Security News

APT hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions. In 2020, Chetan Nayak, an ex-red teamer at Mandiant and CrowdStrike, released Brute Ratel Command and Control Center as an alternative to Cobalt Strike for red team penetration testing engagements.

An advanced persistent threat group dubbed ToddyCat has been targeting Microsoft Exchange servers throughout Asia and Europe for more than a year, since at least December 2020. At the time, the hacking group exploited the ProxyLogon Exchange flaws that allowed them to gain remote code execution on vulnerable servers to deploy China Chopper web shells.

Just a few days after news of attempted use of a new variant of the Industroyer malware comes a warning from the US Cybersecurity and Infrastructure Security Agency: Certain APT actors have exhibited the capability to gain full system access to multiple industrial control system/supervisory control and data acquisition devices. These tools may allow attackers to compromise and control Schneider Electric programmable logic controllers, OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture servers.

A China-based threat group is likely running a month-long campaign using a variant of the Korplug malware and targeting European diplomats, internet service providers and research institutions via phishing lures that refer to Russia's invasion of Ukraine and COVID-19 travel restrictions. The ongoing campaign was first seen in August 2021 and is being tied to Mustang Panda - a Chinese APT unit also known as TA416, RedDelta and PKPLUG - due to similar code and common tactics, techniques and procedures used by the group in the past, according to researchers with the cybersecurity firm ESET. Mustang Panda is known for targeting governmental entities and non-governmental organizations, with most of its victims being in East and Southeast Asia.

A Russian-speaking ransomware outfit likely targeted an unnamed entity in the gambling and gaming sector in Europe and Central America by repurposing custom tools developed by other APT groups like Iran's MuddyWater, new research has found. The unusual attack chain involved the abuse of stolen credentials to gain unauthorized access to the victim network, ultimately leading to the deployment of Cobalt Strike payloads on compromised assets, said Felipe Duarte and Ido Naor, researchers at Israeli incident response firm Security Joes, in a report published last week.

The Federal Bureau of Investigation warned of an advanced persistent threat compromising FatPipe router clustering and load balancer products to breach targets' networks. "As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN device software going back to at least May 2021," the FBI said in a flash alert issued this week.

State-sponsored hackers affiliated with Russia are behind a new series of intrusions using a previously undocumented implant to compromise systems in the U.S., Germany, and Afghanistan. Cisco Talos attributed the attacks to the Turla advanced persistent threat group, coining the malware "TinyTurla" for its limited functionality and efficient coding style that allows it to go undetected.

It's not entirely certain that FamousSparrow represents a wholly new APT group. While the SparrowDoor tool appears to be exclusive and suggests a new player, the researchers found potential links between FamousSparrow and existing APT groups - including the use of the Motnug loader known to have been used by a group dubbed SparklingGoblin and a SparrowDoor-compromised machine seen to be connecting to a command and control server connected to the DRDControl group.

A sub-group of the 'Molerats' threat-actor has been using voice-changing software to successfully trick targets into installing malware, according to a warning from Cado Security. In recent attacks targeting political opponents, APT-C-23 appears to have taken the spear-phishing to a new level, through the use of voice-changing software to pose as women.

Google has added new details on a pair of exploit servers used by a sophisticated threat actor to hit users of Windows, iOS and Android devices. Malware hunters at Google continue to call attention to a sophisticated APT group that burned through at least 11 zero-days exploits in less than a year to conduct mass spying across a range of platforms and devices.