Search This Blog

Showing posts with label APT. Show all posts

Years-Long Attack by Chinese-Linked APT Groups Discovered by McAfee

 

A cyber-attack that had been sitting on the target organization's network for years stealing data was discovered during a McAfee investigation into a suspected malware infection. The sophisticated threat actors utilized a mix of known and novel malware tools in the attack, called Operation Harvest, to infiltrate the victim's IT infrastructure, exfiltrate data, and avoid detection, according to the investigators. McAfee researchers were able to narrow down the list of suspects to two advanced persistent threat (APT) nation-state groups with ties to China during the course of the two-month investigation. 

“Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data,” Christiaan Beek, lead scientist and senior principal engineer for the Enterprise Office of the CTO at McAfee, wrote in a report. 

“The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families,” Beek added. 

The actor gained initial access by compromising the victim's web server, which contained software to maintain the existence and storage of tools needed to acquire information about the victim's network and lateral movement/execution of files, according to forensic investigations. 

Between the operating method of the unique encryption function in the custom backdoor and the code used in the DLL, the adversaries used techniques that are commonly seen in this type of attack, but they also used distinctive new backdoors or variants of existing malware families, almost identical to methods attributed to the Winnti malware family. According to the findings, the adversary was looking to steal proprietary knowledge for military or intellectual property/manufacturing reasons.

McAfee investigators drew out MITRE ATT&CK Enterprise methods, added the tools utilized, and compared the information to previous technique data to figure out who the perpetrators were. They discovered four groups that shared the same tactics and sub-techniques and then used a chart to narrow down the suspects to APT27 and APT41.

“After mapping out all data, TTP’s [tactics, techniques, and procedures] etc., we discovered a very strong overlap with a campaign observed in 2019/2020,” Beek wrote. “A lot of the (in-depth) technical indicators and techniques match. Also putting it into perspective, and over time, it demonstrates the adversary is adapting skills and evolving the tools and techniques being used.”

Chinese Webdav-O Virus Attacked Russian Federal Agencies

 

In 2020, a collection of Chinese state-sponsored threat groups may have been behind a series of targeted attacks on the Russian federal executive authority. The latest study, published by Singapore-based Group-IB, looks into a piece of computer virus known as "Webdav-O" that was discovered in the intrusions, with the cybersecurity firm noticing similarities between the tool and a popular Trojan known as "BlueTraveller," which is linked to a Chinese threat group known as TaskMasters and used in malicious activities with the aim of espionage and plundering confidential documents. 

The report builds on a series of public disclosures in May from Solar JSOC and SentinelOne, both of which revealed a malware called "Mail-O" that was also observed in attacks against Russian federal executive authorities to access the cloud service Mail.ru, with SentinelOne linking it to a variant of another well-known malicious software called "PhantomNet" or "SManager" used by a threat actor dubbed TA428. 

TA428 has been targeting government entities in East Asia since 2013, with a particular focus on those involved in domestic and foreign policy, government information technology, and economic development. Attackers used the Microsoft Equation Editor exploit CVE-2018-0798 to deploy a custom malware called Cotx RAT, according to Proofpoint researchers. This APT gang also employs Poison Ivy payloads, which share command and control (C&C) infrastructure with the newly discovered Cotx attacks.

"Chinese APTs are one of the most numerous and aggressive hacker communities," researchers Anastasia Tikhonova and Dmitry Kupin said. "Hackers mostly target state agencies, industrial facilities, military contractors, and research institutes. The main objective is espionage: attackers gain access to confidential data and attempt to hide their presence for as long as possible."

"The main goal of the hackers was to completely compromise the IT infrastructure and steal confidential information, including documents from closed segments and email correspondence of key federal executive authorities," Solar JSOC noted, adding the "cybercriminals ensured themselves a high level of secrecy through the use of legitimate utilities, undetectable malware, and a deep understanding of the specifics of the work of information protection tools installed in government bodies."

“It is noteworthy that Chinese hacker groups actively exchange tools and infrastructure, but perhaps it is just the case here,” Group-IB points out. The researchers also point out that evidence implies a big hacking force made up of People's Liberation Army intelligence units may be operating out of China, with the numerous Chinese APT groups tracked by threat intelligence agencies being little more than subgroups.

APT Malicious Campaigns Target Asian Entities

 

Researchers from Kaspersky have reported that hundreds of individuals from South East Asia, including Myanmar and the government of the Philippines, are continuously and extensively targeted by advanced persistent threats (APT) activities. 

In the analysis of the cyber-espionage attacks by LuminousMoth against a variety of Asian authorities that began from at least October 2020, analysts of Kaspersky found 100 victims in Myanmar and 1400 in the Philippines. This APT activity cluster, identified by Kaspersky as LuminousMoth, is associated with the HoneyMyte Chinese-speaker Threat Group with medium to high confidence. 

Links discovered, included network infrastructure connections such as command-and-control servers for the deployment of Cobalt Strike beacon payloads by groups and related tactical, techniques, and procedures (TTP). They are also reported to launch large-scale attacks on a substantial population of targets, aimed at impacting only a tiny subset of people that match their interests. 

"The massive scale of the attack is quite rare. It's also interesting that we've seen far more attacks in the Philippines than in Myanmar," Kaspersky GReAT security researcher Aseel Kayal said. "This could be due to the use of USB drives as a spreading mechanism or there could be yet another infection vector that we're not yet aware of being used in the Philippines,” he further added. 

The threat actors are using spear-phishing emails with malicious links from Dropbox which distributes camouflaged RAR archives like Word documents and bundling malware payloads for accessing the systems they are being targeted. 

The malware attempts to move into other systems through removable USB drives, along with the stolen files from previously hacked PCs, after it is carried out on the victim's device. 

The malware from Luminous Moth includes post operating tools that operators may utilize on their victim's networks for subsequent movement: one is disguised in the shadow of a fake Zoom software, while the other is meant to steal browser cookies from Chrome. 

Threat actors exfiltrate data from compromised devices to their command and control servers (C2), which in some situations have been used to circumvent identification by news outlets. 

The malware tries to infect other systems by distributing detachable USB drives once downloaded from one system. If a drive is discovered, the malware creates hidden folders on the drive where all victim data and harmful executables are moved. 

"This new cluster of activity might once again point to a trend we've been witnessing over this year: Chinese-speaking threat actors re-tooling and producing new and unknown malware implants," Kaspersky GReAT senior security researcher Mark Lechtik added.

Job Seeking Engineers Have Become Lazarus Gang’s New Target

 

Amid operations sending malicious documentation to work-seekers, the renowned group Lazarus advanced persistent threat (APT) has been identified. In this case, defense companies are searching for jobs. 

As per a paper published online by AT&T Alien Labs, researchers monitored the activity of Lazarus for months with technical targets in the United States and Europe. 

According to the creator of the report, Fernando Martinez, emails from prominent defense contractors Airbus, General Motors (GM), and Rheinmetall have been sent to potential engineering recruits by the APT purport. 

Word documents with macros that implant malicious code in a victim's PC are included in the emails to prevent detection by changing the target computer settings. 

“The core techniques for the three malicious documents are the same, but the attackers attempted to reduce the potential detections and increase the faculties of the macros,” Martinez wrote. 

Lazarus's operation is the newest thing that targets the field of defense. In February, scientists attributed a 2020 spear-phishing campaign to the APT aiming to acquire key data by using advancing malware named ThreatNeedle from defense organizations. 

Indeed, with Microsoft Office Macros being used and third-party communications infrastructures being jeopardized, Lazarus is written all over the latest attacks that remain 'in line with the earlier Lazarus campaigns' as Martinez said. 

“Attack lures, potentially targeting engineering professionals in government organizations, showcase the importance of tracking Lazarus and their evolution,” he wrote. “We continue to see Lazarus using the same tactic, techniques, and procedures that we have observed in the past.” 

Researchers from AT&T Alien Labs have already seen Lazarus' activities, trying to attract victims to false Boeing and BAE systems jobs. Martinez noted that Twitter users were warned of the current campaign as Twitter users identified various papers related to Lazarus by Rheinmetall, GM, and Airbus from May to June this year. 

Researchers have discovered that campaigns using the three new documents are comparable in communicating with the command and control but that they can do malicious activities in distinct ways. Lazarus has circulated two malicious documents related to the German defense and automotive industry engineering firm Rheinmetall. The second had "more elaborate content," which made it possible for victims to remain unnoticed, noted Martinez. 

One of the distinctive aspects of the macro in the original malicious document is to rename the Microsoft Docs command-line software Certutil to try and disguise its actions. 

“The macro executes the mentioned payload with an updated technique,” Martinez wrote. “The attackers are no longer using Mavinject, but directly executing the payload with explorer.exe, significantly modifying the resulting execution tree.” 

Owing to Lazarus' historically prolific behavior – called the "most active" threat group in 2020 by Kaspersky— the recent attack on technicians "is not expected to be the last," Martinez said. 

Attack tactics that may target technical experts in governmental organizations illustrate the relevance of Lazarus tracking and its progression, Martinez added.

APT: China-Based Threat Group Attacks Pulse Secure VPNs

 

Several hacker groups that are supposed to support Chinese long-term economic goals continue in the defense, high-tech, public, transportation, and financial services industry networks in the US and Europe. 

Many breaches have taken place wherein attacks by Chinese threat actors penetrated Pulse Secure VPN devices to break into an organization's network and steal confidential material. 

Whereas in several other incidents the attackers took full advantage of the Pulse Connect Secure (PCS) (CVE-2021-22893) authentication bypass vulnerability to enter into the victim's network. The intruders also gained control of the combination of previously known vulnerabilities. Meanwhile, last month, a failure in the bypass authentication was detected and rectified. 

Mandiant issued a warning this week – on China's advanced persistent threat (APT) activity for U.S. and European organizations. In the alert, Mandiant had focused on a battery of malware tools used to address vulnerabilities in Pulse Secure VPN devices on two Chinese-based organizations: UNC2630 and UNC2717. Mandiant said that UNC2630 had targeted US military industry groups and UNC2717 had attacked an EU entity. 

"The exploitation activity we have observed is a mix of targeting unpatched systems with CVEs from 2019 and 2020, as well as a previously unpatched 2021 CVE (CVE-2021-22893)," says Stephen Eckels, a reverse engineer at Mandiant. "Since our original report, Pulse Secure and Mandiant have worked together, and the zero-day has since been patched." 

"At this time, Pulse Secure has patched all known vulnerabilities," Eckels added. 

In certain cases, the attackers had set up their local admin accounts on critical Windows servers to operate freely on the target network. Instead of depending on internal endpoints of the security vulnerabilities, they used exclusivity of Pulse Secure web-shells and malware. 

The UNC2630 and UNC2717, according to Mandiant, are just two of the various groups which threaten Pulse Secure VPNs that seem to work for the interest of the Chinese administration. Many of the groups use the same number of instruments, but their strategies and tactics are different. 

There has been no confirmation so far that the threat actors had acquired American data that would provide economic advantages for Chinese enterprises. In particular, a 2012 agreement between President Barack Obama and a Chinese counterpart Xi prohibits cyber espionage of such data. 

"Right now we're not able to say that they haven't, just that we don't have direct evidence that they have violated [the agreement]," Mandiant says. "Some of the affected entities are private companies that would have commercial intellectual property, the theft of which would violate the agreement. We just have not seen direct evidence of that type of data being staged or exfiltrated." 

Mandiant's assessment of the Chinese ferocious ATP activities is coinciding with this week's alert from Microsoft for Nobellum, the Russian menace actor behind the SolarWinds attack and an extensive e-mail campaign. In both cases, cyber espionage seems to be the major motif in support of national strategic objectives.

FBI says Attackers Breached US Local Govt After Hacking a Fortinet Appliance

 

After issuing a cybersecurity advisory warning that APT hacker groups are purposefully targeting vulnerabilities in Fortinet FortiOS, the FBI now warned that after hacking a Fortinet appliance, state-sponsored attackers compromised the webpage of a US local government. 

Fortinet is a multinational security company based in Sunnyvale, California. It creates and sells cybersecurity solutions, which include hardware like firewalls as well as software and services like anti-virus protection, intrusion prevention systems, and endpoint security components.

"As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a web-server hosting the domain for a U.S. municipal government," the FBI's Cyber Division said in a TLP:WHITE flash alert published on 27th May. 

The advanced persistent threat (APT) actors moved laterally around the network after gaining access to the local government organization's server, creating new domain controller, server, and workstation user identities that looked exactly like existing ones. On compromised systems, attackers linked to this ongoing APT harmful activity have created 'WADGUtilityAccount' and 'elie' accounts, according to the FBI.

This APT organization will most likely utilize this access to capture and exfiltrate data from the victims' network, according to the FBI. "The APT actors are actively targeting a broad range of victims across multiple sectors, indicating the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors," the FBI added.

Last month, the FBI and the CISA issued a warning about state-sponsored hacking groups gaining access to Fortinet equipment by exploiting FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. The threat actors are also scanning for CVE-2018-13379 vulnerable devices on ports 4443, 8443, and 10443, and enumerating servers that haven't been patched against CVE-2020-12812 and CVE-2019-5591. 

Once they've gained access to a vulnerable server, they'll use it in subsequent attacks aimed at critical infrastructure networks. "APT actors may use other CVEs or common exploitation techniques—such as spear-phishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks," the two federal agencies said.

"APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns." They further told. 

Kaspersky Discovered Purple Lambert to be a Part of the CIA

 

Kaspersky Lab, a cybersecurity company, has uncovered a new malware that analysts believe is linked to the US Central Intelligence Agency. Multiple antivirus providers obtained a series of malware samples in February 2019, according to Kaspersky experts, some of which cannot be linked to the operation of established APT classes. There were no parallels between these malware strains and malware affiliated with other APT classes.

Although an initial investigation revealed no common code with any previously-known malware samples, Kaspersky recently re-analyzed the files and discovered that “the samples have intersections with coding patterns, style, and techniques that have been used in different Lambert families,” according to the company. Lamberts is Kaspersky's internal codename for tracking CIA hacking operations.

Kasperksy has dubbed this new malware cluster Purple Lambert due to the shared similarity between these recently found samples and previous CIA malware. The malware samples seem to have been collected seven years earlier, in 2014, according to Purple Lambert metadata. Although Kaspersky has not seen any of these samples in the wild, it believes Purple Lambert samples were “most certainly deployed in 2014 and probably as late as 2015.”

“Although we have not found any shared code with any other known malware, the samples have intersections of coding patterns, style and techniques that have been seen in various Lambert families. We therefore named this malware Purple Lambert.” states the APT trends report Q1 2021 published by Kaspersky. “Purple Lambert is composed of several modules, with its network module passively listening for a magic packet. It is capable of providing an attacker with basic information about the infected system and executing a received payload. Its functionality reminds us of Gray Lambert, another user-mode passive listener. Gray Lambert turned out to be a replacement of the kernel-mode passive-listener White Lambert implant in multiple incidents. In addition, Purple Lambert implements functionality similar to, but in different ways, both Gray Lambert and White Lambert.” 

While the Lambert APT (also known as the Longhorn APT) has been present since at least 2008, the first samples were discovered in 2014. The group is extremely advanced, and it has penetrated organisations all over the world with a sophisticated cyberattack network that can hack both Windows and Mac systems. The researchers discovered and studied numerous backdoors and hacking methods that make up the cyberespionage group's arsenal over the years.

Researchers Spotted Two Android Spyware Linked to Confucius

 

Researchers at cybersecurity firm Lookout have published information on two recently discovered Android spyware families utilized by an advanced persistent threat (APT) group named Confucius. Lookout said that two malware strains, named Hornbill and SunBird, have been linked to Confucius, a group thought to be state-sponsored and to have pro-India ties. 

First detected in 2013, Confucius has been linked to assaults against government entities in Southeast Asia, as well as targeted strikes against Pakistani military personnel, Indian election officials, and nuclear agencies. “Hornbill and SunBird have both similarities and differences in the way they operate on an infected device” reads the report published by Lookout. “While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.” 

The team's analysis of the malware recommends that Hornbill is based on MobileSpy, a commercial stalker ware application for remotely observing Android gadgets that were retired in 2018. SunBird, however, seems to have a comparable codebase to BuzzOut, an old type of spyware created in India. Confucius was known to have utilized ChatSpy for surveillance purposes back in 2017, yet it is felt that both Hornbill and SunBird originated before this malware. There doesn't appear to be any new campaigns utilizing SunBird–accepted to have been in active development between 2016 and early 2019; in any case, Hornbill has been found in a rush of assaults dating from December 2020. 

Both malware variations, however, can steal information including gadget identifiers, call logs, WhatsApp voice notes, contact records, and GPS location information. Also, they can request administrator privileges on an undermined gadget, take screenshots and photographs, and record sound both when calls are taking place or just as environmental noise. SunBird's abilities go past Hornbill's as this malware is likewise ready to grab browser histories, calendar information, BlackBerry Messenger (BBM) content, and more extensive WhatsApp content including documents, databases, and pictures. SunBird will likewise attempt to upload stolen information to a command-and-control (C2) server at more normal spans than Hornbill.

Spy Campaign: SideWinder APT Leverages South Asian Border Disputes


The SideWinder advanced persistent threat (APT) group, which seems to be active since 2012, now has started a new malicious activity, wherein the threat actors are leveraging the rising border disputes between developing states namely India-China, India-Nepal, and Nepal-Pakistan. 

The aim of this phishing and malware initiative is to gather sensitive information from its targets, mainly located in two territories, Nepal and Afghanistan. A recent study says the SideWinder group primarily targets victims in South Asia and its surroundings, interestingly this latest campaign is no exception. 

According to the researchers, this phishing and malware initiative is targeting multiple government and military units for countries in the region. The Nepali Ministries of Defense and Foreign Affairs, the Nepali Army, the Afghanistan National Security Council, the Sri Lankan Ministry of Defense, the Presidential Palace in Afghanistan are its prime targets, to name a few. 

Malicious actors are targeting Webmail login pages aimed at harvesting credentials. Actual webmail login pages were copied from their victims and subsequently are being used for phishing, as per the Trend Micro researchers. For instance, “mail-nepalgovnp[.]duckdns[.]org”,  which appears the legitimate domain of Nepal's government, however, it is just tricking people into believing so. 

The Catch

When the users “log in”, they are either directly sent to the actual login pages or redirected to different news pages, documents, which can be related either to political fodder or COVID-19. Researchers noted that some of the pages also include articles titled “China has nothing to do with India, India should see that. Similarly, many articles are being used which includes hot topics from recent ongoing issues between states. 

Cyber Espionage: No Limits? 

"We also found multiple Android APK files on their phishing server. While some of them are benign, we also discovered malicious files created with Metasploit," researchers wrote on Wednesday. They also identified several Android APK files on the phishing server, some of these files were made using Metasploit. 

Reportedly, SideWinder is a very proactive group that made headlines for attacking mobile devices via Binder exploit. This Year many states were being attacked, namely Bangladesh, China, and Pakistan, using files of Corona Virus. 


Updated Malware: Vietnamese Hacking Group Targeting MacOS Users

 

Researchers have discovered a new MacOS backdoor that steals credentials and confidential information. As cyber threats continue to rise, the newly discovered malware is believed to be operated by Vietnamese hacking group OceanLotus, colloquially known as APT 32. Other common names include APT-C-00, SeaLotus, and Cobalt Kitty. 
 
The nation-state backed hacking group has been operating across Asia and is known to target governments, media organizations, research institutes, human rights organizations, corporate sector, and political entities across the Philippines, Laos, Vietnam, and Cambodia. Other campaigns by the hacking group also focused on maritime construction companies. Notably, OceanLotus APT also made headlines for distributing malware through Apps on Google Play along with malicious websites. 
 
The attackers found the MacOS backdoor in a malicious Word document that supposedly came via an email. However, there is no information regarding the targets that the campaign is focusing on. In order to set the attack into motion, the victims are encouraged to run a Zip file appearing to be a Word document (disguised as a Word icon). Upon running the Zip file, the app bundled in it carrying the malware gets installed; there are two files in it, one is the shell script and another one is the Word file. The MacOS backdoor is designed by attackers to provide them with a window into the affected system, allowing them to steal sensitive data.

"Like older versions of the OceanLotus backdoor, the new version contains two main functions: one for collecting operating system information and submitting this to its malicious C&C servers and receiving additional C&C communication information, and another for the backdoor capabilities," TrendMicro explained in a blogpost. 

In an analysis, Researchers told, “When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder’s name shows ‘ALL tim nha Chi Ngoc Canada.doc’ (‘tìm nhà Chị Ngọc’ roughly translates to ‘find Mrs. Ngoc’s house’).”

“However, checking the original .zip file that contains the folder shows three unexpected bytes between ‘.’ and ‘doc’.”


Microsoft discovers Vietnamese Govt sponsored threat actor deploying cryptocurrancy malware

Microsoft on Monday claimed that Vietnamese government-backed hackers have been behind the cryptocurrency-mining malware campaign.

These state-run cyberspies have started additional activities of gaining financial aid along with running government-backed projects. Similar groups have been already reported from Russia, China, and Korea making it difficult to determine whether the campaign is for intelligence gathering or capital gain.  
Discovered by Microsoft Security Intelligence, Bismuth based in Vietnam also known as APT32 and OceanLotus has been active since 2012 doing backhand work for the government like hacking and data/info gathering for political, economic, and foreign policy matters. But, recently Microsoft observed a transformation in their activities earlier in the year.

 "In campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam," Microsoft said in their blog.

Microsoft suspects two theories behind this change: 

One of the reason could be to avoid suspicion and throw light over random crimes like crypto-mining malware and hide their cyber-espionage pursuits. This tactic will help them disguise and decrease security responses. 

Another and the more likely reason Microsoft believes is - it is what it looks like. These groups as they have total immunity from the government are expanding into gaining revenue from the systems they already went through during their spying operations. 

 Crypto-miners usually are suspected to be cybercriminals and not government-sponsored threat actors and are also not taken into account by security in normal routine checkups. But, these APT from the Chinese, Russian, Iranian, and North Korean state have started upside businesses of gaining capital via tactics like crypto-mining. 

 The reason being, since these groups are state-sponsored, they have total immunity. In-home state, they help the government and these countries doesn't have extradition treaties with the US, they can do anything with little or no consequence.

Chinese State-Sponsored Hackers Exploiting Zerologon Vulnerability

 

Chinese state-sponsored threat actors have been observed exploiting the Zerologon vulnerability in a global campaign targeting businesses from multiple industries in Japan and 17 other regions across the world including the United States and Europe. The attacked industries include engineering, automotive, managed service providers, and pharmaceutical. 

According to the information gathered by Symantec’s Broadcom division, these attacks have been attributed to the Cicada group also known as APT10, Cloud Hopper, or Stone Panda. 
 
The attackers are known for their sophistication, in certain cases, they were recorded to have hidden their suspicious acts effectively and remained undetected while operating for around a complete year. Previously, the state-backed actors have stolen data from militaries, businesses, and intelligence, and seemingly, Japanese subsidiaries are their newly found target. 
 
The links between the attacks and Cicada have been drawn based on the similar obfuscation methods and shellcode on loader DLLs to deliver malicious payloads, being used as noticed in the past along with various other similarities like living-off-the-land tools, backdoor QuasarRAT final payloads commonly employed by the hacking group. 
 
"The initial Cloud Analytics alert allowed our threat hunting team to identify further victims of this activity, build a more complete picture of this campaign, and attribute this activity to Cicada," Symantec said in their report. 
 
"The companies hit are, in the main, large, well-known organizations, many of which have links to Japan or Japanese companies, which is one of the main factors tying the victims together," the report further read. 
 
In September, Iranian-sponsored hacking group MuddyWater (MERCURY and SeedWorm) was seen to be actively exploiting Zerologon vulnerability. Another hacking group that exploited Zerologon was the financially-motivated TA505 threat group, also known as Chimborazo.
 
"The affected companies are from manufacturing, construction, and government-related industries, with top victims having around $143 billion, $33 billion and $2 billion yearly revenue," as per a report published by KELA, an Israel based Cybersecurity organization. 

"[M]ore and more threat actors, Advanced APT group and nation-state actors are considering Japanese organizations as valuable targets and are actively attacking them via opportunistic and targeted attacks," KELA further added.

Hackers Use Backdoor to Infiltrate Governments and Companies, Motive, not Money.


According to findings by cybersecurity firms Avast and ESET, an APT (Advanced Persistent Threat) cyberattack targeted companies and government authorities in Central Asia, using backdoors to gain entry into company networks for a long period. The targets involved telecom companies, gas agencies, and one government body in Central Asia. APT attacks, unlike other cyberattacks, don't work for money profits but have different motives.


According to cybersecurity experts, APT attacks are state-sponsored, and their purpose is to get intel on politics and inside information, not money. According to research findings, the hackers responsible for the APT attack in Central Asia is a group from China that uses RAT (Remote Access Tools). The attack was not their first, as experts believe that the same group was responsible for the 2017 cyberattacks against the Russian military and the Belarusian government.

APT attacks remain lowkey 

Unlike ransomware attacks that are famous for infiltrating the company networks, involving some top IT companies, the APT actors like to stay out of the radar and remain unnoticed. The motive of these attacks is not blackmail by having sensitive information. These attacks aim to remain unnoticed for as long as possible, as it allows hackers to have access to the company's network and data. Experts say that they currently don't have substantial evidence about the data that was deleted or manipulated. After the attack, the hackers part away as to avoid any suspicion or identification. Confidential info like Espionage, government policies, and trade, is what these hackers are after.

The cyberattacks are on the rise due to people working from home, giving opportunities to hackers. It has been very tough to protect users from malware attacks in the current times, due to millions of malware. The reason is the COVID-19 pandemic, and the best chance to stay safe from hackers is to be on alert after the pandemic ends. Users should check every link they get, before opening it or passing it to someone else. People working from home should keep their systems and device updated, along with the applications.

China Alleges India for Cyber-attacks Amid the Coronavirus Outbreak. Demands International Cooperation.


China, who is currently battling against the deadly coronavirus epidemic said last Friday that it needs international support from countries across as it is in the midst of an 'exceptional' and 'full-on war' against the deadly virus. The statement arrived after reports of local media claimed that cybercriminals from India had attacked the Chinese hospitals during the coronavirus epidemic. "It appears that Indian hackers had attacked regional health institutes and Chinese hospitals while China was busy fighting the coronavirus epidemic," said a Chinese cybersecurity firm in a statement.


"We have proof that hackers from India attacked Chinese health institutes using 'phishing' e-mails technique," said 360 Technology, a Chinese tech company, in a conversation with a national newspaper, Global Times. In acknowledgment of the comments made, the foreign ministry of China said: "We have to come to this conclusion after considering various reports of local media." "A country which is strictly opposed to cyber hacking of any kind, China, a significant cybersecurity nation, has currently become a victim of hacking," said Hua Chunying, spokesperson, Foreign Ministry of China, last Friday, without mentioning India in the statement.

"It is in these times of misery, that we believe all the countries across the globe should come together as one to fight against this major problem of cyber attacks and hacking. It is only after this would we be able to maintain a safe, secure and helpful cyber world," said Chunying via an e-press conference. She further says: "It is a matter of great concern for China as we are currently amid a crisis of battling a deadly epidemic. Witnessing the current public health emergency, the nations should cooperate to battle this issue."

"Indian hackers have been launching APTs (Advanced Persistent Threat) and attacking Chinese health institutes by sending phishing e-mail schemes," said the company to Global Times. "A suspected group of hackers from India named 'Bitter' have launched APT cyberattacks since March 2019, targeting the Chinese health institutes and research centers, and also the Ministry of Foreign Affairs," said an opinion column from Global Times.

Another Chinese state-sponsored hacking groups discovered - would be the fourth one to be found


A group of cyber security analyst, Intrusion Truth have found their fourth Chinese state-sponsored hacking operation APT 40.
"APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer," the Intrusion Truth team said. "We know that multiple areas of China each have their own APT."
APT stands for Advanced Persistent Threat and is used to describe government supported and sponsored hacking groups. 

Intrusion Truth has previously exposed three government supported APTs, APT3 (believed to operate out of the Guangdong province), APT10 (Tianjin province), and APT17 (Jinan province),  they have now doxed APT40, China's cyber apparatus in the state of Hainan, an island in the South China Sea.

In a blog post, they said they've discovered 13 companies that serve as a front for APT activists. These companies use offline details, overlapping contacts and no online presence except to recruit cyber experts. 

"Looking beyond the linked contact details though, some of the skills that these adverts are seeking are on the aggressive end of the spectrum," the Intrusion Truth team said.

"While the companies stress that they are committed to information security and cyber-defense, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks," they further said. 

APT40 RECRUITMENT MANAGED BY A PROFESSOR

Intrusion Truth was able to link all these companies mentioned above to a single person, a professor in the Information Security Department at the Hainan University.

One of the 13 companies was even headquartered at the university's library. This professor was also a former member of China's military. 

"[Name redacted by ZDNet] appeared to manage a network security competition at the university and was reportedly seeking novel ways of cracking passwords, offering large amounts of money to those able to do so," the anonymous researchers said.Intrusion Truth are pretty credible and have a good track record, US authorities have investigated  two of their three APT expose.