Security News
It's one thing for APT groups to conduct cyber espionage to meet their own financial objectives. "The cybercriminal group infiltrated the company using a tainted and specially crafted plugin for Autodesk 3ds Max," Bitdefender researchers said in a report released today.
It's one thing for APT groups to conduct cyber espionage to meet their own financial objectives. "The cybercriminal group infiltrated the company using a tainted and specially crafted plugin for Autodesk 3ds Max," Bitdefender researchers said in a report released today.
According to a Thursday advisory by the National Security Agency and the Federal Bureau of Investigation, the malware especially represents a threat to national security systems such as the Department of Defense and Defense Industrial Base customers that use Linux systems. "Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control server," according to a 45-page deep-dive analysis of the malware published Thursday [PDF] by the FBI and NSA. "When deployed on a victim machine, the Drovorub implant provides the capability for direct communications with actor controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as 'root'; and port forwarding of network traffic to other hosts on the network."
The China-based APT known as CactusPete has returned with a new campaign aimed at military and financial targets in Eastern Europe, which is a new geography for the group's victimology, according to researchers. CactusPete is a Chinese-speaking APT group that has been publicly known since at least 2013, according to the blog post.
Group-IB security researchers have identified an advanced persistent threat group that has launched at least 26 targeted attacks since 2018. Presumably Russian-speaking, the group targeted victims in Canada, Germany, Norway, Russia, Ukraine, and the United Kingdom.
Recent attacks associated with the threat actor known as StrongPity appear to focus on the Kurdish community in Turkey and Syria, Bitdefender security researchers say. Despite the publishing of several reports detailing its activities, the threat actor remains active and continues to target victims in various regions, including Colombia, India, Canada and Vietnam, Cisco Talos reveals.
Report on espionage attacks using LinkedIn as a vector for malware, with details and screenshots. They talk about "Several hints suggesting a possible link" to the Lazarus group, but that's by no means definite.
Organizations in the aerospace and military sectors were compromised in a highly targeted cyber-espionage campaign that shows a possible link to North Korean hackers, ESET reveals. The threat actor behind these attacks remains unknown, but ESET believes it could be linked to the infamous North Korean state-sponsored group Lazarus, based on targeting, the use of fake LinkedIn accounts, development tools, and anti-analysis methods.
"The dated nature of this binary coupled with the extensible nature of the malware code suggests that the FlowCloud code base has been under development for numerous years," the analysts wrote, adding that "Development of this malware around legitimate QQ files and the identification of malware samples uploaded to VirusTotal from Japan in December 2018 and earlier this year from Taiwan indicate that the malware may have been active for some time in Asia prior to its appearance targeting the U.S. utilities sector." Several campaigns delivering the LookBack malware were aimed at U.S. utilities over last summer and the fall as well, and, based on shared attachment macros, identical malware installation techniques and overlapping delivery infrastructure, Proofpoint believes the LookBack and FlowCloud malware can be attributed to a single threat actor, TA410.
A Chinese threat actor has developed new capabilities to target air-gapped systems in an attempt to exfiltrate sensitive data for espionage, according to a newly published research by Kaspersky yesterday. "One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data," Kaspersky said.