cyber espionage | Breaking Cybersecurity News | The Hacker News

A Taiwanese government-affiliated research institute that specializes in computing and associated technologies was breached by nation-state threat actors with ties to China, according to new findings from Cisco Talos. The unnamed organization was targeted as early as mid-July 2023 to deliver a variety of backdoors and post-compromise tools like ShadowPad and Cobalt Strike. It has been attributed with medium confidence to a prolific hacking group tracked as APT41 . "The ShadowPad malware used in the current campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader to load the customized second-stage loader for launching the payload," security researchers Joey Chen, Ashley Shen, and Vitor Ventura said . "The threat actor compromised three hosts in the targeted environment and was able to exfiltrate some documents from the network." Cisco Talos said it discovered the activity in August 2023 after detecting what it described we

A Russia-linked threat actor has been linked to a new campaign that employed a car for sale as a phishing lure to deliver a modular Windows backdoor called HeadLace . "The campaign likely targeted diplomats and began as early as March 2024," Palo Alto Networks Unit 42 said in a report published today, attributing it with medium to high level of confidence to APT28 , which is also referred to as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. It's worth noting that car-for-sale phishing lure themes have been previously put to use by a different Russian nation-state group called APT29 as far back as May 2023, indicating that APT28 is repurposing successful tactics for its own campaigns. Earlier this May, the threat actor was implicated in a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages. The attacks are characterize

Want to know what's the latest and greatest in SecOps for 2024? Gartner's recently released Hype Cycle for Security Operations report takes important steps to organize and mature the domain of Continuous Threat Exposure Management, aka CTEM. Three categories within this domain are included in this year's report: Threat Exposure Management, Exposure Assessment Platforms (EAP), and Adversarial Exposure Validation (AEV). These category definitions are aimed at providing some structure to the evolving landscape of exposure management technologies. Pentera, listed as a sample vendor in the newly defined AEV category, is playing a pivotal role in increasing the adoption of CTEM, with a focus on security validation. Following is our take on the CTEM related product categories and what they mean for enterprise security leaders. The Industry is Maturing CTEM, coined by Gartner in 2022, presents a structural approach for continuously assessing, prioritizing, validating, and remediating expo

Cybersecurity researchers have discovered a previously undocumented Windows backdoor that leverages a built-in feature called Background Intelligent Transfer Service ( BITS ) as a command-and-control (C2) mechanism. The newly identified malware strain has been codenamed BITSLOTH by Elastic Security Labs, which made the discovery on June 25, 2024, in connection with a cyber attack targeting an unspecified Foreign Ministry of a South American government. The activity cluster is being tracked under the moniker REF8747. "The most current iteration of the backdoor at the time of this publication has 35 handler functions including keylogging and screen capture capabilities," security researchers Seth Goodwin and Daniel Stepanic said . "In addition, BITSLOTH contains many different features for discovery, enumeration, and command-line execution." It's assessed that the tool – in development since December 2021 – is being used by the threat actors for data gatheri

Companies in Russia and Moldova have been the target of a phishing campaign orchestrated by a little-known cyber espionage group known as XDSpy . The findings come from cybersecurity firm F.A.C.C.T., which said the infection chains lead to the deployment of a malware called DSDownloader. The activity was observed this month, it added. XDSpy is a threat actor of indeterminate origin that was first uncovered by the Belarusian Computer Emergency Response Team, CERT.BY, in February 2020. A subsequent analysis by ESET attributed the group to information-stealing attacks aimed at government agencies in Eastern Europe and the Balkans since 2011. Attack chains mounted by the adversary are known to leverage spear-phishing emails in order to infiltrate their targets with a main malware module known as XDDown that, in turn, drops additional plugins for gathering system information, enumerating C: drive, monitoring external drives, exfiltrating local files, and gathering passwords. Ove

The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives. SideWinder , which is also known by the names APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, and Razor Tiger, is assessed to be affiliated with India. It has been operational since 2012, often making use of spear-phishing as a vector to deliver malicious payloads that trigger the attack chains. "SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants," the Canadian cybersecurity company said in an analysis published last week. The latest

The remote access trojan known as Gh0st RAT has been observed being delivered by an "evasive dropper" called Gh0stGambit as part of a drive-by download scheme targeting Chinese-speaking Windows users. These infections stem from a fake website ("chrome-web[.]com") serving malicious installer packages masquerading as Google's Chrome browser, indicating that users searching for the software on the web are being singled out. Gh0st RAT is a long-standing malware that has been observed in the wild since 2008, manifesting in the form of different variants over the years in campaigns primarily orchestrated by China-nexus cyberespionage groups. Some iterations of the trojan have also been previously deployed by infiltrating poorly-secured MS SQL server instances, using it as a conduit to install the Hidden open-source rootkit. According to cybersecurity firm eSentire, which discovered the latest activity, the targeting of Chinese-speaking users is based on &quo

A North Korea-linked threat actor known for its cyber espionage operations has gradually expanded into financially-motivated attacks that involve the deployment of ransomware, setting it apart from other nation-state hacking groups linked to the country. Google-owned Mandiant is tracking the activity cluster under a new moniker APT45 , which overlaps with names such as Andariel, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Silent Chollima, and Stonefly. "APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009," researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, and Michael Barnhart said . "APT45 has been the most frequently observed targeting critical infrastructure." It's worth mentioning that APT45, along with APT38 (aka BlueNoroff), APT43 (aka Kimsuky), and Lazarus Group (aka TEMP.Hermit), are elements within North Korea's Reconnaissance General Bureau

The threat actor known as Patchwork has been linked to a cyber attack targeting entities with ties to Bhutan to deliver the Brute Ratel C4 framework and an updated version of a backdoor called PGoShell. The development marks the first time the adversary has been observed using the red teaming software, the Knownsec 404 Team said in an analysis published last week. The activity cluster, also called APT-C-09, Dropping Elephant, Operation Hangover, Viceroy Tiger, and Zinc Emerson, is a state-sponsored actor likely of Indian origin. Known for conducting spear-phishing and watering hole attacks against China and Pakistan, the hacking crew is believed to be active since at least 2009, according to data shared by Chinese cybersecurity firm QiAnXin. Last July, Knownsec 404 disclosed details of an espionage campaign aimed at universities and research organizations in China that leveraged a .NET-based implant codenamed EyeShell to fetch and execute commands from an attacker-controlled

Organizations in Taiwan and a U.S. non-governmental organization (NGO) based in China have been targeted by a Beijing-affiliated state-sponsored hacking group called Daggerfly using an upgraded set of malware tools. The campaign is a sign that the group "also engages in internal espionage," Symantec's Threat Hunter Team, part of Broadcom, said in a new report published today. "In the attack on this organization, the attackers exploited a vulnerability in an Apache HTTP server to deliver their MgBot malware." Daggerfly, also known by the names Bronze Highland and Evasive Panda, was previously observed using the MgBot modular malware framework in connection with an intelligence-gathering mission aimed at telecom service providers in Africa. It's known to be operational since 2012. "Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption," the compan

The Computer Emergency Response Team of Ukraine (CERT-UA) has alerted of a spear-phishing campaign that targeted a scientific research institution in the country with malware known as HATVIBE and CHERRYSPY. The agency attributed the attack to a threat actor it tracks under the name UAC-0063 , which was previously observed targeting various government entities to gather sensitive information using keyloggers and backdoors. The attack is characterized by the use of a compromised email account belonging to an employee of the organization to send phishing messages to "dozens" of recipients containing a macro-laced Microsoft Word (DOCX) attachment. Opening the document and enabling macros results in the execution of an encoded HTML Application (HTA) named HATVIBE, which sets up persistence on the host using a scheduled task and paves the way for a Python backdoor codenamed CHERRYSPY, which is capable of running commands issued by a remote server. CERT-UA said it detected &q

A suspected pro-Houthi threat group targeted at least three humanitarian organizations in Yemen with Android spyware designed to harvest sensitive information. These attacks, attributed to an activity cluster codenamed OilAlpha , entail a new set of malicious mobile apps that come with their own supporting infrastructure, Recorded Future's Insikt Group said . Targets of the ongoing campaign include, CARE International, the Norwegian Refugee Council (NRC), and the Saudi Arabian King Salman Humanitarian Aid and Relief Centre. "The OilAlpha threat group is highly likely active and executing targeted activity against humanitarian and human rights organizations operating in Yemen, and potentially throughout the Middle East," the cybersecurity company said. OilAlpha was first documented in May 2023 in connection with an espionage campaign targeting development, humanitarian, media, and non-governmental organizations in the Arabian peninsula. These attacks leveraged What

Several organizations operating within global shipping and logistics, media and entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. have become the target of a "sustained campaign" by the prolific China-based APT41 hacking group. "APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since 2023, enabling them to extract sensitive data over an extended period," Google-owned Mandiant said in a new report published Thursday. The threat intelligence firm described the adversarial collective as unique among China-nexus actors owing to its use of "non-public malware typically reserved for espionage operations in activities that appear to fall outside the scope of state-sponsored missions." Attack chains involve the use of web shells (ANTSWORD and BLUEBEAM), custom droppers (DUSTPAN and DUSTTRAP), and publicly available tools (SQLULDR2 and PINEGROV

Unknown threat actors have been observed leveraging open-source tools as part of a suspected cyber espionage campaign targeting global government and private sector organizations. Recorded Future's Insikt Group is tracking the activity under the temporary moniker TAG-100, noting that the adversary likely compromised organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania, including two unnamed Asia-Pacific intergovernmental organizations. Also singled out since February 2024 are diplomatic, government, semiconductor supply-chain, non-profit, and religious entities located in Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, Netherlands, Taiwan, the U.K., the U.S., and Vietnam. "TAG-100 employs open-source remote access capabilities and exploits various internet-facing devices to gain initial access," the cybersecurity company said . "The group used open-source Go backdoors Pantegana and Spark RAT post-e

Cybersecurity researchers have discovered an updated variant of a known stealer malware that attackers affiliated with the Democratic People's Republic of Korea (DPRK) have delivered as part of prior cyber espionage campaigns targeting job seekers. The artifact in question is an Apple macOS disk image (DMG) file named "MiroTalk.dmg" that mimics the legitimate video call service of the same name, but, in reality, serves as a conduit to deliver a native version of BeaverTail, security researcher Patrick Wardle said . BeaverTail refers to a JavaScript stealer malware that was first documented by Palo Alto Networks Unit 42 in November 2023 as part of a campaign dubbed Contagious Interview that aims to infect software developers with malware through a supposed job interview process. Securonix is tracking the same activity under the moniker DEV#POPPER . Besides siphoning sensitive information from web browsers and crypto wallets, the malware is capable of delivering addi

A China-linked threat actor called APT17 has been observed targeting Italian companies and government entities using a variant of a known malware referred to as 9002 RAT. The two targeted attacks took place on June 24 and July 2, 2024, Italian cybersecurity company TG Soft said in an analysis published last week. "The first campaign on June 24, 2024 used an Office document, while the second campaign contained a link," the company noted . "Both campaigns invited the victim to install a Skype for Business package from a link of an Italian government-like domain to convey a variant of 9002 RAT." APT17 was first documented by Google-owned Mandiant (then FireEye) in 2013 as part of cyber espionage operations called DeputyDog and Ephemeral Hydra that leveraged zero-day flaws in Microsoft's Internet Explorer to breach targets of interest. It's also known by the monikers Aurora Panda, Bronze Keystone, Dogfish, Elderwood, Helium, Hidden Lynx, and TEMP.Avenge

The Iranian nation-state actor known as MuddyWater has been observed using a never-before-seen backdoor as part of a recent attack campaign, shifting away from its well-known tactic of deploying legitimate remote monitoring and management (RMM) software for maintaining persistent access. That's according to independent findings from cybersecurity firms Check Point and Sekoia, which have codenamed the malware strain BugSleep and MuddyRot , respectively. "Compared to previous campaigns, this time MuddyWater changed their infection chain and did not rely on the legitimate Atera remote monitoring and management tool (RRM) as a validator," Sekoia said in a report shared with The Hacker News. "Instead, we observed that they used a new and undocumented implant." Some elements of the campaign were first shared by Israeli cybersecurity company ClearSky on June 9, 2024. Targets include countries like Turkey, Azerbaijan, Jordan, Saudi Arabia, Israel, and Portugal.

Two Russian-born Australian citizens have been arrested and charged in the country for spying on behalf of Russia as part of a "complex" law enforcement operation codenamed BURGAZADA . This includes a 40-year-old woman, an Australian Defence Force (ADF) Army Private, and her husband, a 62-year-old self-employed laborer. Media reports have identified them as Kira Korolev and Igor Korolev, respectively, noting that they had been in Australia for over a decade. The married couple were arrested at their home in the Brisbane suburb of Everton Park on July 11, 2024, the Australian Federal Police (AFP) said in a statement. They have been charged with one count each of preparing for an espionage offense, which carries a maximum penalty of 15 years' imprisonment. "It is the first time an espionage offense has been laid in Australia since new laws were introduced by the Commonwealth in 2018," the AFP said . The federal law enforcement agency has alleged the pair

The China-linked advanced persistent threat (APT) group codenamed APT41 is suspected to be using an "advanced and upgraded version" of a known malware called StealthVector to deliver a previously undocumented backdoor dubbed MoonWalk. The new variant of StealthVector – which is also referred to as DUSTPAN – has been designated DodgeBox by Zscaler ThreatLabz, which discovered the loader strain in April 2024. "DodgeBox is a loader that proceeds to load a new backdoor named MoonWalk," security researchers Yin Hong Chang and Sudeep Singh said . "MoonWalk shares many evasion techniques implemented in DodgeBox and utilizes Google Drive for command-and-control (C2) communication." APT41 is the moniker assigned to a prolific state-sponsored threat actor affiliated with China that's known to be active since at least 2007. It's also tracked by the broader cybersecurity community under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atl