Tag: APT

Cyber-espionage group uses Chrome extension to infect victims

In what appears to be a first on the cyber-espionage scene, a nation-state-backed hacking group has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers.

This is the first time an APT (Advanced Persistent Threat –an industry term for nation-state hacking groups) has been seen (ab)using a Chrome extension. A pending report by the ASERT team at Netscout reveals the details of a spear-phishing campaign that’s been pushing a malicious Chrome extension since at least May 2018. Researchers said they found evidence suggesting that the group may be based in North Korea.

Read more about the cyber-espionage campaign on ZDNet.

Adobe Fixes Zero-Day Flash Player Vulnerability Used in APT Attack on Russia

Adobe has released an update for Flash Player that fixes a zero-day vulnerability that was used as part of an APT attack against Russia. This attack is being named “Operation Poison Needles” and targeted the Russian FSBI “Polyclinic #2” medical clinic.

According to research from Qihoo’s 360 Advanced Threat Response Team and Gigamon, on November 29, 2018 an attack was detected against Russia’s FSBI “Polyclinic #2” clinic. The site for this clinic indicates it provides medical and cosmetic services to the executive and higher level employees of the Russian Federation.

Read more about the zero-day and the APT attack on BleepingComputer.

Sofacy APT Takes Aim with Novel ‘Cannon’ Trojan

The Sofacy APT group is back, with a new second-stage custom malware payload that researchers have dubbed “Cannon.” A campaign against several government entities around the globe, including in North America, Europe and a former Soviet state, came in waves during late October and early November, according to Palo Alto’s Unit 42.

The researchers attributed it to Russian-speaking Sofacy, a.k.a. Fancy Bear, Sednit or APT28, after intercepting a series of weaponized documents that load remote templates containing a malicious macro. Unit 42 was able to retrieve the payloads, which included the known Zebrocy trojan in the first stage, and a new malware, the Cannon dropper trojan, for the second stage.

Read more about the recent activity of the Fancy Bear APT on Threatpost.

Russian APT comes back to life with new US spear-phishing campaign

A Russian state-sponsored cyber-espionage group has come back to life after a one-year period of inactivity with a relative large spear-phishing campaign that has targeted both the US government and private sector.

The hacking group is known in infosec circles as Cozy Bear, APT29, The Dukes, or PowerDuke, and is infamous because it’s one of the two Russian state hacking crews that hacked the Democratic National Committee before the 2016 US Presidential Elections. “On 14 November 2018, CrowdStrike detected a widespread spear-phishing campaign against multiple sectors,” Adam Meyers, VP of Intelligence told ZDNet.

Read more about the new attack campaign by Cozy Bear on ZDNet.

Winter Olympic Games hackers are back with an updated arsenal

The hacking team behind a cyberattack which impacted the Winter Olympic Games is back with an updated cache of droppers and hacking tools. Researchers from Check Point said that Hades, the advanced persistence threat (APT) group believed to be behind an attack this year levied against systems used in the Winter Olympic Games, has begun a potential evolutionary shift.

“Over the last few weeks, we have noticed new activity from Hades,” the researchers say. “This new wave of attack shares a lot with those previously attributed to the group but it seems that this time we are witnessing significant changes that may hint at a new evolution from the group.”

Read more about the new activity of the Hades APT on ZDNet.

Hacking group returns, switches attacks from ransomware to trojan malware

A prolific hacking group has returned with a new campaign which looks to deliver a new remote access trojan (RAT) to victims in order to create a backdoor into PCs to steal credentials and banking information.

The campaign is suspected to be the work of TA505, a well-resourced hacking group which has been active since at least 2014. Now TA505 is running a new campaign, which has been detailed by researchers at security company Proofpoint. In line with a change of focus by other cyber criminal groups, TA505 has shifted away from ransomware and banking trojans and now appears to focus on RATs.

Read more about the new campaign by TA505 on ZDNet.

Internet Explorer scripting engine becomes North Korean APT’s favorite target in 2018

Internet Explorer’s scripting engine was the favorite target of a North Korean cyber-espionage group this year, after the hackers deployed two zero-days, but also crafted new exploits for two other older vulnerabilities. The group’s name is DarkHotel, a cyber-espionage group that McAfee and many other cyber-security firms have already linked to the Pyongyang regime.

The group has been active since 2007, but it was publicly exposed in 2014. Despite being ousted in public reports, DarkHotel didn’t stop its attacks.

Read more about the recent activity of the DarkHotel APT on ZDNet.

Cylance researchers discover powerful new nation-state APT

When a Belgian locksmith attacked the Pakistani Air Force, researchers at Cylance took notice. The locksmith probably never knew his website had been taken over by a nation-state hacking group as a command-and-control server, nor that exploit-laden Microsoft Word documents crafted to spear-phish Pakistani Air Force officers were hosted there for over six months.

The Belgian locksmith was just a pawn in a global game of cyberespionage fought by a new nation-state hacking group. The incredibly sophisticated layers of misdirection used by the malware to mislead and delay forensics analysis worries security researchers.

Read more about the new APT, dubbed White Company, which is likely Middle Eastern, but shows fingerprints of U.S.-trained personnel, on CSO.

Recently-Patched Adobe ColdFusion Flaw Exploited By APT

An Adobe ColdFusion vulnerability, patched two months ago, was being exploited in the wild by a China-linked APT group, researchers found. The vulnerability, CVE-2018-15961, is a critical unrestricted file upload bug that could also lead to arbitrary code-execution, researchers at Volexity, who discovered the exploitation, have said.

“Volexity recently observed active exploitation of a newly patched vulnerability in Adobe ColdFusion, for which no public details or proof-of-concept code exists,” researchers said in a post. “In the attack detected by Volexity, a suspected Chinese APT group was able to compromise a vulnerable ColdFusion server by directly uploading a China Chopper webshell.”

Read more about the exploited vulnerability on Threatpost.

StrongPity APT Changes Tactics to Stay Stealthy

The APT group behind the sophisticated malware known as StrongPity (a.k.a. Promethium) has changed its tactics, after various research groups analyzed the malware and exposed its methods of deployment. The efforts have allowed the group to return to hidden status, even after being labeled a known quantity, according to Cylance researchers.

A fresh analysis reveals that the StrongPity group made only minor adjustments, requiring minimal effort and code changes – but that these have been enough to be effective in keeping their infrastructure out of the limelight. Now researchers say they have observed new domains and new IP addresses, plus filename changes and small encryption enhancements.

Read more about the findings of the new Cylance report on Threatpost.