Security News

New BendyBear APT malware gets linked to Chinese hacking group
2021-02-09 18:09

Unit 42 researchers today have shared info on a new polymorphic and "Highly sophisticated" malware dubbed BendyBear, linked to a hacking group with known ties to the Chinese government. The malware has features and behavior that strongly resemble those of the WaterBear malware family, active since at least as early 2009.

Hezbollah-Linked Lebanese Cedar APT Infiltrates Hundreds of Servers
2021-02-01 21:18

Advanced persistent threat group Lebanese Cedar has compromised at least 250 public-facing servers since early 2020, researchers said, with its latest malware. The group has added new features to its custom "Caterpillar" webshell and the "Explosive RAT" remote access trojan, both of which researchers at ClearSky Security said they linked to the compromise of the public servers [PDF], which allowed widespread espionage.

SolarWinds Hack Potentially Linked to Turla APT
2021-01-11 17:53

New details on the Sunburst backdoor used in the sprawling SolarWinds supply-chain attack potentially link it to previously known activity by the Turla advanced persistent threat group. "After the Sunburst malware was first deployed in February 2020, Kazuar continued to evolve and later 2020 variants are even more similar, in some respects, to Sunburst," the firm noted in an analysis published on Monday.

Kaspersky Connects SolarWinds Attack Code to Known Russian APT Group
2021-01-11 13:47

Researchers have identified some similarities between the Sunburst malware used in the SolarWinds supply chain attack and Kazuar, a backdoor that appears to have been used by the Russia-linked cyber-espionage group known as Turla. On Monday, Kaspersky reported finding an interesting link between the Sunburst malware delivered by the SolarWinds attackers and Kazuar, a.NET backdoor that has been around since at least 2015 and which was first detailed in 2017 by Palo Alto Networks.

Sunburst backdoor shares features with Russian APT malware
2021-01-11 09:07

Kaspersky researchers found that the Sunburst backdoor, the malware deployed during the SolarWinds supply-chain attack, shows shared features with Kazuar, a.NET backdoor tentatively linked to the Russian Turla hacking group. Kazuar is one of the tools used during past Turla operations and, according to Kaspersky, it shares several of its features with the malware created by the group behind the SolarWinds hack.

APT Horoscope
2021-01-08 20:19

This delightful essay matches APT hacker groups up with astrological signs. This is me: Capricorn is renowned for its discipline, skilled navigation, and steadfastness. Just like Capricorn, Helix...

China's APT hackers move to ransomware attacks
2021-01-04 09:36

Security researchers investigating a set of ransomware incidents at multiple companies discovered malware indicating that the attacks may be the work of a hacker group believed to operate on behalf of China. Although the attacks lack the sophistication normally seen with advanced threat actors, there is strong evidence linking them to APT27, a group normally involved in cyber espionage campaigns, also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse.

CISA: APT group behind US govt hacks used multiple access vectors
2020-12-17 12:48

The US Cybersecurity and Infrastructure Security Agency said that the APT group behind the recent compromise campaign targeting US government agencies used more than one initial access vector. "CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available," the agency said.

MoleRats APT Returns with Espionage Play Using Facebook, Dropbox
2020-12-10 17:50

The MoleRats advanced persistent threat has developed two new backdoors, both of which allow the attackers to execute arbitrary code and exfiltrate sensitive data, researchers said. The DropBook backdoor uses fake Facebook accounts or Simplenote for C2, and both SharpStage and DropBook abuse a Dropbox client to exfiltrate stolen data and for storing their espionage tools, according to the analysis, issued Wednesday.

SideWinder APT Targets Nepal, Afghanistan in Wide-Ranging Spy Campaign
2020-12-09 19:53

"We identified a server used to deliver a malicious.lnk file and host multiple credential-phishing pages," wrote researchers, in a Wednesday posting. On the email front, researchers found that many malicious initial files are being used in the campaign, including a.lnk file that in turn downloads an.