Tag: APT

The Most Dangerous People on the Internet in 2018

This year thankfully avoided any world-breaking ransomware attacks like NotPetya. It even had some small victories, like GitHub beating back the biggest DDoS attack in history. Still, online threats are manifold, lurking and evolving, making the internet a more hostile place than ever.

The biggest threats online continued to mirror the biggest threats in the real world, with nation states fighting proxy battles and civilians bearing the brunt of the assault. In many cases, the most dangerous people online are also the most dangerous in the real world. The distinction has never mattered less.

Read the list of most dangerous people on the Internet for 2018 on Wired.

Five other countries formally accuse China of APT10 hacking spree

After the US Department of Justice charged two Chinese nationals for being members of a state-sponsored hacking group and accused the Chinese government of orchestrating a string of hacks around the world, five other governments have stepped in with similar accusations.

Australia, Canada, Japan, New Zealand, and the UK have published official statements today formally blaming China for hacking their government agencies and local companies. All statements concern the supposed involvement of the Chinese Ministry of State Security (MSS) in supporting the activity of a hacking group known as APT10.

Read more about this story on ZDNet.

U.S. Indicts China-Backed Duo for Massive, Years-Long Spy Campaign

The Department of Justice charged two Chinese hackers with stealing “hundreds of gigabytes” of data from more than 45 other governmental organizations and U.S.-based companies. This has potentially significant national security ramifications: Targets included the NASA Goddard Space Center and Jet Propulsion Laboratory; U.S. Department of Energy’s Lawrence Berkeley National Laboratory; and the Navy.

The two hackers, Zhang Shilong and Zhang Jianguo, are alleged to be members of APT10, a well-known China-based threat actor, which is believed to be directly connected to the Chinese Ministry of State Security’s (MSS) Tianjin bureau.

Read more about the charges against the Chinese hackers on ThreatPost.

Russian Cyberspies Build ‘Go’ Version of Their Trojan

The Russian-linked cyber-espionage group Sofacy has developed a new version of their Zebrocy tool using the Go programming language, Palo Alto Networks security researchers warn. The first-stage malware was initially analyzed in April this year, and has been observed in numerous attacks in October and November. Last month, however, the researchers also observed a new Trojan being used in the group’s attacks.

Also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the state-sponsored actor has been active for several years, focusing on cyber-espionage and believed to have orchestrated the attacks targeting the 2016 presidential election in the United States.

Read more about the new malware used by Sofacy on SecurityWeek.

Cyber-espionage group uses Chrome extension to infect victims

In what appears to be a first on the cyber-espionage scene, a nation-state-backed hacking group has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers.

This is the first time an APT (Advanced Persistent Threat, an industry term for nation-state hacking groups) has been seen (ab)using a Chrome extension. A pending report by the ASERT team at Netscout reveals the details of a spear-phishing campaign that has been pushing a malicious Chrome extension since at least May 2018. Researchers said they found evidence suggesting that the group may be based in North Korea.

Read more about the cyber-espionage campaign on ZDNet.

Adobe Fixes Zero-Day Flash Player Vulnerability Used in APT Attack on Russia

Adobe has released an update for Flash Player that fixes a zero-day vulnerability that was used as part of an APT attack against Russia. This attack is being named “Operation Poison Needles” and targeted the Russian FSBI “Polyclinic #2” medical clinic.

According to research from Qihoo’s 360 Advanced Threat Response Team and Gigamon, on November 29, 2018 an attack was detected against Russia’s FSBI “Polyclinic #2” clinic. The site for this clinic indicates it provides medical and cosmetic services to the executive and higher-level employees of the Russian Federation.

Read more about the zero-day and the APT attack on BleepingComputer.

Sofacy APT Takes Aim with Novel ‘Cannon’ Trojan

The Sofacy APT group is back, with a new second-stage custom malware payload that researchers have dubbed “Cannon.” A campaign against several government entities around the globe, including in North America, Europe and a former Soviet state, came in waves during late October and early November, according to Palo Alto’s Unit 42.

The researchers attributed it to Russian-speaking Sofacy, a.k.a. Fancy Bear, Sednit or APT28, after intercepting a series of weaponized documents that load remote templates containing a malicious macro. Unit 42 was able to retrieve the payloads, which included the known Zebrocy trojan in the first stage, and a new malware, the Cannon dropper trojan, for the second stage.

Read more about the recent activity of the Fancy Bear APT on Threatpost.

Russian APT comes back to life with new US spear-phishing campaign

A Russian state-sponsored cyber-espionage group has come back to life after a one-year period of inactivity with a relatively large spear-phishing campaign that has targeted both the US government and the private sector.

The hacking group is known in infosec circles as Cozy Bear, APT29, The Dukes, or PowerDuke, and is infamous because it is one of the two Russian state hacking crews that hacked the Democratic National Committee before the 2016 US presidential election. “On 14 November 2018, CrowdStrike detected a widespread spear-phishing campaign against multiple sectors,” Adam Meyers, VP of Intelligence, told ZDNet.

Read more about the new attack campaign by Cozy Bear on ZDNet.

Winter Olympic Games hackers are back with an updated arsenal

The hacking team behind a cyberattack which impacted the Winter Olympic Games is back with an updated cache of droppers and hacking tools. Researchers from Check Point said that Hades, the advanced persistent threat (APT) group believed to be behind an attack this year launched against systems used in the Winter Olympic Games, has begun a potential evolutionary shift.

“Over the last few weeks, we have noticed new activity from Hades,” the researchers say. “This new wave of attack shares a lot with those previously attributed to the group but it seems that this time we are witnessing significant changes that may hint at a new evolution from the group.”

Read more about the new activity of the Hades APT on ZDNet.

Hacking group returns, switches attacks from ransomware to trojan malware

A prolific hacking group has returned with a new campaign which looks to deliver a new remote access trojan (RAT) to victims in order to create a backdoor into PCs to steal credentials and banking information.

The campaign is suspected to be the work of TA505, a well-resourced hacking group which has been active since at least 2014. Now TA505 is running a new campaign, which has been detailed by researchers at security company Proofpoint. In line with a change of focus by other cyber criminal groups, TA505 has shifted away from ransomware and banking trojans and now appears to focus on RATs.

Read more about the new campaign by TA505 on ZDNet.