Showing posts with label Cyberespionage.

New Cyber Espionage Group Targeting Ministries of Foreign Affairs

 

Researchers on Thursday unveiled a new cyber espionage group that is behind a series of targeted operations against diplomatic entities and telecommunication corporations in Africa and the Middle East since at least 2017.

The campaign, dubbed "BackdoorDiplomacy," involves exploiting flaws in internet-exposed devices such as web servers to carry out various hacking operations, including moving laterally across the network to execute a custom implant called Turian, which is capable of exfiltrating sensitive data stored on removable media.

Jean-Ian Boutin, head of threat research at Slovak cybersecurity firm ESET, said, "BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S."

The cross-platform group, which targets both Windows and Linux operating systems, singles out management interfaces for networking equipment and servers with internet-exposed ports, most likely abusing unpatched flaws to deploy the China Chopper web shell for initial access, which is then used to conduct reconnaissance and install the backdoor.

F5 BIG-IP devices (CVE-2020-5902), Microsoft Exchange servers, and Plesk web hosting control panels are among the systems affected. Victims have been identified in the foreign ministries of many African countries, as well as in Europe, the Middle East, and Asia. Furthermore, telecom carriers in Africa and in at least one Middle Eastern country have also been hit.

The researchers stated, "In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult."

BackdoorDiplomacy is also believed to overlap with previously reported campaigns operated by a Chinese-speaking group that Kaspersky tracks as "CloudComputating."

According to ESET researchers, apart from its features to gather system information, take screenshots, and carry out file operations, Turian's network encryption protocol is nearly identical to that used by WhiteBird, a C++ backdoor operated by an Asia-based threat actor named Calypso that was installed within diplomatic organizations in Kazakhstan and Kyrgyzstan in the same timeframe as BackdoorDiplomacy.

Chinese APT Actors Attack Russian Defense In An Espionage Attack

A previously undocumented backdoor, called PortDoor, is probably being used by Chinese APT (advanced persistent threat) hackers to attack the Russian defense sector, according to reports. Cybersecurity firm Cybereason Nocturnus looked into hackers specifically targeting Rubin Design Bureau, an organization that builds submarines for the Russian Navy. The main target was a director general named Igor Vladimirovich, who received a phishing email, experts say. The attack started with the "RoyalRoad weaponizer," also known as the RTF exploit builder or 8.t Dropper, which, according to cybersecurity experts, is a tool used by Chinese APTs such as Tick, Tonto Team and TA428 to orchestrate their attacks.


RoyalRoad makes weaponized RTF documents that exploit vulnerabilities (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802) in Microsoft's Equation Editor. RoyalRoad's use in the attack is the reason why Chinese hackers are suspected of being behind it. Cybereason's analysis said, "the accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests."

A Subtle Spying Malware 

Experts found that opening the malicious RTF file drops a previously unseen PortDoor sample, which is carefully built for stealth. It has various functions that include spying, target profiling, delivering additional payloads, process manipulation, privilege escalation, AES-encrypted data exfiltration, static antivirus detection evasion, one-byte XOR encryption and much more. Once deployed, the backdoor decodes its strings with a hard-coded 0xfe XOR key in order to obtain its configuration information, which includes the C2 server address, a target identifier, and other minor details.

The Cybereason report said, "the backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports." "Lastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor," the researchers concluded. "We hope that as time goes by, and with more evidence gathered, the attribution could be more concrete."
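As an added example that is not part of the original post or of Cybereason's analysis, the block below shows how an analyst triaging a sample like PortDoor recovers a single-byte-XOR-obfuscated configuration blob. The 0xfe key is the one the report mentions; the pipe-separated config layout, the field names, the sample bytes and the `sleep=` crib are all constructed for illustration and are not taken from a real sample. The second routine goes beyond the page's case: when the key is not known in advance, a known-plaintext crib (a field name the config is expected to contain) recovers it without brute force.

```python
"""Added example (not from the Cybereason report): decoding a
single-byte-XOR-obfuscated configuration blob the way an analyst would
while triaging a sample like PortDoor. The 0xfe key is the one the
report mentions; the config field layout and the bytes below are
constructed for illustration, not taken from a real sample."""
from typing import List

HARDCODED_KEY = 0xFE

# Constructed plaintext config; the '|'-separated layout is an assumption.
CONSTRUCTED_CONFIG = b"c2.example.invalid:443|victim-id-0001|sleep=30"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


# What the blob looks like at rest inside the binary (constructed).
OBFUSCATED_CONFIG = xor_bytes(CONSTRUCTED_CONFIG, HARDCODED_KEY)


def decode_config(blob: bytes, key: int = HARDCODED_KEY) -> dict:
    """Apply the known key and split the result into named fields."""
    fields = xor_bytes(blob, key).decode("ascii", errors="replace").split("|")
    return {
        "c2": fields[0],
        "victim_id": fields[1] if len(fields) > 1 else "",
        "extra": fields[2:],
    }


def recover_keys(blob: bytes, crib: bytes) -> List[int]:
    """Known-plaintext key recovery for when the key is *not* known.

    Slide the crib (a string the config is expected to contain, e.g. a
    field name) over the blob; at each offset the first byte fixes a
    candidate key, which is accepted only if it also explains the rest
    of the crib. Returns every key that is consistent at some offset.
    """
    keys: List[int] = []
    for offset in range(len(blob) - len(crib) + 1):
        key = blob[offset] ^ crib[0]
        if all(blob[offset + j] ^ key == crib[j] for j in range(len(crib))):
            if key not in keys:
                keys.append(key)
    return keys


def triage(blob: bytes, crib: bytes = b"sleep=") -> dict:
    """Recover the key from the crib, then decode the configuration."""
    candidates = recover_keys(blob, crib)
    if not candidates:
        raise ValueError("crib not found under any single-byte key")
    return {"key": candidates[0], "config": decode_config(blob, candidates[0])}


if __name__ == "__main__":
    result = triage(OBFUSCATED_CONFIG)
    print(f"key=0x{result['key']:02x}  c2={result['config']['c2']}")
```

The crib approach is preferred over scoring all 256 keys by printable-character counts, because several keys can produce fully printable output from a short config and the highest-scoring one is not always the right one; a field name the analyst has already seen in the sample pins the key down unambiguously.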

Kaspersky Discovered Purple Lambert to be a Part of the CIA

 

Kaspersky Lab, a cybersecurity company, has uncovered new malware that analysts believe is linked to the US Central Intelligence Agency. Multiple antivirus providers obtained a series of malware samples in February 2019, according to Kaspersky experts, some of which could not be linked to the operations of known APT groups. There were no parallels between these malware strains and malware affiliated with other APT groups.

Although an initial investigation revealed no common code with any previously-known malware samples, Kaspersky recently re-analyzed the files and discovered that “the samples have intersections with coding patterns, style, and techniques that have been used in different Lambert families,” according to the company. Lamberts is Kaspersky's internal codename for tracking CIA hacking operations.

Kaspersky has dubbed this new malware cluster Purple Lambert due to the similarity between these recently found samples and previous CIA malware. According to their metadata, the Purple Lambert samples appear to date from seven years earlier, in 2014. Although Kaspersky has not seen any of these samples in the wild, it believes Purple Lambert samples were "most certainly deployed in 2014 and probably as late as 2015."

“Although we have not found any shared code with any other known malware, the samples have intersections of coding patterns, style and techniques that have been seen in various Lambert families. We therefore named this malware Purple Lambert.” states the APT trends report Q1 2021 published by Kaspersky. “Purple Lambert is composed of several modules, with its network module passively listening for a magic packet. It is capable of providing an attacker with basic information about the infected system and executing a received payload. Its functionality reminds us of Gray Lambert, another user-mode passive listener. Gray Lambert turned out to be a replacement of the kernel-mode passive-listener White Lambert implant in multiple incidents. In addition, Purple Lambert implements functionality similar to, but in different ways, both Gray Lambert and White Lambert.” 

While the Lambert APT (also known as the Longhorn APT) has been present since at least 2008, the first samples were discovered in 2014. The group is extremely advanced, and it has penetrated organisations all over the world with a sophisticated cyberattack network that can hack both Windows and Mac systems. The researchers discovered and studied numerous backdoors and hacking methods that make up the cyberespionage group's arsenal over the years.

Spy Campaign: SideWinder APT Leverages South Asian Border Disputes


The SideWinder advanced persistent threat (APT) group, which appears to have been active since 2012, has started a new malicious campaign in which the threat actors leverage the rising border disputes between India and China, India and Nepal, and Nepal and Pakistan.

The aim of this phishing and malware campaign is to gather sensitive information from its targets, mainly located in two territories, Nepal and Afghanistan. A recent study says the SideWinder group primarily targets victims in South Asia and its surroundings, and this latest campaign is no exception.

According to the researchers, this phishing and malware campaign is targeting multiple government and military units in countries across the region. The Nepali Ministries of Defense and Foreign Affairs, the Nepali Army, the Afghanistan National Security Council, the Sri Lankan Ministry of Defense and the Presidential Palace in Afghanistan are among its prime targets, to name a few.

The attackers set up webmail login pages aimed at harvesting credentials. The victims' actual webmail login pages were copied and are now being used for phishing, according to the Trend Micro researchers. For instance, "mail-nepalgovnp[.]duckdns[.]org" appears to be the legitimate domain of Nepal's government, but it is only tricking people into believing so.
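As an added example that is not part of the original post or of Trend Micro's research, the block below is a small detector for the pattern described above: a victim's domain name squashed into a subdomain of a dynamic DNS provider. The DNS log lines, the protected-domain list and the second lookalike are constructed; the dynamic DNS suffix list is a short illustrative sample, not a complete one; the defanged hostname is the one quoted in the post, and the `refang` helper exists so that it can be pasted straight from a report.

```python
"""Added example (not from the Trend Micro report): flag hostnames that
imitate a protected domain by squashing it into a dynamic-DNS subdomain,
run over constructed DNS resolver log lines."""
from typing import List, Optional

# Dynamic DNS suffixes to watch; a small illustrative sample only.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")

# Domains whose users we protect (constructed list; the first is the
# government domain the post's example imitates).
PROTECTED_DOMAINS = ("nepal.gov.np", "example-mod.example")

# Constructed resolver log in a simple "timestamp client qname" layout.
SAMPLE_DNS_LOG = """\
2021-01-05T09:12:01Z 10.0.0.15 mail.nepal.gov.np
2021-01-05T09:12:44Z 10.0.0.22 mail-nepalgovnp.duckdns.org
2021-01-05T09:13:10Z 10.0.0.22 updates.example-cdn.example
2021-01-05T09:14:03Z 10.0.0.31 login-examplemodexample.ddns.net
2021-01-05T09:15:27Z 10.0.0.15 weather.duckdns.org
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as a[.]b[.]c back into a hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def squash(domain: str) -> str:
    """Drop dots and hyphens so 'nepal.gov.np' compares as 'nepalgovnp'."""
    return domain.replace(".", "").replace("-", "")


def dyndns_subdomain(host: str) -> Optional[str]:
    """Return the part of host below a watched dynamic-DNS suffix, or None."""
    for suffix in DYNDNS_SUFFIXES:
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1]
    return None


def lookalike_of(host: str) -> Optional[str]:
    """Return the protected domain that host imitates, or None."""
    sub = dyndns_subdomain(host.lower().rstrip("."))
    if sub is None:
        return None
    flat = squash(sub)
    for domain in PROTECTED_DOMAINS:
        if squash(domain) in flat:
            return domain
    return None


def scan_dns_log(log: str) -> List[dict]:
    """Return one hit per log line whose qname imitates a protected domain."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # constructed format: skip malformed lines
        timestamp, client, qname = parts
        target = lookalike_of(qname)
        if target is not None:
            hits.append({"time": timestamp, "client": client,
                         "qname": qname, "imitates": target})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['time']} {hit['client']} {hit['qname']} -> imitates {hit['imitates']}")
```

The squash-and-substring match is deliberately simple: it catches the exact trick in the post (separators removed, a prefix such as `mail-` added) while leaving the genuine `mail.nepal.gov.np` and unrelated dynamic-DNS names alone. A production rule would add a distance metric for misspellings and consult a full list of dynamic-DNS and free-hosting suffixes.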

The Catch

When the users "log in", they are either sent straight to the actual login pages or redirected to various news pages or documents related either to political fodder or to COVID-19. Researchers noted that some of the pages also include articles with titles such as "China has nothing to do with India, India should see that." Similarly, many articles covering hot topics from ongoing disputes between states are being used.

Cyber Espionage: No Limits? 

"We also found multiple Android APK files on their phishing server. While some of them are benign, we also discovered malicious files created with Metasploit," the researchers wrote on Wednesday.

Reportedly, SideWinder is a very proactive group that made headlines for attacking mobile devices via a Binder exploit. This year, targets in several states, namely Bangladesh, China, and Pakistan, were attacked using coronavirus-themed files.


Chinese espionage campaign hit telecommunications firms around the world






Hackers have breached the systems of more than a dozen global telecommunications companies and have taken hold of a large amount of personal as well as corporate data, researchers from a cybersecurity company said on Tuesday.

Security researchers from Cybereason, a US-Israeli cybersecurity firm, said that the attackers compromised companies in more than 30 countries.

The main aim behind this espionage is to gather information about individuals who are working in government, law enforcement and politics. The group is linked to a Chinese cyber-espionage campaign.

The tools used by the hackers were similar to those seen in other attacks attributed to Beijing, but China denied any involvement in such activity.

"For this level of sophistication, it's not a criminal group. It is a government that has capabilities that can do this kind of attack," Lior Div, chief executive of Cybereason, told Reuters.

"They built a perfect espionage environment. They could grab information as they please on the targets that they are interested in," Cybereason said in a blog post.



“We managed to find not just one piece of software, we managed to find more than five different tools that this specific group used,” Div said.

New 'KeyBoy' malware targets users from India, Vietnam

Security researchers have discovered a new piece of malware that targets users from India and Vietnam. The backdoor is designed to steal information from the victim.

The malware campaign uses well-crafted Microsoft Word documents that exploit a patched vulnerability in Microsoft Office to drop new malware referred to as 'KeyBoy', according to Rapid7.

The first document found by the researchers targeting users from Vietnam is written in Vietnamese and is about reviewing and discussing best practices for teaching scientific topics.

The second document found by the researchers is written in English with title "All INDIA Bharat Sanchar Nigam Limited Executives' Association".  The title suggests the document is designed to target Indians.  The report says the document pretends to be authored by someone called Amir Kumar Gupta.  


Once the crafted documents are opened, they attempt to exploit known remote code execution vulnerabilities in Microsoft Office. If successful, they install a backdoor dubbed 'KeyBoy'.

After analyzing the malware, researchers identified code designed to steal login credentials stored in the Firefox and Internet Explorer browsers.