#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Spear Phishing | Breaking Cybersecurity News | The Hacker News

APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme

APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme

Mar 18, 2024 Cyber Warfare / Malware
The Russia-linked threat actor known as  APT28  has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. "The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production," IBM X-Force  said  in a report published last week. The tech company is tracking the activity under the moniker  ITG05 , which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028. The disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing I
Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware

Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware

Dec 22, 2023 Social Engineering / Malware Analysis
A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the  Nim programming language . "Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers' unfamiliarity can hamper their investigation," Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara  said . Nim-based malware has been a rarity in the threat landscape, although that has been slowly changing in recent years as attackers continue to either develop custom tools from scratch using the language or port existing versions of their nefarious programs to it. This has been demonstrated in the case of loaders such as  NimzaLoader ,  Nimbda ,  IceXLoader , as well as ransomware families tracked under the names  Dark Power  and  Kanti . The attack chain documented by Netskope begins with a phishing email containing a Word document attachment that, when opened, urges the recipi
How to Find and Fix Risky Sharing in Google Drive

How to Find and Fix Risky Sharing in Google Drive

Mar 06, 2024Data Security / Cloud Security
Every Google Workspace administrator knows how quickly Google Drive becomes a messy sprawl of loosely shared confidential information. This isn't anyone's fault; it's inevitable as your productivity suite is purposefully designed to enable real-time collaboration – both internally and externally.  For Security & Risk Management teams, the untenable risk of any Google Drive footprint lies in the toxic combinations of sensitive data, excessive permissions, and improper sharing. However, it can be challenging to differentiate between typical business practices and potential risks without fully understanding the context and intent.  Material Security, a company renowned for its innovative method of protecting sensitive data within employee mailboxes, has recently launched  Data Protection for Google Drive  to safeguard the sprawl of confidential information scattered throughout Google Drive with a powerful discovery and remediation toolkit. How Material Security helps organ
N. Korea's Kimsuky Targeting South Korean Research Institutes with Backdoor Attacks

N. Korea's Kimsuky Targeting South Korean Research Institutes with Backdoor Attacks

Dec 08, 2023 Cyber Espionage / Cryptocurrency
The North Korean threat actor known as  Kimsuky  has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems. "The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC)  said  in an analysis posted last week. The attack chains commence with an import declaration lure that's actually a malicious JSE file containing an obfuscated PowerShell script, a Base64-encoded payload, and a decoy PDF document. The next stage entails opening the PDF file as a diversionary tactic, while the PowerShell script is executed in the background to launch the backdoor. The malware, for its part, is configured to collect network information and other relevant data (i.e., host name, user name, and operating system version) and transmit the encoded details to a remote server. It's also capable of
cyber security

Uncover Critical Gaps in 7 Core Areas of Your Cybersecurity Program

websiteArmor PointCyber Security / Assessment
Turn potential vulnerabilities into strengths. Start evaluating your defenses today. Download the Checklist.
Microsoft Warns of COLDRIVER's Evolving Evasion and Credential-Stealing Tactics

Microsoft Warns of COLDRIVER's Evolving Evasion and Credential-Stealing Tactics

Dec 07, 2023 Threat Intelligence / Cyber Espionage
The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interests to Russia while simultaneously improving its detection evasion capabilities. The Microsoft Threat Intelligence team is tracking under the cluster as  Star Blizzard  (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Gossamer Bear, and TA446. The adversary "continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests," Redmond  said . Star Blizzard , linked to Russia's Federal Security Service (FSB), has a  track record  of setting up lookalike domains that impersonate the login pages of targeted companies. It's known to be active since at least 2017. In August 2023,
Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign

Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign

Nov 02, 2023 Cyber Attack / Malware
The Iranian nation-state actor known as  MuddyWater  has been linked to a new spear-phishing campaign targeting two Israeli entities to ultimately deploy a legitimate remote administration tool from N-able called  Advanced Monitoring Agent . Cybersecurity firm Deep Instinct, which disclosed details of the attacks,  said  the campaign "exhibits updated TTPs to previously reported MuddyWater activity," which has, in the past, used similar attack chains to distribute other remote access tools like  ScreenConnect, RemoteUtilities, Syncro , and  SimpleHelp . While the latest development marks the first time MuddyWater has been observed using N-able's remote monitoring software, it also underscores the fact that the largely unchanged modus operandi continues to yield some level of success for the threat actor. The findings have also been separately confirmed by cybersecurity company Group-IB in a post shared on X (formerly Twitter). The state-sponsored group is a  cyber
YoroTrooper: Researchers Warn of Kazakhstan's Stealthy Cyber Espionage Group

YoroTrooper: Researchers Warn of Kazakhstan's Stealthy Cyber Espionage Group

Oct 26, 2023 Endpoint Protection / Malware
A relatively new threat actor known as  YoroTrooper  is likely made up of operators originating from Kazakhstan. The assessment, which comes from Cisco Talos, is based on their fluency in Kazakh and Russian, use of Tenge to pay for operating infrastructure, and very limited targeting of Kazakhstani entities, barring the government's Anti-Corruption Agency. "YoroTrooper attempts to obfuscate the origin of their operations, employing various tactics to make its malicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region," security researchers Asheer Malhotra and Vitor Ventura  said . First documented by the cybersecurity company in March 2023, the adversary is  known to be active  since at least June 2022, singling out various state-owned entities in the Commonwealth of Independent States (CIS) countries. Slovak cybersecurity firm ESET is tracking the activity under the name  SturgeonPhisher . YoroTrooper's attack cycles
Iranian APT Group OilRig Using New Menorah Malware for Covert Operations

Iranian APT Group OilRig Using New Menorah Malware for Covert Operations

Sep 30, 2023 Cyber Espionage / Malware
Sophisticated cyber actors backed by Iran known as  OilRig  have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah. "The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy  said  in a Friday report. The victimology of the attacks is not immediately known, although the use of decoys indicates at least one of the targets is an organization located in Saudi Arabia. Also tracked under the names APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten,  OilRig  is an Iranian advanced persistent threat (APT) group that specializes in covert intelligence gathering operations to infiltrate and maintain access within targeted networks. The revelation builds on  recent findings  from NSFOCUS, which uncovered an OilRig phishing attack resulting in the deploymen
North Korean UNC2970 Hackers Expands Operations with New Malware Families

North Korean UNC2970 Hackers Expands Operations with New Malware Families

Mar 10, 2023 Cyber Attack / Malware
A North Korean espionage group tracked as  UNC2970  has been observed employing previously undocumented malware families as part of a spear-phishing campaign targeting U.S. and European media and technology organizations since June 2022. Google-owned Mandiant said the threat cluster shares "multiple overlaps" with a  long-running   operation   dubbed  " Dream Job " that employs job recruitment lures in email messages to trigger the infection sequence. UNC2970 is the new moniker designated by the threat intelligence firm to a set of North Korean cyber activity that maps to UNC577 (aka Temp.Hermit ), and which also comprises another nascent threat cluster tracked as UNC4034. The UNC4034 activity, as  documented  by Mandiant in September 2022, entailed the use of WhatsApp to socially engineer targets into downloading a  backdoor  called AIRDRY.V2 under the pretext of sharing a skills assessment test. "UNC2970 has a concerted effort towards obfuscation and emp
Iranian Hackers Target Women Involved in Human Rights and Middle East Politics

Iranian Hackers Target Women Involved in Human Rights and Middle East Politics

Mar 09, 2023 Cyber Espionage
Iranian state-sponsored actors are continuing to engage in social engineering campaigns targeting researchers by impersonating a U.S. think tank. "Notably the targets in this instance were all women who are actively involved in political affairs and human rights in the Middle East region," Secureworks Counter Threat Unit (CTU)  said  in a report shared with The Hacker News. The cybersecurity company attributed the activity to a hacking group it tracks as  Cobalt Illusion , and which is also known by the names APT35, Charming Kitten, ITG18, Phosphorus, TA453, and Yellow Garuda. The targeting of academics, activists, diplomats, journalists, politicians, and researchers by the threat actor  has been   well-documented   over  the  years . The group is suspected to be operating on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC) and has exhibited a pattern of using fake personas to establish contact with individuals who are of strategic interest to the governmen
Researchers Uncover MirrorFace Cyber Attacks Targeting Japanese Political Entities

Researchers Uncover MirrorFace Cyber Attacks Targeting Japanese Political Entities

Dec 15, 2022 Advanced Persistent Threat
A Chinese-speaking advanced persistent threat (APT) actor codenamed  MirrorFace  has been attributed to a spear-phishing campaign targeting Japanese political establishments. The activity, dubbed  Operation LiberalFace  by ESET, specifically focused on members of an unnamed political party in the nation with the goal of delivering an implant called LODEINFO and a hitherto unseen credential stealer named MirrorStealer. The Slovak cybersecurity company said the campaign was launched a little over a week prior to the  Japanese House of Councillors election  that took place on July 10, 2022. "LODEINFO was used to deliver additional malware, exfiltrate the victim's credentials, and steal the victim's documents and emails," ESET researcher Dominik Breitenbacher  said  in a technical report published Wednesday. MirrorFace is said to share overlaps with another threat actor tracked as  APT10  (aka Bronze Riverside, Cicada, Earth Tengshe, Stone Panda, and Potassium) and
Researchers Uncover Covert Attack Campaign Targeting Military Contractors

Researchers Uncover Covert Attack Campaign Targeting Military Contractors

Sep 29, 2022
A new covert attack campaign singled out multiple military and weapons contractor companies with spear-phishing emails to trigger a multi-stage infection process designed to deploy an unknown payload on compromised machines. The highly-targeted intrusions, dubbed  STEEP#MAVERICK  by Securonix, also targeted a strategic supplier to the F-35 Lightning II fighter aircraft. "The attack was carried out starting in late summer 2022 targeting at least two high-profile military contractor companies," Den Iuzvyk, Tim Peck, and Oleg Kolesnikov  said  in an analysis. Infection chains begin with a phishing mail with a ZIP archive attachment containing a shortcut file that claims to be a PDF document about "Company & Benefits," which is then used to retrieve a stager -- an initial binary that's used to download the desired malware -- from a remote server. This PowerShell stager sets the stage for a "robust chain of stagers" that progresses through seven m
Russian Hackers Exploiting Microsoft Follina Vulnerability Against Ukraine

Russian Hackers Exploiting Microsoft Follina Vulnerability Against Ukraine

Jun 22, 2022
The Computer Emergency Response Team of Ukraine (CERT-UA) has  cautioned  of a new set of spear-phishing attacks exploiting the "Follina" flaw in the Windows operating system to deploy password-stealing malware. Attributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks commence with a lure document titled "Nuclear Terrorism A Very Real Threat.rtf" that, when opened, exploits the recently disclosed vulnerability to download and execute a malware called CredoMap. Follina ( CVE-2022-30190 , CVSS score: 7.8), which concerns a case of remote code execution affecting the Windows Support Diagnostic Tool (MSDT), was addressed by Microsoft on June 14, as part of its Patch Tuesday updates , but not before it was subjected to widespread zero-day exploit activity by numerous threat actors. According to an independent report published by Malwarebytes,  CredoMap  is a variant of the .NET-based credenti
New Saitama backdoor Targeted Official from Jordan's Foreign Ministry

New Saitama backdoor Targeted Official from Jordan's Foreign Ministry

May 13, 2022
A spear-phishing campaign targeting Jordan's foreign ministry has been observed dropping a new stealthy backdoor dubbed Saitama. Researchers from Malwarebytes and Fortinet FortiGuard Labs  attributed  the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing  resemblances  to past campaigns staged by the group. "Like many of these attacks, the email contained a malicious attachment," Fortinet researcher Fred Gutierrez  said . "However, the attached threat was not a garden-variety malware. Instead, it had the capabilities and techniques usually associated with advanced persistent threats (APTs)." APT34, also known as OilRig, Helix Kitten, and Cobalt Gypsy, is known to be active since at least 2014 and has a track record of striking telecom, government, defense, oil, and financial sectors in the Middle East and North Africa (MENA) via targeted phishing attacks. Earlier this February, ESET  tied  the group to a long-runni
This Asia-Pacific Cyber Espionage Campaign Went Undetected for 5 Years

This Asia-Pacific Cyber Espionage Campaign Went Undetected for 5 Years

May 07, 2020
An advanced group of Chinese hackers has recently been spotted to be behind a sustained cyber espionage campaign targeting government entities in Australia, Indonesia, Philippines, Vietnam, Thailand, Myanmar, and Brunei—which went undetected for at least five years and is still an ongoing threat. The group, named 'Naikon APT,' once known as one of the most active APTs in Asia until 2015, carried out a string of cyberattacks in the Asia-Pacific (APAC) region in search of geopolitical intelligence. According to the latest investigation report Check Point researchers shared with The Hacker News, the Naikon APT group had not gone silent for the last 5 years, as initially suspected; instead, it was using a new backdoor, called " Aria-body ," to operate stealthily. "Given the characteristics of the victims and capabilities presented by the group, it is evident that the group's purpose is to gather intelligence and spy on the countries whose governments it
Targeted Phishing Attacks Successfully Hacked Top Executives At 150+ Companies

Targeted Phishing Attacks Successfully Hacked Top Executives At 150+ Companies

Apr 30, 2020
In the last few months, multiple groups of attackers successfully compromised corporate email accounts of at least 156 high-ranking officers at various firms based in Germany, the UK, Netherlands, Hong Kong, and Singapore. Dubbed ' PerSwaysion ,' the newly spotted cyberattack campaign leveraged Microsoft file-sharing services—including Sway, SharePoint, and OneNote—to launch highly targeted phishing attacks. According to a report Group-IB Threat Intelligence team published today and shared with The Hacker News, PerSwaysion operations attacked executives of more than 150 companies around the world, primarily with businesses in finance, law, and real estate sectors. "Among these high-ranking officer victims, more than 20 Office365 accounts of executives, presidents, and managing directors appeared." So far successful and still ongoing, most PerSwaysion operations were orchestrated by scammers from Nigeria and South Africa who used a Vue.js JavaScript framewor
Why Minimizing Human Error is the Only Viable Defense Against Spear Phishing

Why Minimizing Human Error is the Only Viable Defense Against Spear Phishing

Feb 25, 2020
Phishing attacks have become one of the business world's top cybersecurity concerns. These social engineering attacks have been rising over the years, with the most recent report from the Anti-Phishing Working Group coalition identifying over 266,000 active spoofed websites, which is nearly double the number detected during Q4 2018. Hackers have evolved their methods, from regular phishing attacks to spear phishing, where they use email messages disguised as coming from legitimate sources to dupe specific individuals. This is why the global spear phishing protection software market is estimated to reach $1.8 billion by 2025. However, conventional defenses can still fall short due to one particular weakness in the security perimeter – the human factor. Indeed, some 33 percent of 2019's data breaches involved humans falling victim to social engineering attacks. And given how sophisticated and creative the phishing perpetrators have been getting, it's easy to see h
Cybersecurity Resources