Security News

Google's Threat Analysis Group recently discovered a new tool named Hyperscrape which is able to steal data from mailboxes such as Gmail, Yahoo! or Microsoft Outlook. Hyperscrape is a tool written for Windows systems in.

Facebook parent company Meta disclosed that it took action against two espionage operations in South Asia that leveraged its social media platforms to distribute malware to potential targets. The first set of activities is what the company described as "Persistent and well-resourced" and undertaken by a hacking group tracked under the moniker Bitter APT targeting individuals in New Zealand, India, Pakistan and the U.K. "Bitter used various malicious tactics to target people online with social engineering and infect their devices with malware," Meta said in its Quarterly Adversarial Threat Report.

Media organizations and journalists in the last years have been increasingly targeted by state-sponsored advanced persistent threat actors with a clear purpose: Obtain access to their sensitive information, spy their activities or even identify their sources. Zirconium, a threat actor also known as TA412, has been targeting American journalists since 2021.

A China-based advanced persistent threat group is possibly deploying short-lived ransomware families as a decoy to cover up the true operational and tactical objectives behind its campaigns. The activity cluster, attributed to a hacking group dubbed Bronze Starlight by Secureworks, involves the deployment of post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0.

Two Chinese hacking groups conducting cyber espionage and stealing intellectual property from Japanese and western companies are deploying ransomware as a decoy to cover up their malicious activities. Threat analysts from Secureworks say that the use of ransomware in espionage operations is done to obscure their tracks, make attribution harder, and create a powerful distraction for defenders.

A Chinese advanced persistent threat known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa. Called PingPull, the "Difficult-to-detect" backdoor is notable for its use of the Internet Control Message Protocol for command-and-control communications, according to new research published by Palo Alto Networks Unit 42 today.

A Chinese-speaking hacking group known as LuoYu is infecting victims WinDealer information stealer malware deployed by switching legitimate app updates with malicious payloads in man-on-the-side attacks. LuoYu has switched to abusing the automatic update mechanism of their victims' apps after previously pushing malware in easier to pull-off watering-hole attacks where they would use compromised local news sites as infection vectors.

Cisco Talos Intelligence Group reported a new attack campaign from the infamous cyberespionage threat actor Mustang Panda, also known as Bronze President, RedDelta, HoneyMyte, TA416 or Red Lich with a particular focus on Europe. The downloader now downloads the decoy document from one URL and uses another URL to download the benign executable file, the DLL file and the final PlugX payload. More malware infections.

A new report from Mandiant reveals details about an ongoing cyberespionage operation run by a threat actor dubbed UNC3524, monitored by Mandiant since December 2019. While such targeting may suggest financial motivations, Mandiant believes it's instead motivated by espionage, because the threat actor maintains its access and remains undetected for an order of magnitude longer than the average dwell time of 21 days.

A threat group responsible for sophisticated cyberespionage attacks against U.S. utilities is actually comprised of three subgroups, all with their own toolsets and targets, that have been operating globally since 2018, researchers have found. The group is known not only for targeting U.S. organizations in the utilities sector, but also diplomatic organizations in the Middle East and Africa, according to a report published this week by researchers at security firm ESET. Though it's apparently been active since 2018, TA410 first came up on researchers' radar in 2019, when Proofpoint uncovered a phishing campaign targeting three U.S. companies in the utilities sector that used a novel malware then dubbed LookBack.