Security News

The researchers attributed the campaign, with "Moderate-to-high confidence," to the Winnti group. Winnti is "An exceptionally capable adversary" that is "Believed to be operating on behalf of Chinese state interests and specializes in cyberespionage and intellectual property theft."

A threat group responsible for sophisticated cyberespionage attacks against U.S. utilities is actually comprised of three subgroups, all with their own toolsets and targets, that have been operating globally since 2018, researchers have found. The group is known not only for targeting U.S. organizations in the utilities sector, but also diplomatic organizations in the Middle East and Africa, according to a report published this week by researchers at security firm ESET. Though it's apparently been active since 2018, TA410 first came up on researchers' radar in 2019, when Proofpoint uncovered a phishing campaign targeting three U.S. companies in the utilities sector that used a novel malware then dubbed LookBack.

The U.S. government on Wednesday warned of nation-state actors deploying specialized malware to maintain access to industrial control systems and supervisory control and data acquisition devices. "The APT actors have developed custom-made tools for targeting ICS/SCADA devices," multiple U.S. agencies said in an alert.

Threat actors have built and are ready to deploy tools that can take over a number of widely used industrial control system devices, which spells trouble for critical infrastructure providers-particularly those in the energy sector, federal agencies have warned. In a joint advisory, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the FBI caution that "Certain advanced persistent threat actors" have already demonstrated the capability "To gain full system access to multiple industrial control system/supervisory control and data acquisition devices," according to the alert.

Just a few days after news of attempted use of a new variant of the Industroyer malware comes a warning from the US Cybersecurity and Infrastructure Security Agency: Certain APT actors have exhibited the capability to gain full system access to multiple industrial control system/supervisory control and data acquisition devices. These tools may allow attackers to compromise and control Schneider Electric programmable logic controllers, OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture servers.

A China-based threat group is likely running a month-long campaign using a variant of the Korplug malware and targeting European diplomats, internet service providers and research institutions via phishing lures that refer to Russia's invasion of Ukraine and COVID-19 travel restrictions. The ongoing campaign was first seen in August 2021 and is being tied to Mustang Panda - a Chinese APT unit also known as TA416, RedDelta and PKPLUG - due to similar code and common tactics, techniques and procedures used by the group in the past, according to researchers with the cybersecurity firm ESET. Mustang Panda is known for targeting governmental entities and non-governmental organizations, with most of its victims being in East and Southeast Asia.

The Chinese advanced persistent threat Mustang Panda has upgraded its espionage campaign against diplomatic missions, research entities and internet service providers - largely in and around Southeast Asia. For one thing, the APT has deployed a brand-new, customized variant of an old but powerful remote-access tool called PlugX, according to researchers from ESET. They named this latest variant "Hodur," after a blind Norse god known for slaying his thought-to-be-invulnerable half-brother Baldr.

A Chinese-speaking advanced persistent threat (APT) has been linked to a new campaign targeting gambling-related companies in South East Asia, particularly Taiwan, the Philippines, and Hong Kong....

A DarkHotel phishing campaign breached luxe hotel networks, including Wynn Palace and the Grand Coloane Resort in Macao, a new report says. An advanced persistent threat group has been targeting luxury hotels in Macao, China with a spear-phishing campaign aimed at breaching their networks and stealing the sensitive data of high-profile guests staying at resorts, including the Grand Coloane Resort and Wynn Palace.

The modular botnet known as Cyclops Blink, linked to the same advanced persistent threat behind the NotPetya wiper attacks, is expanding its device targeting to include ASUS routers. "Our investigation shows that there are more than 200 Cyclops Blink victims around the world. Typical countries of infected WatchGuard devices and ASUS routers are the United States, India, Italy, Canada, and a long list of other countries, including Russia."