China-linked APT group (also known as and ) breached U.S. broadband providers, including Verizon, AT&T, and Lumen Technologies, potentially accessing systems for lawful wiretapping and other data.
According to the Wall Street Journal, which reported the news exclusively, the security breach poses a major national security risk. The WSJ states that the compromise remained undisclosed because of its possible impact on national security. Experts believe the threat actors aim to gather intelligence.
“A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests.”
“For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk.”
The group targeted surveillance systems used by the US government to investigate crimes and threats to national security, including activities carried out by nation-state actors.
The investigation into the breaches of the U.S. broadband providers is still ongoing; government experts are assessing its scope.
Experts suspect the state-sponsored hackers have gathered extensive internet traffic and potentially compromised sensitive data.
This attack is the latest incident linked to China’s expansive espionage strategies.
U.S. officials are increasingly concerned about Chinese cyber efforts to infiltrate critical infrastructure. Intelligence experts believe that security breaches like this could enable disruptive attacks during potential future conflicts.
The Salt Typhoon campaign is part of this broader strategy. Experts are still investigating the origins of the attack and whether threat actors compromised Cisco routers.
This week the Wall Street Journal first reported that experts are investigating the security breaches to determine whether the attackers gained access to Cisco Systems routers, which are core components of ISP infrastructure.
A Cisco spokeswoman confirmed the investigation and said that “at this time, there is no indication that Cisco routers are involved” in the Salt Typhoon activity.
“Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information, according to people familiar with the matter.” reported the Wall Street Journal.
“The hacking campaign, called Salt Typhoon by investigators, hasn’t previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success has had breaking into valuable computer networks in the U.S. and around the globe.”
China has long targeted global internet service providers and recent attacks are aligned with past operations linked to Beijing.
Intelligence and cybersecurity experts warn that Chinese nation-state actors have shifted from stealing secrets to infiltrating critical U.S. infrastructure, suggesting that they are now targeting the core of America’s digital networks.
The Salt Typhoon hacking campaign, linked to China, appears focused on intelligence gathering rather than crippling infrastructure, unlike the attacks carried out by another China-linked APT group called . Chris Krebs from SentinelOne suggested that the group behind Salt Typhoon may be affiliated with China’s Ministry of State Security, specifically the group, which specializes in intelligence collection. This group was publicly called out by the U.S. and its allies for hacking activities in July.
The Justice Department revealed the unsealing of a warrant to seize 41 domains used by Russia-linked (formerly , also known as ) for computer fraud in the United States.
The US DoJ coordinated its operation with Microsoft, which took civil action to restrain 66 additional domains.
“Microsoft’s Digital Crimes Unit (DCU) is disrupting the technical infrastructure used by a persistent Russian nation-state actor Microsoft Threat Intelligence tracks as . Today, the United States District Court for the District of Columbia unsealed a civil action brought by Microsoft’s DCU, including its order authorizing Microsoft to seize 66 unique domains used by Star Blizzard in cyberattacks targeting Microsoft customers globally, including throughout the United States.” reads the published by Microsoft. “Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society organizations – journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive – by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities.”
A reveals that the APT group targeted a wide range of U.S. entities, including companies and current or former employees of the U.S. Intelligence Community, Department of Defense, Department of State, Department of Energy, and military defense contractors.
“Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action – using all tools to disrupt and deter malicious, state-sponsored cyber actors,” . “The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials. With the continued support of our private sector partners, we will be relentless in exposing Russian actors and cybercriminals and depriving them of the tools of their illicit trade.”
In December 2023, the UK National Cyber Security Centre (NCSC) and Microsoft warned that the Russia-linked APT group was targeting organizations worldwide. The nation-state actor carries out spear-phishing attacks for cyberespionage purposes.
The Callisto APT group (aka “Star Blizzard”, “ColdRiver”, “TA446”) has targeted government officials, military personnel, journalists and think tanks since at least 2015.
In the past, the group’s activity involved persistent phishing and credential theft campaigns leading to intrusions and data theft. The APT primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.
In December 2023, the Reddit security team attributed the leak of US-UK trade documents through its platform to a coordinated information campaign linked to Russia.
“We were recently made aware of a that included leaked documents from the UK,” the statement said. “We investigated this account and the accounts connected to it, and today we believe this was part of a campaign that has been reported as originating from Russia.”
“Earlier this year Facebook discovered a on its platform, which was further analyzed by the Atlantic Council and dubbed ‘,’” Reddit’s announcement said. “Suspect accounts on Reddit were recently reported to us, along with indicators from law enforcement, and we were able to confirm that they did indeed show a pattern of coordination.”
According to a press release published by the UK government, the UK and its allies observed a series of attempts by the Russian Intelligence Services to target high-profile individuals and entities through cyber operations. The nation-state actor aimed at obtaining information to interfere in UK politics and democratic processes.
The UK Government linked the activity to Centre 18, a unit within Russia’s intelligence service FSB, tracked as Star Blizzard.
“While some attacks resulted in documents being leaked, attempts to interfere with UK politics and democracy have not been successful.” reads the press release. “The group has also selectively leaked and amplified the release of information in line with Russian confrontation goals, including to undermine trust in politics in the UK and likeminded states.”
The UK believes that the FSB coordinated at least the following activities:
The National Crime Agency investigation identified two members of Star Blizzard, and the UK and US governments sanctioned them. The two individuals are:
Returning to the present, Microsoft admitted that disrupting the domains will not completely stop the group’s spear-phishing activities.
“While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern,” the company said.
“Together, we have seized more than 100 websites. Rebuilding infrastructure takes time, absorbs resources, and costs money. By collaborating with DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard.” concludes Microsoft. “While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern. It will also enable us to quickly disrupt any new infrastructure we identify through an existing court proceeding. Furthermore, through this civil action and discovery, Microsoft’s DCU and Microsoft Threat Intelligence will gather additional valuable intelligence about this actor and the scope of its activities, which we can use to improve the security of our products, share with cross-sector partners to aid them in their own investigations and identify and assist victims with remediation efforts.”
The Dutch police blame a state actor for the recent data breach that exposed officers’ contact details, the justice minister told lawmakers.
The incident took place on September 26, 2024, and the police have reported the security breach to the Data Protection Authority.
Threat actors broke into a police system and gained access to work-related contact details of multiple officers. The attackers had access to names, emails, phone numbers, and some private information belonging to police officers.
“Last week it became known that a police account was hacked. Work-related contact details of police officers were stolen.” reads the data breach notice published by Dutch police. “Apart from the names of colleagues, it does not concern private data or research data. Specialists within the police are investigating the impact of the incident.”
The police state that internal cyber specialists are investigating the security breach and the investigation is still ongoing. The Dutch police announced that they have identified the attackers, however, they haven’t publicly attributed it to a specific actor.
“The police have been informed by the intelligence services that it is very likely a ‘state actor’, in other words: another country or perpetrators on behalf of another country.” reads the update on the data breach published by the Dutch police. “Based on the information from the intelligence services, the police immediately implemented strong security measures against this attack. In order not to make the perpetrators any wiser and not to harm further investigation, no more can be said at this time.”
Dutch intelligence agencies believe it is highly likely that a state actor was behind the recent police data breach. Justice Minister David van Weel assured lawmakers that police and national security partners are working to protect impacted officers and prevent further damage.
“Nine Kooiman, chair of the Netherlands Police Union, called the hack “a nightmare. It is now important to protect data, protect colleagues” and track down the perpetrators.” reported the Associated Press.
The North Korea-linked APT group Kimsuky has been linked to a cyberattack on Diehl Defence, a defense firm specializing in the production of advanced military systems.
Diehl Defence GmbH & Co. KG is a German weapon manufacturer headquartered in Überlingen. It operates as a division of Diehl Stiftung and specializes in the production of missiles and ammunition.
The German defense firm also produces Iris-T air-to-air missiles recently acquired by South Korea.
The Kimsuky APT group breached Diehl Defence through a sophisticated phishing campaign, reported the German newspaper Der Spiegel. The cyber attack was discovered by Google-owned cybersecurity firm Mandiant.
“Researchers from Mandiant, a Google subsidiary, uncovered and analyzed a cyberattack by the North Korean hacking group Kimsuky targeting Diehl Defence.” reported Der Spiegel. “The hackers used fake, lucrative job offers from U.S. arms suppliers to deceive Diehl employees. By clicking on a malicious PDF, victims would unknowingly download malware, allowing the hackers to spy on their systems.”
The attackers used fake job offers and specially crafted PDF files to target employees, luring them with offers of jobs at U.S. defense contractors. The experts believe that the attack is significant due to Diehl Defence’s role in manufacturing missiles, ammunition, and other advanced military systems.
The hackers concealed their attack server using the name “Uberlingen,” referencing Diehl Defence’s location in Überlingen, Germany. The server hosted realistic, German-language login pages mimicking Telekom and GMX, likely aiming to steal login credentials from German users.
A spokesperson for Germany’s Federal Office for Information Security (BSI) confirmed that Kimsuky (aka ) is conducting a broader cyber campaign targeting Germany. The BSI confirmed that other German organizations have also been targeted as part of this ongoing campaign.
The Kimsuky cyberespionage group (aka Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, ) was first documented by a Kaspersky researcher in 2013. The APT group mainly targets think tanks and organizations in South Korea; other victims were in the United States, Europe, and Russia.
In 2023 the state-sponsored group focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine.
In May 2024, Symantec researchers observed the North Korea-linked group using a new Linux backdoor dubbed Gomir. The malware is a version of the GoBear backdoor which was delivered in a recent campaign by Kimsuky via Trojanized software installation packages.
In December 2023, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against the North Korea-linked APT group .
China-linked threat actors have breached several U.S. internet service providers in recent months as part of a cyber espionage campaign code-named Salt Typhoon.
The state-sponsored hackers aimed at gathering intelligence from the targets or carrying out disruptive cyberattacks.
The Wall Street Journal reported that experts are investigating the security breaches to determine whether the attackers gained access to Cisco Systems routers, which are core components of ISP infrastructure.
A Cisco spokeswoman confirmed the investigation and said that “at this time, there is no indication that Cisco routers are involved” in the Salt Typhoon activity.
The cyber campaign is attributed to the China-linked APT group Salt Typhoon, which is also known as and .
“Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information, according to people familiar with the matter.” reported the Wall Street Journal.
“The hacking campaign, called Salt Typhoon by investigators, hasn’t previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success has had breaking into valuable computer networks in the U.S. and around the globe.”
China has long targeted global internet service providers and recent attacks are aligned with past operations linked to Beijing.
Intelligence and cybersecurity experts warn that Chinese nation-state actors have shifted from stealing secrets to infiltrating critical U.S. infrastructure, suggesting that they are now targeting the core of America’s digital networks.
The Salt Typhoon hacking campaign, linked to China, appears focused on intelligence gathering rather than crippling infrastructure, unlike the attacks carried out by another China-linked APT group called . Chris Krebs from SentinelOne suggested that the group behind Salt Typhoon may be affiliated with China’s Ministry of State Security, specifically the group, which specializes in intelligence collection. This group was publicly called out by the U.S. and its allies for hacking activities in July.
In July, Cisco fixed an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of 6.0), that the China-linked group Velvet Ant had actively exploited to install previously unknown malware as root on vulnerable switches.
Cybersecurity firm Sygnia observed the attacks in April 2024 and reported them to Cisco.
“Sygnia identified that CVE-2024-20399 was exploited in the wild by a China-nexus threat group as a ‘zero-day’ and shared the details of the vulnerability with Cisco. By exploiting this vulnerability, a threat group – dubbed ‘Velvet Ant’ – successfully executed commands on the underlying operating system of Cisco Nexus devices.” reads the report published by Sygnia. “This exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices.”
In August, Volexity researchers reported that a China-linked APT group, tracked as StormBamboo (aka , , and StormCloud), successfully compromised an undisclosed internet service provider (ISP) in order to poison DNS responses for target organizations.
The threat actors targeted insecure software update mechanisms to install malware on macOS and Windows victim machines.
In mid-2023, Volexity discovered multiple malware infections affecting macOS and Windows systems within victim organizations. The company linked the attacks to the StormBamboo APT group. Upon investigating the incidents, the researchers determined that a DNS poisoning attack at the ISP level caused the infection. The attackers altered DNS responses for domains related to software updates to deploy multiple malware families, including and (MGBot). The attacker’s methods resemble those of DriftingBamboo, suggesting a possible connection between the two threat actors.
Daggerfly has been active for at least a decade, and the group is known for the use of the custom MgBot malware framework. In 2023, Symantec identified a Daggerfly intrusion at an African telecom operator that used new MgBot plugins, highlighting the group’s ongoing evolution in cyber espionage tactics.
The Macma macOS backdoor was first detailed by Google in 2021 and has been used since at least 2019. At the time of discovery, threat actors employed the malware in watering hole attacks involving compromised websites in Hong Kong. The watering hole attacks used exploits for iOS and macOS devices. Attackers exploited the privilege escalation vulnerability to install Macma on macOS devices.
Macma is a modular backdoor that supports multiple functionalities, including device fingerprinting, executing commands, screen capture, keylogging, audio capture, uploading and downloading files.
Although Macma was widely used in cyber operations carried out by nation-state actors, it was not linked to a particular group.
“During one incident investigated by Volexity, it was discovered that StormBamboo poisoned DNS requests to deploy malware via an HTTP automatic update mechanism and poison responses for legitimate hostnames that were used as second-stage, command-and-control (C2) servers.” reads the published by Volexity. “The DNS records were poisoned to resolve to an attacker-controlled server in Hong Kong at IP address 103.96.130[.]107. Initially, Volexity suspected the initial victim organization’s firewall may have been compromised. However, further investigation revealed the DNS poisoning was not performed within the target infrastructure, but further upstream at the ISP level.”
Volexity promptly alerted the ISP, which then investigated key traffic-routing devices on their network. After rebooting and taking parts of the network offline, the DNS poisoning stopped. The researchers were not able to identify a specific compromised device, however, updating or deactivating various infrastructure components effectively ended the malicious activity.
“The logic behind the abuse of automatic updates is the same for all the applications: the legitimate application performs an HTTP request to retrieve a text-based file (the format varies) containing the latest application version and a link to the installer.” continues the report. “Since the attacker has control of the DNS responses for any given DNS name, they abuse this design, redirecting the HTTP request to a C2 server they control hosting a forged text file and a malicious installer. The AiTM workflow is shown below.”
StormBamboo targeted various software vendors with insecure update mechanisms, using complex methods to deploy malware. For example, they targeted 5KPlayer’s update process for the “youtube-dl” dependency to deliver a backdoored installer from their C2 servers. Once systems were compromised, the attackers installed a malicious Google Chrome extension called ReloadText to steal browser cookies and email data.
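The update-hijack design flaw quoted above, modelled in Go as an added example that is not Volexity’s code or any vendor’s: the insecure client trusts whatever the plain-HTTP manifest says, so the forged manifest served under poisoned DNS wins, while the hardened client verifies the manifest against a pinned Ed25519 publisher key and the installer against the signed hash. The manifest format, hostnames and installer bytes are constructed for the example and are not taken from any real product.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// FetchFunc stands in for "resolve the host, then GET the URL"; under ISP-level
// DNS poisoning every URL on the update host is answered by the attacker's C2.
type FetchFunc func(url string) ([]byte, error)
const manifestURL = "http://updates.example.test/latest.txt" // constructed host

// fetchManifest retrieves the key=value text manifest (version, url and, in the
// hardened format, sha256 and sig) plus the exact bytes a signature covers.
func fetchManifest(fetch FetchFunc) (map[string]string, []byte, error) {
	body, err := fetch(manifestURL)
	if err != nil {
		return nil, nil, err
	}
	fields, signed := map[string]string{}, []string{}
	for _, line := range strings.Split(strings.TrimSpace(string(body)), "\n") {
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			return nil, nil, fmt.Errorf("malformed manifest line %q", line)
		}
		fields[key] = val
		if key != "sig" { // the signature line is not part of what it signs
			signed = append(signed, line)
		}
	}
	return fields, []byte(strings.Join(signed, "\n")), nil
}

// InsecureUpdate is the flawed design in the report: the plain-HTTP manifest is
// trusted as-is, so a forged manifest steers the client to a malicious installer.
func InsecureUpdate(fetch FetchFunc) ([]byte, error) {
	m, _, err := fetchManifest(fetch)
	if err != nil {
		return nil, err
	}
	return fetch(m["url"])
}

// VerifiedUpdate accepts only manifests signed by the pinned Ed25519 publisher key
// and installers matching the signed sha256: a poisoned resolver can deny, not substitute.
func VerifiedUpdate(fetch FetchFunc, pub ed25519.PublicKey) ([]byte, error) {
	m, signed, err := fetchManifest(fetch)
	if err != nil {
		return nil, err
	}
	sig, err := hex.DecodeString(m["sig"])
	if err != nil || !ed25519.Verify(pub, signed, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	installer, err := fetch(m["url"])
	if err != nil {
		return nil, err
	}
	if fmt.Sprintf("%x", sha256.Sum256(installer)) != m["sha256"] {
		return nil, errors.New("installer hash does not match signed manifest")
	}
	return installer, nil
}

type Scenario struct {
	PubKey          ed25519.PublicKey
	Legit, Poisoned FetchFunc // honest and DNS-poisoned views of the same URLs
	Good, Evil      []byte    // vendor installer and attacker installer
}

func serve(files map[string][]byte) FetchFunc {
	return func(url string) ([]byte, error) {
		if b, ok := files[url]; ok {
			return b, nil
		}
		return nil, fmt.Errorf("404 %s", url)
	}
}

// NewScenario builds constructed data: the vendor signs its manifest; the attacker, holding
// no key, forges one whose sha256 matches their installer but whose signature cannot verify.
func NewScenario() (*Scenario, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	const installerURL = "http://updates.example.test/app-5.2.0.exe"
	good, evil := []byte("constructed vendor installer"), []byte("constructed backdoored installer")
	genuine := fmt.Sprintf("version=5.2.0\nurl=%s\nsha256=%x", installerURL, sha256.Sum256(good))
	genuine += "\nsig=" + hex.EncodeToString(ed25519.Sign(priv, []byte(genuine)))
	forged := fmt.Sprintf("version=5.2.1\nurl=%s\nsha256=%x\nsig=%s", installerURL, sha256.Sum256(evil), strings.Repeat("00", ed25519.SignatureSize))
	legit := serve(map[string][]byte{manifestURL: []byte(genuine), installerURL: good})
	poisoned := serve(map[string][]byte{manifestURL: []byte(forged), installerURL: evil})
	return &Scenario{pub, legit, poisoned, good, evil}, nil
}
```

The forged manifest deliberately carries the correct hash of the attacker's installer, so a hash-only check would still pass; only the signature over the manifest, verified against a key pinned in the client, stops the substitution.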
In June 2019, researchers at Cybereason uncovered an ongoing, long-running espionage campaign, tracked as Operation Soft Cell, that targets telco providers. The tactics, techniques, and procedures, together with the type of targets, suggest the involvement of a nation-state actor likely linked to the Chinese APT10 group.
Once they have compromised the networks of telecommunication companies, attackers can access mobile phone users’ call data records.
“Based on the data available to us, Operation Soft Cell has been active since at least 2012, though some evidence suggests even earlier activity by the threat actor against telecommunications providers. The attack was aiming to obtain CDR records of a large telecommunications provider.” reads the published by Cybereason.
“The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.”
According to Amit Serper, head of security research at Cybereason, attackers exfiltrated gigabytes of data from the target networks, but always in relatively smaller amounts to remain under the radar.
In mid-September, Lumen’s Black Lotus Labs uncovered a new botnet, named Raptor Train, composed of small office/home office (SOHO) and IoT devices. The experts believe the botnet is controlled by a China-linked APT group (also called or RedJuliett).
The botnet has been active since at least May 2020, reaching its peak with 60,000 compromised devices in June 2023.
Since May 2020, over 200,000 devices, including SOHO routers, NVR/DVR devices, NAS servers, and IP cameras, have been compromised and added to the Raptor Train botnet, making it one of the largest China-linked IoT botnets discovered. A command and control (C2) domain from a recent campaign even appeared on the Cloudflare Radar and Cisco Umbrella “top 1 million” lists, indicating widespread device exploitation. Researchers estimate that hundreds of thousands of devices have likely been compromised since the botnet’s creation.
China has consistently denied accusations from Western governments and tech firms about its involvement in cyberattacks. Liu Pengyu, a spokesman for the Chinese Embassy in Washington, recently accused U.S. spy agencies and cybersecurity firms of fabricating evidence to blame China. Despite these denials, China-linked APT groups have a history of targeting global telecommunications infrastructure.
Unit 42 researchers uncovered an ongoing campaign distributing the Linux and macOS malware PondRAT through poisoned Python packages. The campaign is attributed to the North Korea-linked threat actor Gleaming Pisces (also known as ), which previously distributed the macOS remote administration tool POOLRAT (aka ). PondRAT appears to be a lighter variant of POOLRAT. The attackers uploaded malicious packages to the Python repository PyPI, attempting to compromise developers’ systems and, in turn, the supply chain vendors and their customers.
The North Korea-linked APT Gleaming Pisces has been active since at least 2018 and is known for sophisticated attacks against the cryptocurrency industry.
Researchers discovered that the PondRAT malware shares significant similarities with macOS malware used in a previous campaign attributed to the Gleaming Pisces APT group. These similarities include overlapping code structures, identical function names, encryption keys, and similar execution flows. The attribution of this campaign to the same threat actor is based on the fact that PondRAT is closely related to the POOLRAT macOS remote access tool.
The researchers identified the following malware-laced packages in the PyPI repository, which have since been removed:
The infection chain relies on several poisoned Python packages to decode and execute encoded code. Once the Python package is installed and loaded, malicious code runs several bash commands to download the RAT, modify its permissions, and execute it.
The analysis of POOLRAT revealed that the Linux and macOS versions use an identical function structure for loading their configurations, including similar method names and functionality. Experts speculate that the Linux versions borrow code from the macOS malware.
Analysis of PondRAT samples revealed that its command handler shares similarities with POOLRAT. PondRAT supports basic commands to upload and download files, check if the implant is active, pause operations (“sleep”), and execute commands, with the option to retrieve output. PondRAT’s functionality is similar to but more limited than POOLRAT’s, which is why researchers consider PondRAT a lighter version of POOLRAT.
“The evidence of additional Linux variants of POOLRAT showed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms.” concludes the report.
“The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Such attacks pose a great risk because they can easily remain under the radar and pose detection challenges. Successful installation of malicious third-party packages can result in malware infection that compromises an entire network.”
Trend Micro researchers reported that the China-linked APT group Earth Baxia has targeted a government organization in Taiwan and potentially other countries in the Asia-Pacific (APAC) region.
The threat actor used spear-phishing emails and exploited the recently patched GeoServer vulnerability.
GeoServer is an open-source server that allows users to share and edit geospatial data.
The vulnerability (CVSS score of 9.8) is a Remote Code Execution (RCE) issue caused by unsafe evaluation of property names as XPath expressions.
GeoServer versions before 2.23.6, 2.24.4, and 2.25.2 are vulnerable to this issue. Threat actors exploited the flaw to download or copy malicious components.
In July, the researchers detected suspicious activity targeting a government organization in Taiwan and other entities in APAC countries. Attackers deployed customized Cobalt Strike components on compromised systems and installed a new backdoor called EAGLEDOOR, which supports multiple protocols.
Earth Baxia primarily targeted government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand.
Upon investigation, the experts discovered that multiple servers were hosted on the Alibaba cloud service or located in Hong Kong. Some samples employed in the campaign were uploaded to VirusTotal from China.
“After checking one of the Cobalt Strike watermarks (666666) used by the threat actors on Shodan, we also found that only a few machines were linked to this watermark, most of which were in China (Table 1). Therefore, we suspect that the APT group behind these campaigns originates from China.”
The APT group relies on GrimResource and AppDomainManager injection to deploy additional payloads while lowering the victim’s guard and avoiding detection.
The phishing emails in this campaign have carefully tailored subject lines, with a ZIP file attachment containing a decoy MSC file named RIPCOY. Upon opening this file, an obfuscated VBScript downloads multiple files from a public cloud service like AWS, including a decoy PDF, .NET applications, and a configuration file. The .NET applications use AppDomainManager injection, which allows arbitrary code execution within a target application by injecting a custom application domain. This enables the execution of .NET applications to load managed DLLs, either locally or remotely, without invoking Windows API calls.
The EAGLEDOOR backdoor can communicate with C2 via DNS, HTTP, TCP, and Telegram. While TCP, HTTP, and DNS are used to send the victim machine’s status, the main backdoor functionality is handled through the Telegram Bot API. The malicious code supports methods like getFile, getUpdates, sendDocument, and sendMessage to gather information, transfer files, and execute payloads. However, in the collected samples, only TCP and HTTP protocols were observed on the victim’s side. Earth Baxia exfiltrates data in archives that are transferred using curl.exe.
“Earth Baxia, likely based in China, conducted a sophisticated campaign targeting government and energy sectors in multiple APAC countries.” concludes the report. “They used advanced techniques like GeoServer exploitation, spear-phishing, and customized malware (Cobalt Strike and EAGLEDOOR) to infiltrate and exfiltrate data. The use of public cloud services for hosting malicious files and the multi-protocol support of EAGLEDOOR highlight the complexity and adaptability of their operations.”
Mandiant researchers warn that an Iran-linked APT group, tracked as UNC1860, is operating as an initial access facilitator that provides remote access to target networks in the Middle East.
UNC1860 is linked to Iran’s Ministry of Intelligence and Security (MOIS); the APT specializes in using customized tools and passive backdoors to gain persistent access to high-profile networks. Targets include organizations in the government and telecommunications sectors across the Middle East. UNC1860 shares similar tactics with other Iran-linked threat groups, such as and Storm-0861, which have facilitated destructive operations in Israel and Albania. The experts observed the use of the malware BABYWIPER in Israel in 2022 and the malware in Albania in 2022.
Although Mandiant cannot confirm UNC1860’s involvement in these attacks, the experts observed the use of the group’s custom malware, suggesting a role in providing initial access for such operations. The group is known for maintaining long-term access to victim networks.
“Mandiant identified two custom, GUI-operated malware controllers tracked as TEMPLEPLAY and VIROGREEN that we assess were used to provide a team outside of UNC1860 remote access to victim networks.” Mandiant . “This tooling, coupled with and evidence suggesting that the group collaborates with MOIS-affiliated groups such as APT34, strengthens the assessment that UNC1860 acts as an initial access agent.”
Mandiant noticed that organizations compromised by the Iran-linked group in 2019 and 2020 had also been previously breached by UNC1860, suggesting UNC1860 may support Iranian state-sponsored hackers in performing lateral movement. Additionally, both APT34-related clusters and UNC1860 have recently shifted their focus toward targets based in Iraq.
The UNC1860 APT uses web shells and droppers like STAYSHANTE and SASHEYAWAY to gain initial access to compromised systems. These tools allow attackers to perform hand-off operations. In March 2024, the Israeli National Cyber Directorate identified wiper activity targeting various sectors in Israel, with indicators including STAYSHANTE and SASHEYAWAY, both linked to UNC1860. STAYSHANTE is disguised as Windows server files and is controlled by the VIROGREEN framework. SASHEYAWAY enables the execution of passive backdoors like TEMPLEDOOR, FACEFACE, and SPARKLOAD. SASHEYAWAY has a low detection rate.
“UNC1860 GUI-operated malware controllers TEMPLEPLAY and VIROGREEN could provide third-party actors who have no previous knowledge of the target environment the ability to remotely access infected networks via RDP and to control previously installed malware on victim networks with ease.” continues the report. “These controllers additionally could provide third-party operators an interface that walks operators through how to deploy custom payloads and perform other operations such as conducting internal scanning and exploitation within the target network.”
TEMPLEPLAY is a .NET-based controller for TEMPLEDOOR; it supports backdoor functionality, file transfers, and proxy connections to target servers. UNC1860’s arsenal includes a wide range of passive tools and backdoors supporting initial access, lateral movement, and data gathering.
The implants used by the APT group demonstrate a deep knowledge of the Windows OS, reverse engineering of kernel components, and detection evasion techniques. Their passive implants, such as TOFUDRV and TOFULOAD, do not initiate outbound traffic, instead relying on inbound commands from volatile sources, making detection harder. These implants use HTTPS-encrypted traffic and undocumented Input/Output Control commands to evade network monitoring and endpoint detection. Tools like TEMPLEDROP repurpose Iranian antivirus drivers to protect files, while TEMPLELOCK, a .NET-based utility, terminates and restarts the Windows Event Log service to evade detection.
“These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations.” concludes the report. “As tensions continue to ebb and flow in the Middle East, we believe this actor’s adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift.”
Cybersecurity researchers from Lumen’s Black Lotus Labs discovered a new botnet, named Raptor Train, composed of small office/home office (SOHO) and IoT devices. The experts believe the botnet is controlled by a China-linked APT group (also called or RedJuliett).
The botnet has been active since at least May 2020, reaching its peak with 60,000 compromised devices in June 2023.
Since May 2020, over 200,000 devices, including SOHO routers, NVR/DVR devices, NAS servers, and IP cameras, have been compromised and added to the Raptor Train botnet, making it one of the largest China-linked IoT botnets discovered. A command and control (C2) domain from a recent campaign even appeared on the Cloudflare Radar and Cisco Umbrella “top 1 million” lists, indicating widespread device exploitation. Researchers estimate that hundreds of thousands of devices have likely been compromised since the botnet’s creation.
“The botnet operators manage this large and varied network through a series of distributed payload and C2 servers, a centralized Node.js backend, and a cross-platform application front-end that the actors have dubbed “Sparrow.” This is a robust, enterprise-grade control system used to manage upwards of 60 C2 servers and their infected nodes at any given time.” reads the report published by Lumen. “This service enables an entire suite of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads, remote command execution, and the ability to tailor IoT-based distributed denial of service (DDoS) attacks at-scale.”
The Raptor Train botnet operates as a multi-tiered, evolving network with at least three levels of activity observed over four years. The three-tiered architecture consists of the following levels:
Tier 1: the largest level, composed of compromised devices with a short lifecycle, averaging 17 days.
Tier 2: command and control (C2) servers, distributed globally, that manage the control and exploitation capabilities of the bots and route tasks from Tier 3 down to the Tier 1 bots.
Tier 3: “Sparrow” nodes that initiate bot tasks, primarily based in Hong Kong and China.
Tiers 2 and 3 run on Virtual Private Servers (VPSs) lasting around 77 days.
Below are some of the devices included in the botnet:
Modems/Routers
IP Cameras
NVR/DVR
NAS
The attribution of the Raptor Train botnet to the Chinese nation-state actor is based on multiple factors, including the operational timelines, targeting of sectors aligned with Chinese interests, use of the Chinese language, and other tactics, techniques, and procedures (TTPs) that overlap with known Chinese cyber activities.
“This botnet has targeted entities in the U.S. and Taiwan across various sectors, including military, government, higher education, telecommunications, defense industrial base, and IT.” concludes the report. “The investigation has yielded insights into the botnet’s network architecture, exploitation campaigns, malware components, and operational use, illuminating the evolving tactics and techniques employed by the threat actors. A major concern of the Raptor Train botnet is the DDoS capability that we have not yet observed actively deployed, but we suspect is being maintained for future use.”
Trend Micro spotted an allegedly China-linked threat actor, tracked as TIDRONE, targeting drone manufacturers in Taiwan. The group, which was previously undocumented, uses enterprise resource planning (ERP) software and remote desktops to deploy advanced malware, including CXCLNT and CLNTEND. CXCLNT allows for file upload/download, erasing traces, gathering victim information, and downloading executable files. Since April, the group has used CLNTEND, a previously undetected remote access tool (RAT), which supports a wider range of network protocols for communication, further enhancing their capabilities.
Both CXCLNT and CLNTEND backdoors are launched by sideloading a malicious DLL through the Microsoft Word application.
Trend Micro observed that the threat actors have continuously updated their tools and refined their attack chain. They now use anti-analysis techniques in their loaders, including verifying the entry point address from the parent process and hooking common APIs like GetProcAddress to manipulate the execution flow, making detection and analysis more difficult.
The researchers analyzed CXCLNT/CLNTEND artifacts and their associated components, including the launcher and a legitimate executable used for side-loading. The components were downloaded via UltraVNC. The researchers noticed the presence of the same ERP system in the compromised environments of different victims, suggesting that the malware may have been distributed through a supply chain attack.
After executing winsrv.exe, the malware copies the token from Winlogon.exe to escalate privileges and carry out malicious actions. The attackers replace the original Update.exe in a specified directory with one supplied by the threat actors.
The researchers observed UAC Bypass, credential dumping, and the use of commands to disable antivirus software in the post-exploitation phase.
“We investigated TIDRONE, a threat actor linked to Chinese-speaking groups. The attacks were detected in Taiwan and mostly targeted military-related industries, specifically the manufacturer of drones. The activities involve advanced malware variants such as CXCLNT and CLNTEND which were spread through ERP software or remote desktops.” concludes the report. “We examined the technical details of these malicious activities to keep users informed about these types of threats.”