINIC, and LACNIC are available on the Dark Web

After doing a comprehensive scan of the Dark Web, Resecurity discovered that info stealer infections had compromised over 1,572 customers of RIPE, the Asia-Pacific Network Information Centre (APNIC), the African Network Information Centre (AFRINIC), and the Latin America and Caribbean Network Information Center (LACNIC). 

Included in this number are new artifacts and historical records discovered in January 2024 as a result of an examination of subterranean marketplaces and Command and Control (C2) servers. In light of the highly disruptive hack that occurred recently against telecom provider Orange España, the cybersecurity community should reconsider how it protects the digital identities of employees who work in network engineering and IT infrastructure management.

Victims whose credentials were revealed on the Dark Web by info stealers such as Azorult, Redline, Vidar, Lumma, and Taurus have been alerted by Resecurity. 

Cybersecurity experts were able to compile the following data using the feedback that was gathered:

  • 16% of respondents were already aware that their accounts had been compromised due to a malicious code infection, and they had made the required password changes and enabled two-factor authentication. 
  • The remaining 45% did not know about the compromised credentials and acknowledged that their password change had been successful.
  • 14% knew of the compromised credentials, however, they didn't activate 2FA until they were notified (statement received).
  • Twenty percent of respondents agreed that further investigation into the incident that compromised credentials was necessary.
  • Five percent of the recipients were unable to offer any comments.

Cyberespionage organizations active

It's noteworthy that the majority of network administrators (those found to have been infiltrated) who oversaw networks used email addresses registered with free services like Gmail, GMX, and Yahoo. 
Cyberespionage organizations that are intensely focused on particular targets, including network administrators and their social networks, may find great value in these facts. Finding out about their private emails might result in more advanced campaigns and increase the chances of successful reconnaissance.

Malicious actors do more than just steal credentials. If they have access to network settings, they might change current setups or add dishonest components, which could seriously damage company infrastructure. 

Unauthorized changes of this nature have the potential to cause serious service interruptions and security breaches, which emphasizes how important it is to protect digital assets with strong security procedures and increased awareness.

The gathered data might verify that personnel engaged in mission-critical IT administration and network engineering tasks are similarly susceptible to malicious programming. If their accounts are compromised, they could serve as "low-hanging fruit" for significant cyberattacks.

What are experts saying?

Resecurity's cybersecurity specialists have drawn attention to the growing threats posed by the Dark Web, where nefarious actors could take advantage of credential compromises held by network engineers, data center technicians, ISP/Telco engineers, IT infrastructure managers, and outsourcing firms that oversee networks for their corporate customers. 

Therefore, for highly skilled threat actors, this employee category represents a high-value target. Resecurity's Dark Web study highlighted the danger landscape by identifying several compromised network engineer credentials that could allow threat actors to access gateways.
Read more »
United States
cyber espionage Cyber Security Data Privacy Surveillance Bill United States

New Surveillance Reform Bill Raises Concerns Regarding Americans Data Privacy

 

Spies might be made out of regular employees at US companies if the recently proposed and approved legislation by the House Intelligence Committee greatly expands the federal government's surveillance powers, experts warn. 

The legislation, called H.R. 6611 or the "HPSCI bill," is said to be aimed at updating Section 702 of the FISA Amendments Act of 2008. Section 702 was enacted to empower the National Security Agency (NSA) to intercept data related to suspected terrorists abroad. Such surveillance, however, has resulted in the widespread acquisition of domestic data as well. Without a warrant, agencies such as the FBI used data gathered under 702 to target Americans. Rep. Mike Turner (R-Ohio) and Rep. Jim Himes (D-Conn.) introduced the bill, which was approved by committee on December 7. 

Elizabeth Goitein, co-director of the non-profit Brennan Centre for Justice's Liberty and National Security Programme, was among many who raised concerns about the so-called reform after a section representing "the biggest expansion of surveillance inside the United States since the Patriot Act" was discovered. 

“Through a seemingly innocuous change to the definition of ‘electronic service communications provider,’ the bill vastly expands the universe of U.S. businesses that can be conscripted to aid the government in conducting surveillance,” Goitein stated. 

Currently, Section 702 allows the government to compel businesses with direct access to communications—like emails, phone calls, or texts—to share data. However, Goitein notes that under Section 504 of the HPSCI bill, any organisation having access to devices that store or transfer communications would likewise have to abide by requests for surveillance. 

“Hotels, libraries, coffee shops, and other places that offer wifi to their customers could be forced to serve as surrogate spies,” Goitein continued. “They could be required to configure their systems to ensure that they can provide the government access to entire streams of communications.” 

Goitein went on to say that even a repairman trying to fix your home internet router might be forced into spying on you. 

The bill's advocates have vehemently denied that Section 504 would be enforced so loosely. Senator Mike Lee (R-Utah), however, even criticised the bill on his meme account. “If this bill were to pass, and you went to McDonald’s and used the McDonald’s wifi service, the NSA could go to McDonald’s and obtain that wifi data—without a warrant,” Lee wrote. 

Goitein claims that despite the sponsors of the bill's assurances, the government's past performance shows that it cannot be trusted with such authority.
Read more »
State Sponsored Hackers
cyber espionage lazarus malware Malware loader State Sponsored Hackers

North Korean Links: Lazarus Group Strikes Again. This time via Unpatched Software Flaws


North Korean hackers spreading malware through legit software

North Korean hackers are spreading malware by exploiting known flaws in genuine software. The Lazarus group targets a version of an undisclosed software product for which vulnerabilities have been documented and solutions are available in a new campaign discovered by Kaspersky researchers.

Despite the vulnerabilities being disclosed and patched, the new advanced persistent threat campaign attacking companies globally used known flaws in a previous version of an unnamed software to encrypt web connection via digital certificates.

Threat actors used software to gain entry points

According to Kaspersky, hackers from the Lazarus group exploited the insecure software and used it as an entry point to breach organizations and encrypt web communication using digital certificates.

North Korea uses "cyber intrusions to conduct both espionage and financial crime in order to project power and finance both their cyber and kinetic capabilities," according to research by Google's Mandiant threat intelligence department. 

UN alleges North Korean links

Under Kim Jong Un's leadership, the DPRK is linked with a variety of state-sponsored hacking teams both at home and abroad that collect espionage on allies, opponents, and defectors, as well as hack banks and steal cryptocurrency. The UN has earlier accused North Korea of using stolen assets to fund the country's long-range missile and nuclear weapons programs, as well as enticing the country's officials.

To control the victim, hackers used SIGNBT malware and the infamous LPEClient tool, which experts have seen in attacks targeting defense contractors, nuclear engineers, and the cryptocurrency sector, and which was discovered in the infamous 3CX supply chain attack. "This malware acts as the initial point of infection and plays a crucial role in profiling the victim and delivering the payload," said experts.

According to Kaspersky, the developers of the unknown software previously became a target to Lazarus. According to the report, this repeated breach indicates a determined and persistent threat actor with the likely goal of compromising important source code or interfering with the software supply chain.

A deep look into the malware

According to Kaspersky experts, in mid-July, they noticed an increasing number of attacks on many victims utilizing the prone software, and they discovered post-exploitation activity within the genuine software's processes.

To establish and maintain efforts on hacked machines, the threat actor used a variety of techniques, including the development of a file called ualapi.dll in the system folder, which is loaded by default by the spoolsv.exe process at each system boot. According to the experts, Lazarus hackers also built registry entries to run genuine files for the purpose of malicious side-loading, assuring a durable persistence mechanism.

Lazarus used that malware loader to spread additional malware to the victim computers, such as LPEClient and credential dumping applications. The tool allows in extracting victim data as well as downloading additional payloads from a remote server for activation in memory.

As previously stated by the experts, it now uses advanced tactics to improve secrecy while preventing detection, such as deactivating user-mode syscall hooking and restoring system library memory parts.

Read more »
threat report
cyber espionage Cyber Security Cyber Warfare Nation-State Attacks threat report

Microsoft Warns of Rise in Global Cyberespionage Operations

 

Government-sponsored cyberespionage campaigns and data operations are on the rise, and not just as a result of hacker spies deployed by typical suspects Russia and China.

So warns Microsoft in its annual Digital Defence Report, which evaluates nation-state and criminal behaviour recorded from July 2022 to June 2023. 

Ransomware attacks naturally draw attention due to their visible and immediate impact, but governments are doubling down on stealthy cyberespionage operations behind the scenes. 

"Nation states are becoming increasingly sophisticated and aggressive in their cyberespionage efforts, led by highly capable Chinese actors focused on the Asia-Pacific region in particular," Tom Burt, Microsoft's corporate vice president for customer security and trust, stated in an introduction to the report. 

Based on Microsoft's report, the US was the subject of the most cyberattacks last year, followed by Israel and Ukraine. It witnessed an increase in activity last spring that targeted Western organisations, of which 46% were based in NATO states, particularly the U.S., the United Kingdom, and Poland. 

The United States' intelligence agencies have frequently warned that Russia, China, Iran, and North Korea pose the greatest internet risks to national security and allies. According to Microsoft, the scale and sophistication of activities linked to each of those countries continues to improve, and their efforts to steal information and alter narratives target both adversaries and allies. 

"Russian intelligence agencies have refocused their cyberattacks on espionage activity in support of their war against Ukraine, while continuing destructive cyberattacks in Ukraine and broader espionage efforts," Burt wrote in a blog post. 

China is still a significant player, concentrating particularly on gathering intelligence - particularly from U.S. defence and vital sectors, as well as Taiwan and even its own partners - and conducting influence operations, Microsoft reported.

Beijing additionally "deploys a vast network of coordinated accounts across dozens of platforms to spread covert propaganda" that targets Chinese speakers worldwide and occasionally spreads anti-American narratives, the report further reads. The nation's influence operations also emphasise "promoting a positive image of China through hundreds of multilingual lifestyle influencers."

There is ample evidence that Russia is using cyberespionage more frequently. Western intelligence authorities continue to issue warnings that the real scope of such operations is still unknown because they are intended to be stealthy and at times highly targeted. Long-term attacks might not be seen right away. 

The White House blamed the Russian Foreign Intelligence Service, or SVR, for the SolarWinds supply chain attack, which involved the injection of a Trojan into the Orion software updater. It's possible that the effort started in September 2019, but it wasn't discovered until December 2020, giving the SVR months to secure covert access to a number of extremely sensitive systems. 

Microsoft reports that nominal allies attack one another while conducting cyber operations and acquiring intelligence. Despite the meeting between Russian President Vladimir Putin and North Korean hereditary dictator Kim Jong Un last month, Pyongyang continues to carry out Moscow-centered espionage activities, with a particular emphasis on "nuclear energy, defence, and government policy intelligence collection." 

The threat from criminal groups continues to rise in addition to the risk from nation-state organisations. "Ransomware‐as‐ a-service and phishing-as-a-service are key threats to businesses, and cybercriminals have conducted business email compromise and other cybercrimes, largely undeterred by the increasing commitment of global law enforcement resources," Burt added.
Read more »
VSSE
Alibaba Belgian Intelligence cyber espionage Cyber Security Threat Intelligence VSSE

Belgian Intelligence Service are Scrutinising Alibaba For Possible Spying

 

The Veiligheid van de Staat (VSSE), the state security agency of the European country, is concerned about "possible espionage" at Alibaba's logistics base at a Belgian airport. 

Belgian intelligence officials have been keeping an eye on Cainiao, Alibaba's logistics division, at the cargo airport in Liège for any signs of spying or other types of espionage concerning shipments made for Beijing, as first reported by the Financial Times. 

The VSSE is eager to "detect and fight against possible spying and/or interference activities carried out by Chinese entities, including Alibaba," according to a statement issued to media outlets. 

Alibaba was unable to respond to our inquiries concerning the current scenario. "We strongly deny the allegations... based on prior conjecture," a spokesperson for the mega-corp told CNN earlier. Cainiao complies with all rules and regulations in the countries where it operates."

Cainiao will be floated and spun out by the Chinese e-commerce and cloud giant within the next six to twelve months.

According to the FT, which cited "people familiar with the matter," the VSSE is worried about software systems that compile private economic data.

The VSSE informed the newspaper that China "has the intent and capability to use this data for non-commercial purposes" since China's national intelligence law forces Chinese organisations to share information with the government. 

The logistics facility, which became operational in 2021, mostly deals with products that European customers have ordered through the online marketplace AliExpress. We believe that there is concern that Beijing, through Alibaba, may discover what sort of items are being shipped through the facility or potentially interfere with people's goods.

Cainiao apparently wants to increase the size of its airport warehouses by more than three times, from 30,000 square metres to 100,000 square metres. The negotiations between Alibaba and Belgium to host the logistics centre, according to Belgium's law minister Vincent Van Quickenborne, took place in "a previous century" and that "times of naiveté have changed." 

The espionage fears coincide with new warnings from Western nations about Chinese espionage and data theft. 

Chinese spies are believed to have broken into Outlook and Exchange Online accounts hosted by Microsoft over the summer and stolen more than 60,000 emails belonging to US government personnel.

US and Japanese government agencies issued a warning late last month that Beijing's spies might be lurking in Cisco routers and using that access to collect organisations' IP and other sensitive data. 

In the meantime, FBI Director Christopher Wray has frequently warned that China has 50 cybercriminals for each infosec operative employed by the agency. However, China reversed course and claimed that the US had broken into Huawei systems and stolen data going all the way back to 2009.
Read more »
Middle East
APT34 Covert Attacks cyber espionage Iran hackers malware Middle East

Iranian APT34 Employs Menorah Malware for Covert Operations

 

In a recent cyber espionage operation, suspected Iranian hackers infected their targets with the newly discovered Menorah Malware, according to a report released on Friday. 

APT34, also known as OilRig, Cobalt Gypsy, IRN2, and Helix Kitten, is believed to have its headquarters in Iran. Since at least 2014, it has targeted Middle Eastern nations, primarily concentrating on governmental institutions and companies in the finance, oil, chemical, and telecommunications industries. 

Researchers from Trend Micro claim that in August, the hackers infected targets suspected to be headquartered in Saudi Arabia with the Menorah malware via a series of phishing emails.

The malware designed by the group is intended for cyber espionage; it has the ability to download files to the system, run shell commands, and upload particular files from a compromised device.

The SideTwist backdoor, which the organisation had previously utilised, is said to be similar to the new malware created by APT34. But the new version is more complex and more difficult to spot. 

“APT34 is in continuous-development mode, changing up and trying which routines and techniques will work,” the researchers explained. 

A tiny portion of data regarding the victims targeted by APT34 was discovered by Trend Micro during the investigation. They impersonated the Seychelles Licensing Authority in their phishing emails by using a fake file registration form.

According to the investigation, the target victim was probably based in Saudi Arabia because this document included price information in Saudi Arabian currency. 

APT34 has a history of taking part in prominent cyberattacks on numerous targets in the Middle East. A government official in Jordan's foreign ministry was the target of Saitama's backdoor last year. The gang attacked a number of Middle Eastern banks in 2021. 

“This group operates with a high degree of sophistication and seemingly vast resources, posing a significant cybersecurity challenge regionally and beyond,” the researchers added. "Organisations should regularly alert their staff to the numerous techniques that attackers use to target systems, confidential information, and personal information."
Read more »
Technology
Aerospace APT Cyber Crime cyber espionage Cyber Intelligence Cyber Spying Cyberattacks CyberCrime Cybersecurity FBI FireEye Hackers Technology

Cyber Spying Seems to be the Predominant Goal of North Korean Hackers

 


According to a new study, an increasingly sophisticated North Korean cyber-espionage unit is using its skills to carry out spying operations on the aerospace and defense industries. 

As per an updated report released by a cyber-intelligence company, North Korean hackers are no longer viewed as sole criminals who commit cybercrimes motivated by financial gain and break into cryptocurrency exchanges. According to the report, instead of focusing on cyber espionage and data collection, they focus more on information collection. 

A group of bad actors connected to potentially criminal activities on the internet has been identified by Google analysts as an advanced persistent threat (APT) or as a group of cybercriminals linked to activities that might be considered criminal. 

In its report, FireEye, a US-based security firm that keeps track of cyber-attackers around the world, examines the threat from North Korean hackers called APT37 (Reaper) and claims to have found that the group uses malware to infiltrate computer networks at home and abroad. This group has been active in the past but has now migrated to an advanced persistent threat. 

Yet another  report published exclusively by Foreign Policy, authored by private cyber-intelligence company Recorded Future, identifies espionage as the primary motivation behind North Korea's cyber program, which experts attribute to a desire for economic advantage. 

Recorded Future says over 14 years there have been 273 cyberattacks associated with state-sponsored groups in North Korean society. Over 70% of the respondents stated that they were motivated primarily by the desire to collect information about government entities and countries in neighboring Asia, as well as to use their skill sets to commit high-profile cryptocurrency heists. 

It is clear from the report that Pyongyang intends to gain a better understanding of how its adversaries think. This is done by providing the country with "insight into how its adversaries think" as well as knowledge about technologies that could benefit the North in the event of a conflict. Government agencies are usually the targets of this type of attack, followed by cryptocurrency exchanges, media outlets, financial institutions, defense institutions, and nongovernmental organizations as the next most frequent targets. 

Unlike many other countries, North Korea's government seems much more interested in finding out what other nations think of them and how they can improve. It only takes them a minute or two to gather information that can help them develop nuclear and ballistic missile technology. They steal money to fund their regime. 

According to Anne Neuberger, deputy national security adviser for cyber and emerging technologies under President Biden, North Korea is unique in how it views and uses cryptocurrency. This is because it employs cyber operations to finance its nuclear arsenal. About half of the regime's missile program is financed by cryptocurrency and cyber heists. 

The group's cyber operation targets Japan, Vietnam, and the Middle East as part of its efforts. By attempting to steal secret information from companies and organizations involved in chemical, electronics, manufacturing, aerospace, automotive, healthcare, and other sectors, it is attempting to steal valuable information.

In recent years, North Korean hackers have been reported to have stolen billions of dollars from cryptocurrency exchanges around the world. The greatest threat of this year has so far been the high-profile attacks on exchanges, which have targeted Estonia and California so far. 

There has been an increasing number of instances in which North Korea has been linked to attacks beyond crypto, as well as smaller, more disruptive attacks across the globe, starting with the crippling of Sony Pictures just under a decade ago that put its cyber capabilities in the spotlight. After that, Bangladesh's central bank was hacked, which compromised the Swift global financial transfer system used by the United Kingdom to transfer money, and the National Health Service of the United Kingdom was crippled following the hack. 

Nevertheless, Haszard and his coworkers found that a substantial majority of North Korea's cyber activities are directed at domestic targets to which they do not have access.  

According to the report, 83 percent of the attacks for which spatial information is available occurred in Asia, where the majority of the attacks were targeted. There were 29 countries where attacks took place, most of them being in the immediate neighborhood of South Korea, where almost 65 percent of the targets were located North Korean attacks accounted for 8.5 percent of countries, while only three percent of countries were responsible for more than three percent of total North Korean attacks. 

A study by Recorded Future revealed that Lazarus, the biggest and most prominent group of hackers connected to the authoritarian regime, tends to target global targets but is not the most frequent perpetrator of cyberattacks in the world. A group known as Kimsuky targets Asian governments and civil organizations. This accounts for more than one-third of the group's attacks.

U.S. law enforcement agencies say kinky hackers pose as South Korean journalists. They exchange emails with their targets to set up interviews before sending them a link or document embedded with malware. This is the result of their scam. 

It is believed that the malware, known as BabyShark, can provide hackers with access to the devices and communications of those victims. It was found in a joint cybersecurity advisory published earlier this month by the FBI, National Security Agency, and South Korean authorities that Kimsuky actors had also been known to configure a victim's email account so that all emails were automatically forwarded to another account controlled by them. 

North Korea is increasingly focusing on cyber espionage and information collection to gain an advantage over its adversaries. This raises concerns about its intentions and capabilities in cyberspace. Despite this, the report also confirms that North Korea has demonstrated enhanced flexibility when conducting large-scale disruptions of critical infrastructure or engaging in ransomware campaigns compared to opposing adversaries with cyber capabilities like Russia and China.
Read more »
US Firms
Chinese Hackers cyber espionage Cyber Security Cyber Warfare US Firms

Chinese-Sponsored Hacking Group Targeting Critical U.S. Infrastructure, Microsoft Claims

 

The employment of hackers to gather intelligence data is prevalent in practically every nation on earth. Intelligence organisations like the Fancy Bear and Equation Group are used by both the US and Russia. 

Microsoft Corp. stated last week that Volt Typhon was "pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises." Concern over the relationship between China and the US on Taiwan immediately arose after this statement. Pacific-wide cyberattacks may result from disputes between the US and China.

What precisely is a Volt Typhoon? 

A suspected hacker organisation goes by the name of "Volt Typhoon." The gang is thought to have China's support. The Volt Typhoon is reported to be capable of both digital sabotage and intelligence gathering. 

Is the Volt Typhoon a genuine threat to the infrastructure of the United States, or is it merely a new network of digital spies? 

Potential threats 

The American infrastructure is thought to be seriously threatened by the Volt Typhoon. The following are potential risks to the group: 

Espionage concerns: Spying is a concern for experts. In the midst of tensions over Taiwan, experts believe Volt Typhoon is a group of hackers ready to attack the American infrastructure. 

The assessment of Microsoft is given a "moderate confidence" rating, which denotes that the idea is plausible and backed by reliable sources but is not yet fully supported. Few experts believe there is any proof of sabotage planning, despite the fact that many researchers have discovered and evaluated the group's many elements.

According to Marc Burnard and Secureworks, the Volt Typhoon currently appears to be designed to steal data from organisations that hold information about the U.S. government or military.

Volt Typhoon is known as the "Bronze Silhouette" by Secureworks, and according to Marc Burnard, its primary function is espionage. 

Sneaky storm: Almost all cyber spies try to hide their tracks; Microsoft and other analysts believe Volt Typhoon was a quiet operator who camouflaged its activity by passing it through hijacked network equipment such as residential routers. These are well-planned wiped proof of intrusion from the victim's logs. 

China, on the other hand, has consistently denied any involvement in the Volt Typhoon cyberattack. However, Beijing has been preparing documentation of cyberespionage efforts for more than two decades. Spying has become a major emphasis in the recent decade, since Western experts have linked breaches to specific units of the People's Liberation Army. US law enforcement has indicted a slew of Chinese operatives with eavesdropping on US secrets. 

According to Secureworks in a blog post, the Volt Typhoon's interest in operational security may stem from the US claims, as well as increased pressure from Chinese leaders to refrain from scrutinising cyberespionage acts. 

Mitigation tips

In line with Microsoft's research on Volt Typhoon, spotting an activity that exploits standard sign-in channels and system binaries necessitates behavioural monitoring, and remediation necessitates shutting or resetting credentials for compromised accounts. In these circumstances, Microsoft recommends that security operations teams investigate the activities of compromised accounts for any dangerous actions or exposed data.
Read more »
Subscribe to: Posts (Atom)