Security News

Turkish hackers Sea Turtle expand attacks to Dutch ISPs, telcos
2024-01-08 20:38

The Turkish state-backed cyber espionage group tracked as Sea Turtle has been carrying out multiple spying campaigns in the Netherlands, focusing on telcos, media, internet service providers, and Kurdish websites. Previously, Sea Turtle, also known as Teal Kurma and Cosmic Wolf, focused on the Middle Eastern region, as well as Sweden and the United States, using techniques like DNS hijacking and traffic redirection to perform man-in-the-middle attacks against government and non-government organizations, media, ISPs, and IT service providers.

Google wins court order to force ISPs to filter botnet traffic
2023-04-28 19:59

A US court has recently unsealed a restraining order against a gang of alleged cybercrooks operating outside the country, based on a formal legal complaint from internet giant Google. Interestingly, the court order also authorises Google to identify network providers whose services directly or indirectly make this criminality possible, and to "[request] that those persons and entities take reasonable best efforts" to stop the malware and the data theft in its tracks.

New hacking group ‘Metador’ lurking in ISP networks for months
2022-09-25 14:16

The group uses two Windows-based malware platforms that have been described as "extremely complex", but there are indications of Linux malware, too. Researchers at SentinelLabs discovered Metador in a telecommunications company in the Middle East that had already been breached by about ten other threat actors originating from China and Iran, among them Moshen Dragon and MuddyWater.

Researchers Uncover New Metador APT Targeting Telcos, ISPs, and Universities
2022-09-23 13:25

The cybersecurity firm codenamed the group Metador in reference to a string "I am meta" in one of their malware samples and because of Spanish-language responses from the command-and-control servers. The threat actor is said to have primarily focused on the development of cross-platform malware in its pursuit of espionage aims.

Spyware vendor targets iOS and Android in Italy and Kazakhstan, collaborates with ISP
2022-06-27 13:41

The iOS application does not trigger any alert since it is signed with a certificate from a company named 3-1 Mobile SRL, enrolled in the Apple Developer Enterprise Program. The Android malicious software requires the targeted user to allow the installation of applications from unknown sources.

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware
2022-06-26 22:57

A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Necessary changes have been implemented in Google Play Protect - Android's built-in malware defense service - to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group said in a Thursday report.

Spyware vendor works with ISPs to infect iOS and Android users
2022-06-23 17:07

Google's Threat Analysis Group revealed today that RCS Labs, an Italian spyware vendor, has received help from some Internet service providers to infect Android and iOS users in Italy and Kazakhstan with commercial surveillance tools. RCS Labs is just one of more than 30 spyware vendors whose activity is currently tracked by Google, according to Google TAG analysts Benoit Sevens and Clement Lecigne.

Google shut down caching servers at two Russian ISPs
2022-05-26 13:26

Two Russian internet service providers have received notices from Google that the global caching servers on their network have been disabled. A caching server is an ISP-bound node for serving Google content faster to internet subscribers and maintaining high access reliability even during outages.

FTC to force ISP to deploy fiber for 60K users to match speed claims
2022-05-05 17:43

The Federal Trade Commission today proposed an order requiring Connecticut-based internet service provider Frontier Communications to stop "lying" to its customers and support its high-speed internet claims. "Today's proposed order requires Frontier to back up its high-speed claims. It also arms customers lured in by Frontier's lies with free, easy options for dropping their slow service."

New cyberespionage campaign targeting ISPs, research entities
2022-03-24 09:41

ESET Research discovered a still-ongoing cyberespionage campaign using a previously undocumented Korplug variant by the Mustang Panda APT group. The current campaign exploits the war in Ukraine and other European news topics.