Security Affairs, Intelligence category feed: https://securityaffairs.com/category/intelligence (Read, think, share … Security is everyone's responsibility). Last build: Sun, 06 Oct 2024 21:04:02 +0000, en-US.

Article: https://securityaffairs.com/169460/apt/salt-typhoon-hacked-us-broadband-providers.html (Sun, 06 Oct 2024 21:04:00 +0000)

China-linked APT group Salt Typhoon breached U.S. broadband providers, potentially accessing systems for lawful wiretapping and other data.

China-linked APT group (also known as  and ) breached U.S. broadband providers, including Verizon, AT&T, and Lumen Technologies, potentially accessing systems for lawful wiretapping and other data.

According to the Wall Street Journal, which reported the news exclusively, the security breach poses a major national security risk. The WSJ states that the compromise remained undisclosed because of its possible impact on national security. Experts believe the threat actors aim to gather intelligence.

“A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests.” reported the WSJ.

“For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk.”

The group targeted surveillance systems used by the US government to investigate crimes and threats to national security, including activities carried out by nation-state actors.

The investigation into the breaches of the U.S. broadband providers is still ongoing, and government experts are assessing its scope.

Experts suspect the state-sponsored hackers have gathered extensive internet traffic and potentially compromised sensitive data.

This attack is the latest incident linked to China’s expansive espionage strategies.

U.S. officials are increasingly concerned about Chinese cyber efforts to infiltrate critical infrastructure. Intelligence experts believe that security breaches like this could enable disruptive attacks during potential future conflicts.

The Salt Typhoon campaign is part of this broader strategy. Experts are still investigating the origins of the attack and whether threat actors compromised Cisco routers.

This week the Wall Street Journal first reported that experts are investigating the security breaches to determine whether the attackers gained access to Cisco Systems routers, which are core network components of ISP infrastructure.

A Cisco spokeswoman confirmed the investigation and said that “at this time, there is no indication that Cisco routers are involved” in the Salt Typhoon activity.

“Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information, according to people familiar with the matter.” reported the Wall Street Journal.

“The hacking campaign, called Salt Typhoon by investigators, hasn’t previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success  has had breaking into valuable computer networks in the U.S. and around the globe.”

China has long targeted global internet service providers and recent attacks are aligned with past operations linked to Beijing.

Intelligence and cybersecurity experts warn that Chinese nation-state actors have shifted from stealing secrets to infiltrating critical U.S. infrastructure, suggesting that they are now targeting the core of America’s digital networks.

The Salt Typhoon hacking campaign, linked to China, appears focused on intelligence gathering rather than crippling infrastructure, unlike the attacks carried out by another China-linked APT group called . Chris Krebs from SentinelOne suggested that the group behind Salt Typhoon may be affiliated with China’s Ministry of State Security, specifically the  group, which specializes in intelligence collection. This group was publicly called out by the U.S. and its allies for hacking activities in July.

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – hacking, Salt Typhoon)

Article: https://securityaffairs.com/169338/apt/microsoft-and-doj-seized-100-domains-used-by-russia-callisto-group.html (Fri, 04 Oct 2024 07:04:14 +0000)

Microsoft and the U.S. DoJ seized over 100 domains used by the Russia-linked Callisto Group for launching attacks on U.S. government and nonprofits.

The Justice Department revealed the unsealing of a warrant to seize 41 domains used by Russia-linked (formerly , also known as ) for computer fraud in the United States.

The US DoJ coordinated its operation with Microsoft; the IT giant took civil action to restrain 66 additional domains.

“Microsoft’s Digital Crimes Unit (DCU) is disrupting the technical infrastructure used by a persistent Russian nation-state actor Microsoft Threat Intelligence tracks as . Today, the United States District Court for the District of Columbia unsealed a civil action brought by Microsoft’s DCU, including its order authorizing Microsoft to seize 66 unique domains used by Star Blizzard in cyberattacks targeting Microsoft customers globally, including throughout the United States.” reads the announcement published by Microsoft. “Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society organizations – journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive – by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities.”

A reveals that the APT group targeted a wide range of U.S. entities, including companies and current or former employees of the U.S. Intelligence Community, Department of Defense, Department of State, Department of Energy, and military defense contractors.

“Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action – using all tools to disrupt and deter malicious, state-sponsored cyber actors.” “The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials. With the continued support of our private sector partners, we will be relentless in exposing Russian actors and cybercriminals and depriving them of the tools of their illicit trade.”

In December 2023, the UK National Cyber Security Centre (NCSC) and Microsoft warned that the Russia-linked APT group was targeting organizations worldwide. The nation-state actor is carrying out spear-phishing attacks for cyberespionage purposes.

The Callisto APT group (aka “”, “Star Blizzard”, “ColdRiver”, “TA446”) has targeted government officials, military personnel, journalists and think tanks since at least 2015.

In the past, the group’s activity involved persistent phishing and credential theft campaigns leading to intrusions and data theft. The APT primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.

In December 2023, the Reddit security team linked the leak of US-UK trade documents through its platform to a coordinated information campaign linked to Russia.

“We were recently made aware of a  that included leaked documents from the UK,” the statement said. “We investigated this account and the accounts connected to it, and today we believe this was part of a campaign that has been reported as originating from Russia.”

“Earlier this year Facebook discovered a  on its platform, which was further analyzed by the Atlantic Council and dubbed ‘,’” Reddit’s announcement said. “Suspect accounts on Reddit were recently reported to us, along with indicators from law enforcement, and we were able to confirm that they did indeed show a pattern of coordination.”

According to a press release published by the UK government, the UK and its allies observed a series of attempts by the Russian Intelligence Services to target high-profile individuals and entities through cyber operations. The nation-state actor aimed at obtaining information to interfere in UK politics and democratic processes.

The UK Government linked the activity to Centre 18, a unit within Russia’s Intelligence Services FSB tracked as Star Blizzard.

“While some attacks resulted in documents being leaked, attempts to interfere with UK politics and democracy have not been successful.” reads the press release. “The group has also selectively leaked and amplified the release of information in line with Russian confrontation goals, including to undermine trust in politics in the UK and likeminded states.”

The UK believes that the FSB coordinated at least the following activities:

  • Cyber attacks against parliamentarians from multiple political parties since at least 2015.
  • The theft of UK-US trade documents leaked before the 2019 General Election. The leak was previously attributed to the Russian state via a Written Ministerial Statement in 2020.
  • The 2018 hack of the Institute for Statecraft, a UK think tank engaged in initiatives to safeguard democracy against disinformation. The state-sponsored hackers gained access to the account of its founder Christopher Donnelly from December 2021.
  • Attacks against universities, journalists, the public sector, non-governmental organizations, and other civil society organizations, many of which play a crucial role in UK democracy.

The National Crime Agency investigation identifies two members of Star Blizzard and the UK and US governments sanctioned them. The two individuals are:

  • Ruslan Aleksandrovich PERETYATKO, who is a Russian FSB intelligence officer and a member of Star Blizzard AKA the Callisto Group
  • Andrey Stanislavovich KORINETS, AKA Alexey DOGUZHIEV, who is a member of Star Blizzard AKA the Callisto Group

Back to the present: Microsoft admitted that disrupting the domains will not completely stop the group’s spear-phishing activities.

“While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern,” the company said.

“Together, we have seized more than 100 websites. Rebuilding infrastructure takes time, absorbs resources, and costs money. By collaborating with DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard.” concludes Microsoft. “While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern. It will also enable us to quickly disrupt any new infrastructure we identify through an existing court proceeding. Furthermore, through this civil action and discovery, Microsoft’s DCU and Microsoft Threat Intelligence will gather additional valuable intelligence about this actor and the scope of its activities, which we can use to improve the security of our products, share with cross-sector partners to aid them in their own investigations and identify and assist victims with remediation efforts.”


(SecurityAffairs – hacking, Callisto Group)

Article: https://securityaffairs.com/169328/hacking/dutch-police-breached-by-state-actor.html (Thu, 03 Oct 2024 21:27:34 +0000)

The Dutch government blames a “state actor” for hacking a police system, exposing the contact details of all police officers, according to the justice minister.

The Dutch police blame a state actor for the recent data breach that exposed officers’ contact details, the justice minister told lawmakers.

The incident took place on September 26, 2024, and the police have reported the security breach to the Data Protection Authority.

Threat actors broke into a police system and gained access to work-related contact details of multiple officers. The attackers had access to names, emails, phone numbers, and some private information belonging to police officers.

“Last week it became known that a police account was hacked. Work-related contact details of police officers were stolen.” reads the data breach notice published by Dutch police. “Apart from the names of colleagues, it does not concern private data or research data. Specialists within the police are investigating the impact of the incident.”

The police state that internal cyber specialists are investigating the security breach and the investigation is still ongoing. The Dutch police announced that they have identified the attackers, however, they haven’t publicly attributed it to a specific actor.

“The police have been informed by the intelligence services that it is very likely a ‘state actor’, in other words: another country or perpetrators on behalf of another country.” reads the update on the data breach published by the Dutch police. “Based on the information from the intelligence services, the police immediately implemented strong security measures against this attack. In order not to make the perpetrators any wiser and not to harm further investigation, no more can be said at this time.”

Dutch intelligence agencies believe it is highly likely that a state actor was behind the recent police data breach. Justice Minister David van Weel assured lawmakers that police and national security partners are working to protect impacted officers and prevent further damage.

“Nine Kooiman, chair of the Netherlands Police Union, called the hack ‘a nightmare. It is now important to protect data, protect colleagues’ and track down the perpetrators.” reported the Associated Press.


(SecurityAffairs – hacking, Dutch police)

Article: https://securityaffairs.com/169162/apt/kimsuky-apt-hit-diehl-defence.html (Tue, 01 Oct 2024 07:04:02 +0000)

North Korea-linked APT Kimsuky has been linked to a cyberattack on Diehl Defence, a German manufacturer of advanced military systems.

North Korea-linked APT group has been linked to a cyberattack on Diehl Defence, a defense firm specializing in the production of advanced military systems.

Diehl Defence GmbH & Co. KG is a German weapon manufacturer headquartered in Überlingen. It operates as a division of Diehl Stiftung and specializes in the production of missiles and ammunition.

The German defense firm also produces Iris-T air-to-air missiles recently acquired by South Korea.

The Kimsuky APT group breached Diehl Defence through a sophisticated phishing campaign, reported the German newspaper Der Spiegel. The cyber attack was discovered by Google-owned cybersecurity firm Mandiant.

“Researchers from Mandiant, a Google subsidiary, uncovered and analyzed a cyberattack by the North Korean hacking group Kimsuky targeting Diehl Defence.” reported Der Spiegel. “The hackers used fake, lucrative job offers from U.S. arms suppliers to deceive Diehl employees. By clicking on a malicious PDF, victims would unknowingly download malware, allowing the hackers to spy on their systems.”

The attackers used fake job offers and specially crafted PDF files to target employees, luring them with offers of jobs at U.S. defense contractors. The experts believe that the attack is significant because of Diehl Defence’s role in the manufacturing of missiles, ammunition, and other advanced military systems.

The hackers concealed their attack server using the name “Uberlingen,” referencing Diehl Defence’s location in Überlingen, Germany. The server hosted realistic, German-language login pages mimicking Telekom and GMX, likely aiming to steal login credentials from German users.

A spokesperson for Germany’s Federal Office for Information Security (BSI) confirmed that Kimsuky (aka ) is conducting a broader cyber campaign targeting Germany. The BSI confirmed that other German organizations have also been targeted as part of this ongoing campaign.

The Kimsuky cyberespionage group (aka Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, ) was first spotted by Kaspersky researchers in 2013. The APT group mainly targets think tanks and organizations in South Korea, while other victims were located in the United States, Europe, and Russia.

In 2023 the state-sponsored group focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine.

In May 2024, Symantec researchers observed the North Korea-linked group  using a new Linux backdoor dubbed Gomir. The malware is a version of the GoBear backdoor which was delivered in a recent campaign by Kimsuky via Trojanized software installation packages.

In December 2023, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against the North Korea-linked APT group .


(SecurityAffairs – hacking, Kimsuky)

Article: https://securityaffairs.com/168941/apt/salt-typhoon-china-linked-threat-actors-breached-us-isp.html (Thu, 26 Sep 2024 14:04:10 +0000)

China-linked threat actors compromised some U.S. internet service providers (ISPs) as part of a cyber espionage campaign code-named Salt Typhoon.

China-linked threat actors have breached several U.S. internet service providers in recent months as part of a cyber espionage campaign code-named Salt Typhoon.

The state-sponsored hackers aimed at gathering intelligence from the targets or carrying out disruptive cyberattacks.

The Wall Street Journal reported that experts are investigating the security breaches to determine whether the attackers gained access to Cisco Systems routers, which are core network components of ISP infrastructure.

A Cisco spokeswoman confirmed the investigation and said that “at this time, there is no indication that Cisco routers are involved” in the Salt Typhoon activity.

The cyber campaign is attributed to the China-linked APT group Salt Typhoon, which is also known as  and .

“Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information, according to people familiar with the matter.” reported the Wall Street Journal.

“The hacking campaign, called Salt Typhoon by investigators, hasn’t previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success  has had breaking into valuable computer networks in the U.S. and around the globe.”

China has long targeted global internet service providers and recent attacks are aligned with past operations linked to Beijing.

Intelligence and cybersecurity experts warn that Chinese nation-state actors have shifted from stealing secrets to infiltrating critical U.S. infrastructure, suggesting that they are now targeting the core of America’s digital networks.

The Salt Typhoon hacking campaign, linked to China, appears focused on intelligence gathering rather than crippling infrastructure, unlike the attacks carried out by another China-linked APT group called . Chris Krebs from SentinelOne suggested that the group behind Salt Typhoon may be affiliated with China’s Ministry of State Security, specifically the group, which specializes in intelligence collection. This group was publicly called out by the U.S. and its allies for hacking activities in July.

In July, Cisco fixed an actively exploited NX-OS zero-day that was exploited to install previously unknown malware as root on vulnerable switches.

Cisco addressed an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of 6.0), that the China-linked group  exploited to deploy previously unknown malware as root on vulnerable switches.

Cybersecurity firm Sygnia observed the attacks in April 2024 and reported them to Cisco.

“Sygnia identified that CVE-2024-20399 was exploited in the wild by a China-nexus threat group as a ‘zero-day’ and shared the details of the vulnerability with Cisco. By exploiting this vulnerability, a threat group – dubbed ‘Velvet Ant’ – successfully executed commands on the underlying operating system of Cisco Nexus devices.” reads the report published by Sygnia. “This exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices.“

In August, Volexity researchers reported that a China-linked APT group, tracked as StormBamboo (aka , , and StormCloud), successfully compromised an undisclosed internet service provider (ISP) in order to poison DNS responses for target organizations.

The threat actors targeted insecure software update mechanisms to install malware on macOS and Windows victim machines.

In mid-2023, Volexity discovered multiple malware infections affecting macOS and Windows systems within victim organizations. The company linked the attacks to StormBamboo APT group. Upon investigating the incidents, the researchers determined that a DNS poisoning attack at the ISP level caused the infection. The attackers altered DNS responses for domains related to software updates to deploy multiple malware families, including  and  (MGBot). The attacker’s methods resemble those of DriftingBamboo, suggesting a possible connection between the two threat actors.

Daggerfly has been active for at least a decade, the group is known for the use of the custom MgBot malware framework. In 2023, Symantec identified a Daggerfly intrusion at an African telecom operator, using new MgBot plugins. This highlights the group’s ongoing evolution in cyber espionage tactics.

The Macma macOS backdoor was first detailed by Google in 2021 and has been used since at least 2019. At the time of discovery, threat actors employed the malware in watering hole attacks involving compromised websites in Hong Kong. The watering hole attacks used exploits for iOS and macOS devices. Attackers exploited the privilege escalation vulnerability  to install Macma on macOS devices.

Macma is a modular backdoor that supports multiple functionalities, including device fingerprinting, executing commands, screen capture, keylogging, audio capture, uploading and downloading files.

Although Macma was widely used in cyber operations carried out by nation-state actors, it was not linked to a particular group.

“During one incident investigated by Volexity, it was discovered that StormBamboo poisoned DNS requests to deploy malware via an HTTP automatic update mechanism and poison responses for legitimate hostnames that were used as second-stage, command-and-control (C2) servers.” reads the report published by Volexity. “The DNS records were poisoned to resolve to an attacker-controlled server in Hong Kong at IP address 103.96.130[.]107. Initially, Volexity suspected the initial victim organization’s firewall may have been compromised. However, further investigation revealed the DNS poisoning was not performed within the target infrastructure, but further upstream at the ISP level.”

Volexity promptly alerted the ISP, which then investigated key traffic-routing devices on their network. After rebooting and taking parts of the network offline, the DNS poisoning stopped. The researchers were not able to identify a specific compromised device, however, updating or deactivating various infrastructure components effectively ended the malicious activity.

“The logic behind the abuse of automatic updates is the same for all the applications: the legitimate application performs an HTTP request to retrieve a text-based file (the format varies) containing the latest application version and a link to the installer.” continues the report. “Since the attacker has control of the DNS responses for any given DNS name, they abuse this design, redirecting the HTTP request to a C2 server they control hosting a forged text file and a malicious installer. The AiTM workflow is shown below.”

StormBamboo targeted various software vendors with insecure update mechanisms, using complex methods to deploy malware. For example, they targeted 5KPlayer’s update process for the “youtube-dl” dependency to deliver a backdoored installer from their C2 servers. Once systems were compromised, the attackers installed a malicious Google Chrome extension called ReloadText to steal browser cookies and email data.
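Poisoning at the ISP level, as described above, has a tell-tale shape in DNS telemetry: several unrelated update hostnames suddenly resolve to the same new address. The following Python detector is an added example, not code from the article or from Volexity; it reads constructed passive-DNS style log lines and flags both an update hostname resolving outside its known-good range and several monitored hostnames collapsing onto one off-baseline address. The hostnames, baseline ranges and log format are assumptions made for the example; the sink address is the one quoted from the Volexity report.

```python
"""Detect ISP-level DNS poisoning of software-update hostnames.

Added example (not code from the article or from Volexity). It reads
constructed passive-DNS style log lines and flags two signals:
  1. a monitored update hostname resolving outside its known-good range;
  2. several monitored hostnames resolving to the same off-baseline
     address, the fingerprint of poisoning upstream at a resolver rather
     than a single hijacked domain.
Hostnames, baseline ranges and the log format are assumptions made for
this example; 103.96.130.107 is the sink address quoted in the report.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Known-good ranges per update hostname, as an operator would maintain them
# (constructed; the hostnames are hypothetical and use RFC 5737 ranges).
BASELINE: dict[str, list[str]] = {
    "update.example-player.test": ["203.0.113.0/24"],
    "dl.example-tools.test": ["198.51.100.0/24"],
    "updates.example-mail.test": ["192.0.2.0/24"],
}

# Constructed log lines: "<timestamp> <client> <qname> <rtype> <rdata>".
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 10.0.0.5 update.example-player.test A 203.0.113.10
2024-05-01T08:00:07Z 10.0.0.8 dl.example-tools.test A 198.51.100.22
2024-05-01T09:12:44Z 10.0.0.5 update.example-player.test A 103.96.130.107
2024-05-01T09:12:51Z 10.0.0.9 dl.example-tools.test A 103.96.130.107
2024-05-01T09:13:02Z 10.0.0.3 updates.example-mail.test A 103.96.130.107
2024-05-01T09:13:30Z 10.0.0.3 updates.example-mail.test A 103.96.130.107
2024-05-01T09:14:10Z 10.0.0.4 www.example-news.test A 203.0.113.77
not a log line
"""


@dataclass(frozen=True)
class Record:
    ts: str
    client: str
    qname: str
    rtype: str
    rdata: str


@dataclass(frozen=True)
class Finding:
    kind: str               # "off_baseline" or "shared_sink"
    ip: str
    qnames: tuple[str, ...]


def parse_line(line: str) -> Record | None:
    """Parse one log line; return None for malformed lines or non-IP rdata."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, rtype, rdata = parts
    try:
        ipaddress.ip_address(rdata)
    except ValueError:
        return None  # CNAME/TXT answers are not address records
    return Record(ts, client, qname.lower().rstrip("."), rtype.upper(), rdata)


def in_baseline(qname: str, ip: str, baseline: dict[str, list[str]]) -> bool:
    """True when ip falls inside one of the hostname's known-good ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in baseline.get(qname, []))


def detect(log_text: str, baseline: dict[str, list[str]] = BASELINE,
           min_collisions: int = 2) -> list[Finding]:
    """Return off-baseline findings plus one shared_sink finding per address
    that captured at least min_collisions distinct monitored hostnames."""
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()        # de-duplicate (qname, ip) pairs
    sinks: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.rtype not in ("A", "AAAA"):
            continue
        if rec.qname not in baseline or in_baseline(rec.qname, rec.rdata, baseline):
            continue                           # unmonitored or expected answer
        if (rec.qname, rec.rdata) not in seen:
            seen.add((rec.qname, rec.rdata))
            findings.append(Finding("off_baseline", rec.rdata, (rec.qname,)))
        sinks[rec.rdata].add(rec.qname)
    for ip, names in sinks.items():
        if len(names) >= min_collisions:
            findings.append(Finding("shared_sink", ip, tuple(sorted(names))))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.kind:13} {f.ip:16} {', '.join(f.qnames)}")
```

A shared_sink finding is the stronger signal: a single vendor changing CDN provider moves one hostname, whereas a poisoned resolver moves many at once.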

In June 2019, researchers at Cybereason uncovered an ongoing, long-running espionage campaign, tracked as Operation Soft Cell, that targets telco providers. The tactics, techniques, and procedures, and the type of targets, suggest the involvement of a nation-state actor likely linked to the Chinese APT10.

Once they have compromised the networks of telecommunication companies, attackers can access mobile phone users’ call data records.

“Based on the data available to us, Operation Soft Cell has been active since at least 2012, though some evidence suggests even earlier activity by the threat actor against telecommunications providers. The attack was aiming to obtain CDR records of a large telecommunications provider.” reads the report published by Cybereason.

“The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.”

According to Amit Serper, head of security research at Cybereason, attackers exfiltrated gigabytes of data from the target networks, but always in relatively smaller amounts to remain under the radar.

In mid-September, Lumen’s Black Lotus Labs discovered a new botnet, named Raptor Train, composed of small office/home office (SOHO) and IoT devices. The experts believe the botnet is controlled by a China-linked APT group  (also called  or RedJuliett).

The botnet has been active since at least May 2020, reaching its peak with 60,000 compromised devices in June 2023.

Since May 2020, over 200,000 devices, including SOHO routers, NVR/DVR devices, NAS servers, and IP cameras, have been compromised and added to the Raptor Train botnet, making it one of the largest China-linked IoT botnets discovered. A command and control (C2) domain from a recent campaign even appeared on the Cloudflare Radar and Cisco Umbrella “top 1 million” lists, indicating widespread device exploitation. Researchers estimate that hundreds of thousands of devices have likely been compromised since the botnet’s creation.

China has consistently denied accusations from Western governments and tech firms about its involvement in cyberattacks. Liu Pengyu, a spokesman for the Chinese Embassy in Washington, recently accused U.S. spy agencies and cybersecurity firms of fabricating evidence to blame China. Despite these denials, China-linked APT groups have a history of targeting global telecommunications infrastructure.


(SecurityAffairs – hacking, Salt Typhoon)

Article: https://securityaffairs.com/168817/intelligence/did-israel-infiltrate-lebanese-telecoms-networks.html (Tue, 24 Sep 2024 11:13:10 +0000)

Israel has been sending text messages, recordings, and hacking radio networks to warn Lebanese citizens to evacuate certain areas.

Israel has been sending text messages, recordings, and hacking radio networks to warn Lebanese citizens to evacuate certain areas in the country, likely due to an imminent full-scale strike. Following these warnings, massive bombings in southern and eastern Lebanon killed over 270 people.

According to Al Jazeera, Israeli intelligence has been gathering data on Lebanon’s citizens for years.

Experts also speculate that the Israeli cyber army might have gained access to the private communication details of people across Lebanon.

Israel is believed to have infiltrated Lebanese telecom networks, allowing it to send targeted warnings to specific individuals. Experts believe that Israel has real-time access to data on Lebanese civilians, not just Hezbollah members, enhancing its intelligence capabilities in the region.

Residents in southern Lebanon and parts of Beirut received messages and phone calls early Monday, warning them to evacuate areas that are hosting Hezbollah. The warnings were sent from Lebanese numbers.

“If you are in a building with Hezbollah weapons, stay away from the village until further notice.” reads the message sent to Lebanese citizens.

One message seen by Al Jazeera urged people to stay away from villages with Hezbollah weapons. These coordinated warnings sparked concerns about escalating conflict in the region.

“In Beirut, Lebanese Information Minister Ziad Makary was among those who received a recorded phone call, according to the state-run National News Agency.”

“What we don’t know is how Israel got these details of people — cellphone numbers, locations. … Is it because of data leaks or because Israel has hacked into Lebanon’s telecoms infrastructure?” Ibrahim said.

However, media reported that Israeli forces bombed buildings whose residents received no warnings.

The messages are also part of the campaigns conducted by the IDF to destabilize local communities and isolate members of Hezbollah.

According to intelligence analysts, Israel had hacked Lebanese networks well before October 8, gaining access to almost any technology used in the country, including landlines, systems managing car plate numbers, and mobile phones.

Israeli cyber units have developed sophisticated spyware and hacking tools that allow their intelligence to track both Lebanese citizens and visitors.

In 2018, Lebanon’s UN representative Amal Mudallali accused Israel of hacking Lebanese telecom networks, sending recorded messages to civilians in Kafr Kila warning of imminent explosions during tensions with Hezbollah.


(SecurityAffairs – hacking, warfare)

Article: https://securityaffairs.com/168767/apt/earth-baxia-apt-targets-apac-geotools-flaw.html (Mon, 23 Sep 2024 07:23:03 +0000)

Suspected China-linked APT Earth Baxia targeted a government organization in Taiwan by exploiting a recently patched OSGeo GeoServer GeoTools flaw.

Trend Micro researchers reported that China-linked APT group Earth Baxia has targeted a government organization in Taiwan and potentially other countries in the Asia-Pacific (APAC) region.

The threat actor used spear-phishing emails and exploited the recently patched GeoServer vulnerability .

GeoServer is an open-source server that allows users to share and edit geospatial data.

The vulnerability  (CVSS score of 9.8) is a Remote Code Execution (RCE) issue caused by unsafe evaluation of property names as XPath expressions.

GeoServer versions before 2.23.6, 2.24.4, and 2.25.2 are vulnerable to this issue. Threat actors exploited the flaw to download or copy malicious components.

In July, the researchers detected suspicious activity targeting a government organization in Taiwan and other entities in APAC countries. Attackers deployed customized Cobalt Strike components on compromised systems and installed a new backdoor called EAGLEDOOR, which supports multiple protocols.

Earth Baxia primarily targeted government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand.

Upon investigation, the experts discovered that multiple servers were hosted on the Alibaba cloud service or located in Hong Kong. Some samples employed in the campaign were uploaded to VirusTotal from China.

“After checking one of the Cobalt Strike watermarks (666666) used by the threat actors on Shodan, we also found that only a few machines were linked to this watermark, most of which were in China (Table 1). Therefore, we suspect that the APT group behind these campaigns originates from China.”

The APT group relies on GrimResource and AppDomainManager injection to deploy additional payloads, to lower the victim’s guard and avoid detection.

The phishing emails in this campaign have carefully tailored subject lines, with a ZIP file attachment containing a decoy MSC file named RIPCOY. Upon opening this file, an obfuscated VBScript downloads multiple files from a public cloud service like AWS, including a decoy PDF, .NET applications, and a configuration file. The .NET applications use AppDomainManager injection, which allows arbitrary code execution within a target application by injecting a custom application domain. This enables the execution of .NET applications to load managed DLLs, either locally or remotely, without invoking Windows API calls.
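AppDomainManager injection leaves a file-system footprint: the host application's .NET configuration file names a custom AppDomainManager assembly and type, and the assembly is dropped where the runtime can resolve it, normally beside the executable. The scanner below is an added example (not Trend Micro's or Earth Baxia's code) that hunts for that footprint. The element names appDomainManagerAssembly and appDomainManagerType come from the .NET runtime configuration schema, not from the article; the sample config files and the assembly name UpdateHelper are constructed placeholders.

```python
"""Hunt for AppDomainManager injection: a .NET application's .config file
pointing the runtime at a custom AppDomainManager assembly. Added example,
not Trend Micro's or Earth Baxia's code. Element names come from the .NET
runtime configuration schema; the sample files below are constructed."""
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SUSPECT_ELEMENTS = {"appDomainManagerAssembly", "appDomainManagerType"}


def _local(tag: str) -> str:
    """Strip an XML namespace prefix like '{urn:...}' from a tag name."""
    return tag.rsplit("}", 1)[-1]


def inspect_config_text(text: str) -> Optional[Dict[str, str]]:
    """Return {'assembly': ..., 'type': ...} if the config sets a custom
    AppDomainManager, otherwise None (unparseable XML also yields None)."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    found: Dict[str, str] = {}
    for el in root.iter():
        name = _local(el.tag)
        if name in SUSPECT_ELEMENTS:
            key = "assembly" if name == "appDomainManagerAssembly" else "type"
            found[key] = el.get("value", "")
    return found or None


def scan_directory(top: str) -> List[Dict[str, object]]:
    """Walk `top`, inspect every *.config file and report hits, noting whether
    the named assembly's DLL sits beside the config (the usual drop location)."""
    hits: List[Dict[str, object]] = []
    for dirpath, _, files in os.walk(top):
        for fn in files:
            if not fn.lower().endswith(".config"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                info = inspect_config_text(fh.read())
            if not info:
                continue
            asm_name = info.get("assembly", "").split(",")[0].strip()
            dll_present = bool(asm_name) and os.path.exists(os.path.join(dirpath, asm_name + ".dll"))
            hits.append({
                "config": path,
                "assembly": info.get("assembly", ""),
                "type": info.get("type", ""),
                "dll_beside_config": dll_present,
            })
    return hits


# Constructed fixtures for the demo tree; names are placeholders.
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

INJECTED_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
  </runtime>
</configuration>"""


def build_demo_tree() -> str:
    """Create a temp directory holding one clean app and one app that carries
    the injection config plus a placeholder side-loaded DLL; returns its path."""
    top = tempfile.mkdtemp(prefix="admscan_")
    clean = os.path.join(top, "clean")
    os.makedirs(clean)
    with open(os.path.join(clean, "tool.exe.config"), "w", encoding="utf-8") as fh:
        fh.write(BENIGN_CONFIG)
    bad = os.path.join(top, "decoy")
    os.makedirs(bad)
    with open(os.path.join(bad, "viewer.exe.config"), "w", encoding="utf-8") as fh:
        fh.write(INJECTED_CONFIG)
    with open(os.path.join(bad, "UpdateHelper.dll"), "wb") as fh:
        fh.write(b"MZ placeholder, not a real assembly")
    return top


if __name__ == "__main__":
    for hit in scan_directory(build_demo_tree()):
        print(hit)
```

Legitimate software occasionally ships a custom AppDomainManager, so a hit is a lead rather than a verdict; a manager assembly that is unsigned, recently written, or found next to a decoy document is what separates this technique from a vendor's own use of the feature.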

The EAGLEDOOR backdoor can communicate with C2 via DNS, HTTP, TCP, and Telegram. While TCP, HTTP, and DNS are used to send the victim machine’s status, the main backdoor functionality is handled through the Telegram Bot API. The malicious code supports methods like getFile, getUpdates, sendDocument, and sendMessage to gather information, transfer files, and execute payloads. However, in the collected samples, only TCP and HTTP protocols were observed on the victim’s side. Earth Baxia exfiltrates data in archives that are transferred using curl.exe.
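A backdoor that tasks itself through the Telegram Bot API is visible to a web proxy as a steady stream of requests to api.telegram.org whose path carries a bot token and a method name. The script below is an added example (not Trend Micro's or the malware's code) that summarises such traffic per client and flags the poll-then-upload pattern; the log layout is an assumed TLS-inspecting proxy format, and every log line and bot token in it is constructed.

```python
"""Spot Telegram Bot API use in proxy logs, the C2 channel the report
describes for EAGLEDOOR. Added example, not Trend Micro's or the malware's
code. Log lines are constructed; the bot token in them is a dummy."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Bot API methods the report says EAGLEDOOR supports.
EAGLEDOOR_BOT_METHODS = {"getFile", "getUpdates", "sendDocument", "sendMessage"}

# Assumed proxy log layout: <timestamp> <client> <verb> <url-or-host:port> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<verb>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})\s*$"
)
# Bot API URL shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[\w-]+)/(?P<method>\w+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one proxy log line into fields; None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines: List[str]) -> Dict[str, dict]:
    """Summarise Telegram Bot API activity per client address."""
    per_src: Dict[str, dict] = defaultdict(
        lambda: {"methods": set(), "bot_ids": set(), "requests": 0, "host_only": 0}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        target = rec["target"]
        m = BOT_RE.match(target)
        if m:
            s = per_src[rec["src"]]
            s["requests"] += 1
            s["methods"].add(m.group("method"))
            s["bot_ids"].add(m.group("bot_id"))  # keep the id, never the secret
        elif target.split(":")[0] == "api.telegram.org":
            # TLS not inspected: only the CONNECT host is visible, path and method are not.
            per_src[rec["src"]]["host_only"] += 1

    report: Dict[str, dict] = {}
    for src, s in per_src.items():
        methods = s["methods"]
        if "getUpdates" in methods and any(name.startswith("send") for name in methods):
            verdict = "c2-like"  # polls for tasks and ships results back
        elif methods:
            verdict = "bot-api-use"
        else:
            verdict = "telegram-host-only"
        report[src] = {
            "verdict": verdict,
            "methods": sorted(methods),
            "bot_ids": sorted(s["bot_ids"]),
            "requests": s["requests"],
            "host_only": s["host_only"],
        }
    return report


# Constructed sample log; addresses and the bot token are placeholders.
SAMPLE_LOG = [
    "2024-09-12T08:00:01Z 10.20.30.40 GET https://api.telegram.org/bot7000000001:AAFdummyTOKENdummyTOKEN/getUpdates 200",
    "2024-09-12T08:00:31Z 10.20.30.40 GET https://api.telegram.org/bot7000000001:AAFdummyTOKENdummyTOKEN/getUpdates 200",
    "2024-09-12T08:01:05Z 10.20.30.40 POST https://api.telegram.org/bot7000000001:AAFdummyTOKENdummyTOKEN/sendDocument 200",
    "2024-09-12T08:02:00Z 10.20.30.41 GET https://www.example.com/index.html 200",
    "2024-09-12T08:03:00Z 10.20.30.42 CONNECT api.telegram.org:443 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for src, summary in analyse(SAMPLE_LOG).items():
        print(src, summary)
```

Without TLS inspection the proxy only sees the CONNECT to api.telegram.org, which is why the host-only counter is kept separately: on a server segment where no messaging client should be running, the bare hostname contact is itself worth an alert, and the report's note that only TCP and HTTP were observed on victims means the same host-level check should also cover the group's other channels.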

“Earth Baxia, likely based in China, conducted a sophisticated campaign targeting government and energy sectors in multiple APAC countries.” concludes the report. “They used advanced techniques like GeoServer exploitation, spear-phishing, and customized malware (Cobalt Strike and EAGLEDOOR) to infiltrate and exfiltrate data. The use of public cloud services for hosting malicious files and the multi-protocol support of EAGLEDOOR highlight the complexity and adaptability of their operations.”


(SecurityAffairs – hacking, Earth Baxia)

https://securityaffairs.com/168656/apt/unc1860-provides-iran-linked-apts-access-middle-east.html Fri, 20 Sep 2024 13:51:51 +0000

Iran-linked APT group UNC1860 is operating as an initial access facilitator that provides remote access to Middle Eastern Networks.

Mandiant researchers warn that an Iran-linked APT group, tracked as UNC1860, is operating as an initial access facilitator that provides remote access to target networks in the Middle East.

UNC1860 is linked to Iran’s Ministry of Intelligence and Security (MOIS); the APT specializes in using customized tools and passive backdoors to gain persistent access to high-profile networks. Targets include organizations in the government and telecommunications sectors across the Middle East. UNC1860 shares similar tactics with other Iran-linked threat groups, such as and Storm-0861, which have facilitated destructive operations in Israel and Albania. The experts observed the use of the malware BABYWIPER in Israel in 2022 and the malware in Albania in 2022.

Although Mandiant cannot confirm UNC1860’s involvement in these attacks, the experts observed custom malware used by the group, suggesting a role in providing initial access for such operations. The group is known for maintaining long-term access to victim networks.

“Mandiant identified two custom, GUI-operated malware controllers tracked as TEMPLEPLAY and VIROGREEN that we assess were used to provide a team outside of UNC1860 remote access to victim networks.” states Mandiant. “This tooling, coupled with  and evidence suggesting that the group collaborates with MOIS-affiliated groups such as APT34, strengthens the assessment that UNC1860 acts as an initial access agent.”

Mandiant noticed that organizations compromised by the Iran-linked group in 2019 and 2020 had also been previously breached by UNC1860, suggesting UNC1860 may support Iranian state-sponsored hackers in performing lateral movement. Additionally, both APT34-related clusters and UNC1860 have recently shifted their focus toward targets based in Iraq.

The UNC1860 APT uses web shells and droppers like STAYSHANTE and SASHEYAWAY to gain initial access to compromised systems. These tools allow attackers to perform hand-off operations. In March 2024, the Israeli National Cyber Directorate identified wiper activity targeting various sectors in Israel, with indicators including STAYSHANTE and SASHEYAWAY, both linked to UNC1860. STAYSHANTE is disguised as Windows server files and is controlled by the VIROGREEN framework. SASHEYAWAY enables the execution of passive backdoors like TEMPLEDOOR, FACEFACE, and SPARKLOAD. SASHEYAWAY has a low detection rate.

“UNC1860 GUI-operated malware controllers TEMPLEPLAY and VIROGREEN could provide third-party actors who have no previous knowledge of the target environment the ability to remotely access infected networks via RDP and to control previously installed malware on victim networks with ease.” continues the report. “These controllers additionally could provide third-party operators an interface that walks operators through how to deploy custom payloads and perform other operations such as conducting internal scanning and exploitation within the target network.”

TEMPLEPLAY is a .NET-based controller for TEMPLEDOOR; it supports backdoor functionality, file transfers, and proxy connections to target servers. UNC1860’s arsenal includes a wide range of passive tools and backdoors supporting initial access, lateral movement, and data gathering.

The implants used by the APT group demonstrate a deep knowledge of the Windows OS, reverse engineering of kernel components, and detection evasion techniques. Their passive implants, such as TOFUDRV and TOFULOAD, do not initiate outbound traffic, instead relying on inbound commands from volatile sources, making detection harder. These implants use HTTPS-encrypted traffic and undocumented Input/Output Control commands to evade network monitoring and endpoint detection. Tools like TEMPLEDROP repurpose Iranian antivirus drivers to protect files, while TEMPLELOCK, a .NET-based utility, terminates and restarts the Windows Event Log service to evade detection.

“These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations.” concludes the report. “As tensions continue to ebb and flow in the Middle East, we believe this actor’s adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift.” 


(SecurityAffairs – hacking, Iran)

https://securityaffairs.com/168563/malware/raptor-train-botnet-iot.html Wed, 18 Sep 2024 19:50:14 +0000

Researchers warn of a new IoT botnet called Raptor Train that already compromised over 200,000 devices worldwide.

Cybersecurity researchers from Lumen’s Black Lotus Labs discovered a new botnet, named Raptor Train, composed of small office/home office (SOHO) and IoT devices. The experts believe the botnet is controlled by a China-linked APT group (also called or RedJuliett).

The botnet has been active since at least May 2020, reaching its peak with 60,000 compromised devices in June 2023.

Since May 2020, over 200,000 devices, including SOHO routers, NVR/DVR devices, NAS servers, and IP cameras, have been compromised and added to the Raptor Train botnet, making it one of the largest China-linked IoT botnets discovered. A command and control (C2) domain from a recent campaign even appeared on the Cloudflare Radar and Cisco Umbrella “top 1 million” lists, indicating widespread device exploitation. Researchers estimate that hundreds of thousands of devices have likely been compromised since the botnet’s creation.

“The botnet operators manage this large and varied network through a series of distributed payload and C2 servers, a centralized Node.js backend, and a cross-platform  application front-end that the actors have dubbed “Sparrow.” This is a robust, enterprise-grade control system used to manage upwards of 60 C2 servers and their infected nodes at any given time.” reads the report published by Lumen. “This service enables an entire suite of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads, remote command execution, and the ability to tailor IoT-based distributed denial of service (DDoS) attacks at-scale.”

The three-tiered architecture consists of the following levels:

  • Tier 1: Compromised SOHO/IoT devices
  • Tier 2: Exploitation servers, payload servers, and command-and-control (C2) servers
  • Tier 3: Centralized management nodes and a cross-platform Electron application front-end referred to as Sparrow (aka Node Comprehensive Control Tool, or NCCT)

The Raptor Train botnet operates as a multi-tiered, evolving network with at least three levels of activity observed over four years. Tier 3 “Sparrow” nodes initiate bot tasks, which are routed through Tier 2 command and control (C2) servers to Tier 1 bots. Tier 1, the largest level, is composed of compromised devices with a short lifecycle, averaging 17 days. Tiers 2 and 3 use Virtual Private Servers (VPSs), lasting around 77 days, with Tier 3 primarily based in Hong Kong and China. Tier 2 servers are distributed globally, managing the control and exploitation capabilities of the bot.

Below are some of the devices included in the botnet: 

Modems/Routers 

  • ActionTec PK5000 
  • ASUS RT-*/GT-*/ZenWifi 
  • TP-LINK 
  • DrayTek Vigor 
  • Tenda Wireless 
  • Ruijie 
  • Zyxel USG* 
  • Ruckus Wireless 
  • VNPT iGate 
  • Mikrotik 
  • TOTOLINK 

IP Cameras 

  • D-LINK DCS-* 
  • Hikvision 
  • Mobotix 
  • NUUO 
  • AXIS 
  • Panasonic 

NVR/DVR 

  • Shenzhen TVT NVRs/DVRs 

NAS 

  • QNAP (TS Series) 
  • Fujitsu 
  • Synology 

The attribution of the Raptor Train botnet to the Chinese nation-state actor is based on multiple factors, including the operational timelines, targeting of sectors aligned with Chinese interests, use of the Chinese language, and other tactics, techniques, and procedures (TTPs) that overlap with known Chinese cyber activities.

“This botnet has targeted entities in the U.S. and Taiwan across various sectors, including military, government, higher education, telecommunications, defense industrial base, and IT.” concludes the report. “The investigation has yielded insights into the botnet’s network architecture, exploitation campaigns, malware components, and operational use, illuminating the evolving tactics and techniques employed by the threat actors. A major concern of the Raptor Train botnet is the DDoS capability that we have not yet observed actively deployed, but we suspect is being maintained for future use.”


(SecurityAffairs – hacking, botnet)

https://securityaffairs.com/168550/security/intellexa-consortium-sactions.html Wed, 18 Sep 2024 10:03:51 +0000

The U.S. Department of Treasury issued new sanctions against five executives and one entity linked to the Intellexa Consortium.

The Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued new sanctions against five individuals and one entity associated with the Intellexa Consortium for their role in developing, operating, and distributing commercial spyware.

The Intellexa Consortium was created in 2019 and has acted as a marketing umbrella for various offensive cyber companies that provide spyware and surveillance tools designed for targeted and mass surveillance campaigns. The name “Predator” refers to a collection of surveillance tools that allow operators to compromise victims’ devices through zero-click attacks.

Predator spyware is known for its extensive data-stealing and surveillance capabilities.

The Department of the Treasury states that commercial spyware poses a significant threat to the national security of the United States.

The fresh package of sanctions issued by the U.S. government is part of the effort against .

“These designations complement concerted U.S. government actions against commercial spyware vendors, including previous  individuals and entities associated with the Intellexa Consortium; the Department of Commerce’s  to the Entity List; and the Department of State’s  targeting those who misuse or profit from the misuse of commercial spyware, subsequently exercised on .” reads the press release published by the OFAC.

The US government sanctioned the following individuals and entities linked to the Intellexa Consortium:

  • Aliada Group Inc., a company that facilitated significant financial transactions within the Consortium.
  • Felix Bitzios, an owner and manager of Intellexa S.A., involved in supplying Predator to foreign governments.
  • Andrea Nicola Constantino Hermes Gambazzi, owner of Thalestris Limited and Intellexa Limited, both part of the Intellexa Consortium.
  • Merom Harpaz, a senior Intellexa executive and manager of Intellexa S.A.
  • Panagiota Karaoli, director of Intellexa entities under Thalestris Limited.
  • Artemis Artemiou, a manager at Intellexa S.A. and Cytrox Holdings.

The sanctions also targeted financial entities linked to the Intellexa Consortium’s sale of surveillance software. Aliada Group Inc. facilitated major financial transactions for the Consortium, while Thalestris Limited processed transactions on behalf of other Intellexa Consortium entities.

“The Intellexa Consortium is a complex international web of decentralized companies that built and commercialized a comprehensive suite of highly invasive spyware products, primarily marketed under the brand-name “Predator.”” continues the press release.

In March 2024, the US Government sanctioned the Intellexa Consortium’s Israeli founder, Tal Jonathan Dilian, and Polish corporate specialist, Sara Aleksandra Fayssal Hamou.

The US government also sanctioned the following companies:

  • Intellexa S.A. is a Greece-based software development company within the Intellexa Consortium and has exported its surveillance tools to authoritarian regimes.
  • Intellexa Limited is an Ireland-based company within the Intellexa Consortium and acts as a technology reseller and holds assets on behalf of the consortium.
  • Cytrox AD is a North Macedonia-based company within the Intellexa Consortium and acts as a developer of the consortium’s Predator spyware.
  • Cytrox Holdings Zartkoruen Mukodo Reszvenytarsasag (Cytrox Holdings ZRT) is a Hungary-based entity within the Intellexa Consortium. Cytrox Holdings ZRT previously developed the Predator spyware for the group before production moved to Cytrox AD in North Macedonia.
  • Thalestris Limited is an Ireland-based entity within the Intellexa Consortium that holds distribution rights to the Predator spyware and acts as a financial holding company for the Consortium.   

In February 2024, the U.S. State Department announced it is implementing a new policy to impose visa restrictions on individuals involved in the misuse of commercial spyware.

The policy underscores the U.S. government’s commitment to addressing the misuse of surveillance software, which poses a significant threat to society.

The policy specifically addresses the abuse of commercial spyware for unlawfully surveilling, harassing, suppressing, or intimidating individuals.

Visa restrictions target individuals believed to facilitate or derive financial benefit from the misuse of commercial spyware and also surveillance companies that act on behalf of governments.

The restrictions are extended to the immediate family members of the targeted individuals, including spouses and children of any age.

In March 2023, the US Government issued an Executive Order prohibiting the use by the United States Government of commercial spyware that poses risks to national security.

In July 2023, the Commerce Department’s Bureau of Industry and Security (BIS) added surveillance technology vendors to the Entity List for trafficking in cyber exploits used to gain access to information systems.

The Entity List maintained by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) is a trade control list created and maintained by the U.S. government. It identifies foreign individuals, organizations, companies, and government entities that are subject to specific export controls and restrictions due to their involvement in activities that threaten the U.S. national security or foreign policy interests.

The U.S. Government warns of the key role that surveillance technology plays in surveillance activities that can lead to repression and other human rights abuses.

The Commerce Department’s action targeted the above companies because their technology could contribute to the development of surveillance tools that pose a risk of misuse in violations or abuses of human rights.

The financial entities added to the Entity List include Intellexa S.A. in Greece, Cytrox Holdings Zrt in Hungary, Intellexa Limited in Ireland, and Cytrox AD in North Macedonia.

In early September 2024, Recorded Future researchers reported that the Predator spyware has resurfaced with fresh infrastructure after a decline caused by US sanctions.

Recorded Future reported that the decline was likely associated with changes in TTPs adopted by the company in an attempt to evade detection.

“This resurgence highlights Predator’s ongoing use by customers in countries such as the Democratic Republic of the Congo (DRC) and Angola.” reads the Recorded Future report. “While Predator continues to pose significant privacy and security risks, especially to high-profile individuals like politicians and executives, new infrastructure changes make tracking users more difficult.”

Predator spyware operators added several layers to enhance their infrastructure, anonymize operations and evade detection, making it harder to identify which countries are using the spyware.


(SecurityAffairs – hacking, Intellexa Consortium)
