Security News > 2022 > February > Experts Warn of Hacking Group Targeting Aviation and Defense Sectors

Entities in the aviation, aerospace, transportation, manufacturing, and defense industries have been targeted by a persistent threat group since at least 2017 as part of a string of spear-phishing campaigns mounted to deliver a variety of remote access trojans on compromised systems.

The use of commodity malware such as AsyncRAT and NetWire, among others, has led enterprise security firm Proofpoint to a "Cybercriminal threat actor" codenamed TA2541 that employs "Broad targeting with high volume messages." The ultimate objective of the intrusions is unknown as yet.

"While TA2541 is consistent in some behaviors, such as using emails masquerading as aviation companies to distribute remote access trojans, other tactics such as delivery method, attachments, URLs, infrastructure, and malware type have changed," Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told The Hacker News.

"Mitigating threats hosted on legitimate services continues to be a difficult vector to defend against as it likely involves implementation of a robust detection stack or policy-based blocking of services which might be business-relevant," DeGrippo said.

With Microsoft announcing plans to turn off macros by default for internet-downloaded files starting April 2022, the move is expected to cause threat actors to step up and shift to other methods should macros become an inefficient method of delivery.

"Further, we regularly observe actors 'containerize' payloads, using archive and image files which also can impact ability to detect and analyze in some environments. As always, threat actors will pivot to use what is effective."

News URL

https://thehackernews.com/2022/02/experts-warn-of-hacking-group-targeting.html