Security News
Cybersecurity researchers on Thursday took the wraps off a new cyberespionage group that has been behind a series of targeted attacks against diplomatic entities and telecommunication companies in Africa and the Middle East since at least 2017. Dubbed "BackdoorDiplomacy," the campaign involves targeting weak points in internet-exposed devices such as web servers to perform a panoply of cyber hacking activities, including laterally moving across the network to deploy a custom implant called Turian that's capable of exfiltrating sensitive data stored in removable media.
Secureworks, and Volexity shed light on a new spear-phishing activity unleashed by the Russian hackers who breached SolarWinds IT management software, the U.S. Department of Justice Tuesday said it intervened to take control of two command-and-control and malware distribution domains used in the campaign. Com - were used to communicate and control a Cobalt Strike beacon called NativeZone that the actors implanted on the victim networks.
Cybersecurity researchers from FireEye unmasked additional tactics, techniques, and procedures adopted by Chinese threat actors who were recently found abusing Pulse Secure VPN devices to drop malicious web shells and exfiltrate sensitive information from enterprise networks. FireEye's Mandiant threat intelligence team, which is tracking the cyberespionage activity under two threat clusters, UNC2630 and UNC2717, said the intrusions line up with key Chinese government priorities, adding, "Many compromised organizations operate in verticals and industries aligned with Beijing's strategic objectives outlined in China's recent 14th Five Year Plan."
A previously undocumented backdoor malware, dubbed PortDoor, is being used by a probable Chinese advanced persistent threat actor to target the Russian defense sector, according to researchers. The malware then creates an additional file in %temp% with the hardcoded name "58097616.tmp" and writes the GetTickCount value multiplied by a random number to it: "This can be used as an additional identifier for the target, and also as a placeholder for the previous presence of this malware," researchers explained.
In the evolution of cyber-attacks, I'd argue that while the fundamentals have stayed the same, there have been two major critical changes in the past few years among nation-state and criminal attackers that require us to thoroughly understand and respond in a different manner than in the past. In most of the world and in most industries, we've reached the tipping point in our digital dependence on our IT infrastructure, and it has drawn attackers in.
Researchers with the PRODAFT Threat Intelligence Team took a deep dive into the operations of the SilverFish cyber-espionage group and linked one of its command and control servers with recent high-profile malicious attacks. The investigation, which started from indicators of compromise published for the December 2020 SolarWinds attacks, has led the researchers to identify a new advanced persistent threat group called SilverFish, which has conducted cyber-attacks on at least 4,720 targets worldwide.
The McAfee Advanced Threat Research Strategic Intelligence team has identified an espionage campaign that is specifically targeting telecommunication companies in an attack dubbed "Operation Diànxùn." McAfee researchers Thomas Roccia, Thibault Seret and John Fokker said in a blog post that the malware is using tactics similar to those seen from groups like RedDelta and Mustang Panda. Cybersecurity companies Intsights and Positive Technologies both identified Mustang Panda last year as an advanced persistent threat group behind a number of COVID-19-themed attacks on people in Vietnam and Mongolia.
The advanced persistent threat known as Lazarus Group and other sophisticated nation-state actors are actively trying to steal COVID-19 research to speed up their countries' vaccine-development efforts. That's the finding from Kaspersky researchers, who found that Lazarus Group - widely believed to be linked to North Korea - recently attacked a pharmaceutical company, as well as a government health ministry related to the COVID-19 response.
Incident response teams are scrambling after details emerged late Sunday of a sophisticated espionage campaign leveraging a software supply chain attack that allowed hackers to compromise numerous public and private organizations around the world. Among the victims are multiple US government agencies, including the Treasury and Commerce departments, and cybersecurity giant FireEye, which stunned the industry last week when it revealed that attackers gained access to its Red Team tools.
The MoleRats advanced persistent threat has developed two new backdoors, both of which allow the attackers to execute arbitrary code and exfiltrate sensitive data, researchers said. The DropBook backdoor uses fake Facebook accounts or Simplenote for C2, and both SharpStage and DropBook abuse a Dropbox client to exfiltrate stolen data and to store their espionage tools, according to the analysis, issued Wednesday.