Security News

State-sponsored hackers affiliated with Russia are behind a new series of intrusions using a previously undocumented implant to compromise systems in the U.S., Germany, and Afghanistan. Cisco Talos attributed the attacks to the Turla advanced persistent threat group, coining the malware "TinyTurla" for its limited functionality and efficient coding style that allows it to go undetected.

A new advanced persistent threat has been behind a string of attacks against hotels across the world, along with governments, international organizations, engineering companies, and law firms. Slovak cybersecurity firm ESET codenamed the cyber espionage group FamousSparrow, which it said has been active since at least August 2019, with victims located across Africa, Asia, Europe, the Middle East, and the Americas, spanning several countries such as Burkina Faso, Taiwan, France, Lithuania, the U.K., Israel, Saudi Arabia, Brazil, Canada, and Guatemala.

A cyberespionage group dubbed "FamousSparrow" by researchers has taken flight, targeting hotels, governments and private organizations around the world with a custom backdoor called, appropriately, "SparrowDoor." It's one of the advanced persistent threats that targeted the ProxyLogon vulnerabilities earlier this year, according to ESET, though its activity has only recently come to light. According to the firm, the backdoor's malicious actions include the ability to: rename or delete files; create directories; shut down processes; send information such as file attributes, file size and file write time; exfiltrate the content of a specified file; write data to a specified file; or establish an interactive reverse shell.

It's not entirely certain that FamousSparrow represents a wholly new APT group. While the SparrowDoor tool appears to be exclusive and suggests a new player, the researchers found potential links between FamousSparrow and existing APT groups - including the use of the Motnug loader known to have been used by a group dubbed SparklingGoblin and a SparrowDoor-compromised machine seen to be connecting to a command and control server connected to the DRDControl group.

The Turla advanced persistent threat group is back with a new backdoor used to infect systems in Afghanistan, Germany and the U.S., researchers have reported. On Tuesday, Cisco Talos researchers said that they've spotted infections they attributed to the Turla group - a Russian-speaking APT. Those attacks are "Likely" using a stealthy, "Second-chance" backdoor to maintain access to infected devices, they noted.

The FBI, CISA and the U.S. Coast Guard Cyber Command warned today that state-backed advanced persistent threat actors are likely among those who've been actively exploiting a newly identified bug in a Zoho single sign-on and password management tool since early last month. At issue is a critical authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus platform that can lead to remote code execution and thus open the corporate doors to attackers who can run amok, with free rein across users' Active Directory and cloud accounts.

The advanced persistent threat group is new, according to researchers who dubbed it SparklingGoblin. SparklingGoblin, according to ESET researchers who named and discovered the crime group and backdoor, is an offshoot of another APT Winnti Group, first identified in 2013 by Kaspersky.

In a new report, Proofpoint details how the group TA456, associated with the Iranian Revolutionary Guard, invested years in developing the false profile of a fantasy woman named Marcella Flores, an impossibly shiny haired aerobics instructor from the U.K., to rein in unsuspecting targets. Starting about eight months ago, Proofpoint found TA456 used the Marcella Flores profile to slowly build a relationship with someone who worked for a subsidiary of an aerospace defense contractor in the U.S. Over the months, Marcella shared many emails, pictures and even a video to build trust.

A new highly capable and persistent threat actor has been targeting major high-profile public and private entities in the U.S. as part of a series of targeted cyber intrusion attacks by exploiting internet-facing Microsoft Internet Information Services servers to infiltrate their networks. "TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine's memory and leaves little-to-no trace on infected targets," the researchers said.

An advanced persistent threat actor has been tracked in a new campaign deploying Android malware via the Syrian e-Government Web Portal, indicating an upgraded arsenal designed to compromise victims. "To the best of our knowledge, this is the first time that the group has been publicly observed using malicious Android applications as part of its attacks," Trend Micro researchers Zhengyu Dong, Fyodor Yarochkin, and Steven Du said in a technical write-up published Wednesday.