Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label espionage. Show all posts
Vulnerability
China Cybersecurity espionage Ivanti malware VPN Vulnerability

Chinese Cyber Espionage Suspected in New Ivanti VPN Malware Attack

 

A newly discovered cyberattack campaign targeting Ivanti VPN devices is suspected to be linked to a Chinese cyberespionage group. Security researchers believe the attackers exploited a critical vulnerability in Ivanti Connect Secure, which was patched by the Utah-based company in February. The attack is yet another example of how state-backed Chinese threat actors are rapidly taking advantage of newly disclosed vulnerabilities and frequently targeting Ivanti’s infrastructure.

On Thursday, researchers from Mandiant revealed that a group tracked as UNC5221 exploited a stack-based buffer overflow vulnerability to deploy malicious code from the Spawn malware ecosystem—an attack technique often associated with Chinese state-sponsored activity. Mandiant also identified two previously unknown malware families, which they've named Trailblaze and Brushfire. As seen in earlier attacks tied to Chinese hackers, this group attempted to manipulate Ivanti’s internal Integrity Checker Tool to avoid detection.

The vulnerability, officially tracked as CVE-2025-22457, was used to compromise multiple Ivanti products, including Connect Secure version 22.7R2.5 and earlier, the legacy Connect Secure 9.x line, Policy Secure (Ivanti’s network access control solution), and Zero Trust Access (ZTA) gateways. Ivanti released a patch for Connect Secure on February 11, emphasizing that Policy Secure should not be exposed to the internet, and that "Neurons for ZTA gateways cannot be exploited when in production."

Ivanti acknowledged the attack in a statement: "We are aware of a limited number of customers whose appliances have been exploited." The incident follows warnings from Western intelligence agencies about China's increasing speed and aggression in leveraging newly disclosed software vulnerabilities—often before security teams have time to deploy patches.

Many of the devices targeted were legacy systems no longer receiving software updates, such as the Connect Secure 9.x appliance, which reached end-of-support on December 31, 2024. Older versions of the Connect Secure product line, which were set to be replaced by version 22.7R2.6 as of February 11, were also compromised.

This marks the second consecutive year Ivanti has had to defend its products from persistent attacks by suspected Chinese state-backed hackers. Thursday’s advisory from Mandiant and Ivanti highlights a vulnerability separate from the one flagged in late March by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which had allowed attackers to install a Trojan variant linked to Spawn malware in Ivanti systems.
Read more »
WhatsApp
Cyber Attacks espionage Iran Israel spying surveillance Telegram WhatsApp

Iran Spies on Senior Israeli Officials, Launches Over 200 Cyberattacks

Iran Spies on Senior Israeli Officials, Launches Over 200 Cyberattacks

Shin Bet, an Israeli Cybersecurity Service said recently it discovered over 200 Iranian phishing attempts targeting top Israeli diplomats to get personal information. Shin Bet believes the attacks were launched by Iranian actors through Telegram, WhatsApp, and email. 

The threat actors tried to bait targets into downloading infected apps that would give them access to victim devices and leak personal data like location history and residential addresses.

Iran Targeting Israeli Officials

The targeted senior officials include academicians, politicians, media professionals, and others

ShinBet said the stolen information would be used by Iran to launch attacks against Israeli nationals “through Israeli cells they have recruited within the country.” The targets were reached out with an “individually tailored cover story for each victim according to their area of work, so the approach doesn’t seem suspicious.”

In one case, the attacker disguised as a Cabinet Secretary lured the target saying he wanted to coordinate with PM Benjamin Netanyahu. Shin Bet has tracked the targets involved in the campaign and informed them about the phishing attempts. 

“This is another significant threat in the campaign Iran is waging against Israel, aimed at carrying out assassination attacks. We request heightened awareness, as cyberattacks of this type can be avoided before they happen through awareness, caution, suspicion, and proper preventative behavior online,” said a Shin Bet official.

Reasons for attack

Shin Bet “will continue to act to identify Iranian activity and thwart it in advance.” It believes the motive behind the attacks was to manage future attacks on Israeli nationals using information given by Israeli cells recruited by Iran. The campaign is a sign of an escalation between Iran and Israel, the end goal being assassination attempts.

The bigger picture

The recent discovery of phishing campaigns is part of larger targeted campaigns against Israel. In September 2024, 7 Jewish Israelis were arrested for allegedly spying on IDF and Israeli security figures for Iran. 

The Times of Israel reports, “Also in September, a man from the southern city of Ashkelon was arrested on allegations that he was smuggled into Iran twice, received payment to carry out missions on behalf of Tehran, and was recruited to assassinate either Israel’s prime minister, defense minister, or the head of the Shin Bet.”

Read more »
Technology
AI Deep Learning espionage HDMI Technology

Hackers Can Now Intercept HDMI Signals Using Deep Learning

Hackers Can Now Intercept HDMI Signals Using Deep Learning

Secretly intercepting video signals is a very traditional way to do electronic spying, but experts have found a new that puts a frightening twist to it.

A team of experts from Uruguay has found that it's possible to hack electromagnetic radiation from HDMI cables and process the video via AI.

Using deep learning to trace HDMI signals

University of the Republic experts in Montevideo posted their findings on Cornell's ArXiv service. As per the findings, you can train an AI model to interpret minute fluctuations in electromagnetic radiation released from an HDMI cable. “In this work, we address the problem of eavesdropping on digital video displays by analyzing the electromagnetic waves that unintentionally emanate from the cables and connectors, particularly HDMI,” the researchers said.  Despite being a wired standard and digitally encrypted, abundant electromagnetic signals are released from these cables to track without needing direct access.

Detecting and decoding are different, but the experts also found that by pairing an AI model with text recognition software, one can "read" the wireless recorded EM radiation with a surprising 70% accuracy.

It is still distant from a traditional recording, but there's still a 60 percent improvement compared to earlier methods, making it capable of stealing passwords and other sensitive info. One can also do it wirelessly without physical access to attack a computer, from outside a building in real-life situations.

A new method for surveillance

Skimming from wireless electromagnetic signals for spying purposes isn't a new thing. It is a vulnerability called TEMPEST (Transient ElectroMagnetic Pulse Emanation Standard, a very awkward backronym) having links to espionage dating back to World War 2. 

However, because HDMI connections are digital transmissions with some kind of encryption utilizing the HDCP standard, they were not thought to be particularly vulnerable to it. The researchers' AI algorithm-assisted technique of assault (dubbed "Deep-TEMPEST") raises some troubling possibilities.

State-sponsored attacks

According to experts, the system and its related alternatives, are already in use by state-sponsored hackers and industrial espionage threat actors. The advanced nature of the methods and the need to be around the target systems suggest that they won’t cause harm to regular users. However, large businesses or government agencies should be on the lookout, to protect their sensitive data, they should consider EM-shielding measures- especially for the employees and stakeholders working from home. 

“The proposed system is based on widely available Software Defined Radio and is fully open-source, seamlessly integrated into the popular GNU Radio framework. We also share the dataset we generated for training, which comprises both simulated and over 1000 real captures. Finally, we discuss some countermeasures to minimize the potential risk of being eavesdropped by systems designed based on similar principles,” concluded experts in the report.

Read more »
sabotage
Bitkom report China cyber threats Cyber Security cyberattacks increase CyberCrime Data Theft economic damage espionage foreign organizations Russia cyber threats sabotage

Surge in Cyber Attacks on German Businesses Costs Billions of Euros

 

Around 80% of targeted firms have fallen victim to data theft, espionage, or sabotage, according to the German digital industry association Bitkom. Cybercrime is on the rise in Germany, with damages estimated to cost the economy €148 billion annually.

Data released by German authorities on Monday indicated a 28% increase in cyberattacks by foreign organizations in 2023, with significant activity from Russia and China.

German Interior Minister Nancy Faeser highlighted the high threat level in cybersecurity while presenting the national report on cybercrime. Bitkom managing director Bernhard Rohleder added that cyberattacks from Russia had doubled in the past two years, and those from China had increased by 50%.

Rohleder also noted that 80% of German companies targeted experienced data theft, espionage, or sabotage, causing financial damages amounting to €148 billion per year. Most of these attacks were attributed to criminal gangs or foreign intelligence services, targeting key infrastructures such as energy supplies, transport, and hospitals.

The motivations behind these cyberattacks vary. Some cybercriminals seek financial gain, while others, including private individuals, are driven by the desire to cause disruption or simply for amusement.

The report’s release comes amidst heightened concerns ahead of the European Parliament elections in June. Earlier this month, Germany accused Russia of launching cyberattacks against its defense and aerospace sectors, as well as members of the Social Democratic Party, in response to Germany's support for Ukraine.

Interior Minister Faeser emphasized Germany’s resilience, stating, "We will not be intimidated by the Russian regime. We will continue to do everything to protect our democracy from Russian cyber actions and we will continue to support Ukraine."
Read more »
The Mask
Careto Cyber Security espionage Kaspersky The Mask

The Mask: A Resilient Espionage Group Returns After a Decade


An APT group that has been missing for over a decade has reappeared in a cyber-espionage campaign aimed at organizations in Latin America and Central Africa.

The Mask’s history

  1. Origins: The Mask first appeared in 2007, operating with stealth and sophistication.
  2. Vanishing Act: In 2013, the group seemingly vanished, leaving behind a trail of cyber-espionage campaigns.
  3. Unique Victims: Over the years, they targeted around 380 unique victims across 31 countries, including major players like the US, UK, France, Germany, China, and Brazil.

About Careto aka The Mask

The gang "Careto" or "The Mask" began operations in 2007 and suddenly vanished in 2013. During that time, the Spanish-speaking threat actor claimed around 380 unique victims in 31 countries, including the United States, the United Kingdom, France, Germany, China, and Brazil.

Kaspersky researchers, who monitored Careto ten years ago and recently discovered new attacks, classified Careto's former victims as government organizations, diplomatic offices and embassies, energy, oil and gas corporations, research institutions, and private equity firms.

Sophisticated Tailored Methods

According to Kaspersky, Careto group actors use specialized tactics to sneak into both victim environments, maintain persistence, and harvest information.

In both attacks, for example, it appears that the attackers got early access using the organization's MDaemon email server, a software that many small and medium-sized enterprises use. According to Kaspersky, the attackers planted a backdoor on the server, giving them control of the network. They used a driver connected with the HitmanPro Alert malware scanner to sustain persistence.

Careto distributed four multi-modular implants on workstations across each victim's network as part of the attack chain, exploiting a previously undisclosed weakness in a security product utilized by both. Kaspersky's analysis did not specify the security product or weakness that Careto is exploiting in its latest operation. However, the company stated that it has provided comprehensive details about Careto's recent attacks, including tactics, strategies, and procedures, in a private APT report for customers.

The implant

The implants, named "FakeHMP," "Careto2," "Goreto," and the "MDaemon implant," allowed the attackers to carry out a variety of harmful acts in the victim environments. According to Kucherin, the MDaemon implant permitted threat actors to conduct initial reconnaissance, extract system configuration information, and execute commands for lateral movement. 

He emphasizes that threat actors use FakeHMP to record microphones and keyloggers and steal confidential papers and login information. Both Careto2 and Goreto perform keylogging and screenshot capture. Careto2 also facilitates file theft, according to Georgy Kucherin, security researcher at Kaspersky.

Implications and lessons

  1. Vigilance Matters: Organizations must remain vigilant even when APTs go silent. The Mask’s resurgence underscores the need for continuous monitoring.
  2. Advanced Techniques: The group’s ability to exploit zero-day vulnerabilities highlights the importance of robust security measures.
  3. Global Reach: The Mask’s diverse victim pool emphasizes that cyber threats transcend borders.

Read more »
Vulnerability management
China Cyber Security Cyber Threats Cybersecurity Dutch intelligence espionage FortiGate devices Malware Detection RAT Threat actors Vulnerability management

China Caught Deploying Remote Access Trojan Tailored for FortiGate Devices

 

The Military Intelligence and Security Service (MIVD) of the Netherlands has issued a warning regarding the discovery of a new strain of malware believed to be orchestrated by the Chinese government. Named "Coathanger," this persistent and highly elusive malware has been identified as part of a broader political espionage agenda, targeting vulnerabilities in FortiGate devices.

In a recent advisory, MIVD disclosed that Coathanger was employed in espionage activities aimed at the Dutch Ministry of Defense (MOD) in 2023. Investigations into the breach revealed that the malware exploited a known flaw in FortiGate devices, specifically CVE-2022-42475.
Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. 
Unlike some malware that relies on new, undisclosed vulnerabilities (zero-day exploits), Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. However, the advisory emphasizes that it could potentially be used in conjunction with future vulnerabilities in FortiGate devices.

Described as stealthy and resilient, Coathanger evades detection by concealing itself through sophisticated methods, such as hooking system calls to evade detection. It possesses the capability to survive system reboots and firmware upgrades, making it particularly challenging to eradicate.

According to Dutch authorities, Coathanger is just one component of a larger-scale cyber espionage campaign orchestrated by Chinese state-sponsored threat actors. These actors target various internet-facing edge devices, including firewalls, VPN servers, and email servers.

The advisory issued by Dutch intelligence underscores the aggressive scanning tactics employed by Chinese threat actors, who actively seek out both disclosed and undisclosed vulnerabilities in edge devices. It warns of their rapid exploitation of vulnerabilities, sometimes within the same day they are made public.

Given the popularity of Fortinet devices as cyberattack targets, businesses are urged to prioritize patch management. Recent reports from Fortinet highlighted the discovery of two critical vulnerabilities in its FortiSIEM solution, emphasizing the importance of prompt patching.

To mitigate the risk posed by Coathanger and similar threats, intelligence analysts recommend conducting regular risk assessments on edge devices, restricting internet access on these devices, implementing scheduled logging analysis, and replacing any hardware that is no longer supported.
Read more »
tutorials
business protection Cyber Crime Cybersecurity Dark Web data trade espionage hacking services Insider Threats keyloggers network access tools operational data tutorials

The Dark Web: A Hidden Menace for Businesses

 

In recent months, the Indian capital's remote region of Nuh has garnered unwanted attention for its transformation into a cybercrime hub, mirroring the notorious Jamtara region. With over 28,000 cybercrime cases spearheaded by unemployed social engineers, Nuh has firmly entrenched itself in the dark web's criminal ecosystem.

Earlier this year, James Roland Jones, a SpaceX engineer operating under the alias "MillionaireMike," admitted to discreetly purchasing personal information and selling insider tips of an anonymous company on the dark web. This incident highlights the pervasiveness of illicit activities on the dark web, a concealed realm of the internet frequently linked to anonymous crimes.

Unlike the conventional web, the dark web evades search engine indexing and remains inaccessible to standard web browsers. Instead, users employ specialized software like Tor (The Onion Router) to navigate its encrypted pathways. Initially developed by the U.S. government for secure communication, the dark web has since morphed into a haven for criminal enterprises.

The 2019 study "Into the Web of Profit" by criminology professor Dr. Michael McGuire from the University of Surrey revealed that cybercrime has evolved into a thriving economy, generating an annual turnover of $1.5 trillion. Alarmingly, the study also uncovered a 20% surge in harmful dark web listings since 2016. Among these listings, a staggering 60% pose a direct threat to businesses. Dr. McGuire identified 12 domains where enterprises face the risk of compromised data or network breaches.

Common Threats Posed by the Dark Web

1. Illicit Data Trade: The dark web serves as a marketplace for stolen personal data, including login credentials, intellectual property, credit card details, and other confidential information. This stolen data fuels malicious activities and identity theft, often sold to the highest bidder.

2. Competitive Intelligence and Espionage: The clandestine nature of the dark web provides a fertile ground for competitors to gather intelligence on each other, often through industrial espionage, where trade secrets and confidential data are illicitly acquired.

3. nsider Threats:The dark web can entice insiders within organizations with financial rewards to reveal confidential information or aid in cyberattacks.

4. Hacking Services: The dark web offers a vast array of hacking services, ranging from customized malware to phishing kits, empowering attackers to execute sophisticated cyberattacks.

5. Operational Data, Network Access Tools, Tutorials, and Keyloggers: These resources are readily available on the dark web, enabling attackers to gather sensitive information, gain unauthorized access to networks, and monitor user activity.

Protecting Your Business from the Dark Web's Shadows

1. Stay Informed: Familiarize yourself with the latest dark web trends and threats to proactively identify potential risks.

2. Implement Robust Cybersecurity Measures: Employ strong passwords, multi-factor authentication, and network security solutions to safeguard your organization's data and systems.

3. Educate Employees: Train employees on cybersecurity best practices, including recognizing phishing attempts and handling sensitive data with care.

4. Engage Cybersecurity Experts: Collaborate with experienced IT professionals to assess your business requirements and develop tailored cybersecurity strategies.

5. Monitor Dark Web Activity: Utilize specialized tools and services to monitor the dark web for mentions of your organization or stolen data related to your business.

By staying vigilant, implementing robust cybersecurity measures, and educating employees, businesses can effectively mitigate the risks posed by the dark web and protect their valuable assets. Remember, knowledge is your shield in the digital realm.
Read more »
Subscribe to: Posts (Atom)