Advanced Persistent Threat | Breaking Cybersecurity News | The Hacker News

A suspected China-based threat actor has been linked to a series of cyber attacks targeting high-profile organizations in Southeast Asia since at least October 2023. The espionage campaign targeted organizations in various sectors spanning government ministries in two different countries, an air traffic control organization, a telecoms company, and a media outlet, the Symantec Threat Hunter Team said in a new report shared with The Hacker News. The attacks, which leveraged tools previously identified as linked to China-based advanced persistent threat (APT) groups, are characterized by the use of both open-source and living-off-the-land (LotL) techniques. This includes the use of reverse proxy programs such as Rakshasa and Stowaway , as well as asset discovery and identification tools, keyloggers, and password stealers. Also deployed during the course of the attacks is PlugX (aka Korplug), a remote access trojan put to use by several Chinese hacking groups. "The threat ac...

The Russia-linked advanced persistent threat (APT) group known as Turla has been linked to a previously undocumented campaign that involved infiltrating the command-and-control (C2) servers of a Pakistan-based hacking group named Storm-0156 to conduct its own operations since 2022. The activity, first observed in December 2022, is the latest instance of the nation-state adversary "embedding themselves" in another group's malicious operations to further their own objectives and cloud attribution efforts, Lumen Technologies Black Lotus Labs said. "In December 2022, Secret Blizzard initially gained access to a Storm-0156 C2 server and by mid-2023 had expanded their control to a number of C2s associated with the Storm-0156 actor," the company said in a report shared with The Hacker News. By leveraging their access to these servers, Turla has been found to take advantage of the intrusions already orchestrated by Storm-0156 to deploy custom malware families refe...

Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...

The China-aligned advanced persistent threat (APT) actor known as Gelsemium has been observed using a new Linux backdoor dubbed WolfsBane as part of cyber attacks likely targeting East and Southeast Asia. That's according to findings from cybersecurity firm ESET based on multiple Linux samples uploaded to the VirusTotal platform from Taiwan, the Philippines, and Singapore in March 2023. WolfsBane has been assessed to be a Linux version of the threat actor's Gelsevirine backdoor, a Windows malware put to use as far back as 2014. Also discovered by the company is another previously undocumented implant named FireWood that's connected to a different malware toolset known as Project Wood . FireWood has been attributed to Gelsemium with low confidence, given the possibility that it could be shared by multiple China-linked hacking crews. "The goal of the backdoors and tools discovered is cyber espionage targeting sensitive data such as system information, user crede...

A threat actor affiliated with Hamas has expanded its malicious cyber operations beyond espionage to carry out disruptive attacks that exclusively target Israeli entities. The activity, linked to a group called WIRTE , has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, Check Point said in an analysis. "The [Israel-Hamas] conflict has not disrupted the WIRTE's activity, and they continue to leverage recent events in the region in their espionage operations," the company said . "In addition to espionage, the threat actor recently engaged in at least two waves of disruptive attacks against Israel." WIRTE is the moniker assigned to a Middle Eastern advanced persistent threat (APT) that has been active since at least August 2018, targeting a broad spectrum of entities across the region. It was first documented by Spanish cybersecurity company S2 Grupo. The hacking crew is assessed to be part of a politically motivated group ca...

The Russian threat actor known as RomCom has been linked to a new wave of cyber attacks aimed at Ukrainian government agencies and unknown Polish entities since at least late 2023. The intrusions are characterized by the use of a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0), said Cisco Talos, which is monitoring the activity cluster under the moniker UAT-5647. "This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader," security researchers Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura noted . RomCom, also tracked as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has engaged in multi-motivational operations such as ransomware, extortion, and targeted credential gathering since its emergence in 2022. It's been assessed that the operational tempo of their attacks has increased in recent months with an aim to set up long-term persisten...

An advanced persistent threat (APT) actor with suspected ties to India has sprung forth with a flurry of attacks against high-profile entities and strategic infrastructures in the Middle East and Africa. The activity has been attributed to a group tracked as SideWinder , which is also known as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04. "The group may be perceived as a low-skilled actor due to the use of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true capabilities only become apparent when you carefully examine the details of their operations," Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov said . Targets of the attacks include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities, and oil trading companies located in Bangladesh, Djibouti, Jordan, Malaysia, the...

A little-known threat actor tracked as GoldenJackal has been linked to a series of cyber attacks targeting embassies and governmental organizations with an aim to infiltrate air-gapped systems using two disparate bespoke toolsets. Victims included a South Asian embassy in Belarus and a European Union (E.U.) government organization, Slovak cybersecurity company ESET said. "The ultimate goal of GoldenJackal seems to be stealing confidential information, especially from high-profile machines that might not be connected to the internet," security researcher Matías Porolli noted in an exhaustive analysis. GoldenJackal first came to light in May 2023, when Russian security vendor Kaspersky detailed the threat cluster's attacks on government and diplomatic entities in the Middle East and South Asia. The adversary's origins stretch back to at least 2019. An important characteristic of the intrusions is the use of a worm named JackalWorm that's capable of infectin...

Threat actors with ties to North Korea have been observed delivering a previously undocumented backdoor and remote access trojan (RAT) called VeilShell as part of a campaign targeting Cambodia and likely other Southeast Asian countries. The activity, dubbed SHROUDED#SLEEP by Securonix, is believed to be the handiwork of APT37 , which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft. Active since at least 2012, the adversarial collective is assessed to be part of North Korea's Ministry of State Security (MSS). Like with other state-aligned groups, those affiliated with North Korea, including the Lazarus Group and Kimsuky, vary in their modus operandi and likely have ever-evolving objectives based on state interests. A key malware in its toolbox is RokRAT (aka Goldbackdoor), although the group has also developed custom tools to facilitate covert intelligence gathering. It's currently not known how the first stage payload, a ZIP arc...

Threat actors with ties to North Korea have been observed leveraging two new malware strains dubbed KLogEXE and FPSpy. The activity has been attributed to an adversary tracked as Kimsuky , which is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima. "These samples enhance Sparkling Pisces' already extensive arsenal and demonstrate the group's continuous evolution and increasing capabilities," Palo Alto Networks Unit 42 researchers Daniel Frank and Lior Rochberger said . Active since at least 2012, the threat actor has been called the "king of spear-phishing" for its ability to trick victims into downloading malware by sending emails that make it seem like they are from trusted parties. Unit 42's analysis of Sparkling Pisces' infrastructure has uncovered two new portable executables referred to as KLogEXE and FPSpy. "These malware strains are known to be de...

An advanced threat actor with an India nexus has been observed using multiple cloud service providers to facilitate credential harvesting, malware delivery, and command-and-control (C2). Web infrastructure and security company Cloudflare is tracking the activity under the name SloppyLemming , which is also called Outrider Tiger and Fishing Elephant . "Between late 2022 to present, SloppyLemming has routinely used Cloudflare Workers, likely as part of a broad espionage campaign targeting South and East Asian countries," Cloudflare said in an analysis. SloppyLemming is assessed to be active since at least July 2021, with prior campaigns leveraging malware such as Ares RAT and WarHawk , the latter of which is also linked to a known hacking crew called SideWinder. The use of Ares RAT, on the other hand, has been attributed to SideCopy , a threat actor likely of Pakistani origin. Targets of the SloppyLemming's activity span government, law enforcement, energy, education...

A suspected advanced persistent threat (APT) originating from China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw impacting OSGeo GeoServer GeoTools. The intrusion activity, which was detected by Trend Micro in July 2024, has been attributed to a threat actor dubbed Earth Baxia . "Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand," researchers Ted Lee, Cyris Tseng, Pierre Lee, Sunny Lu, and Philip Chen said . The discovery of lure documents in Simplified Chinese points to China being one of the affected countries as well, although the cybersecurity company said it does not have enough information to determine what sectors within the coun...

An Iranian advanced persistent threat (APT) threat actor likely affiliated with the Ministry of Intelligence and Security (MOIS) is now acting as an initial access facilitator that provides remote access to target networks. Google-owned Mandiant is tracking the activity cluster under the moniker UNC1860 , which it said shares similarities with intrusion sets tracked by Microsoft, Cisco Talos, and Check Point as Storm-0861 (formerly DEV-0861), ShroudedSnooper , and Scarred Manticore , respectively. "A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that [...] supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East," the company said . The group first came to light in July 2022 in connection with destructive cyber attacks targeting Albania with a rans...

The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China. The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems. "KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning," Trend Micro researchers Cedric Pernet and Jaromir Horejsi said in an analysis published Wednesday. Some of the tools KTLVdoor impersonates include sshd, Java, SQLite, bash, and edr-agent, among others, with the malware distributed in the form of dynamic-link library (.dll) or a shared object (.so). Perhaps the most unusual aspect of the activity cluster is the discovery of more than 50 command-and-control (C&C) s...

Cybersecurity researchers have uncovered a novel malware campaign that leverages Google Sheets as a command-and-control (C2) mechanism. The activity, detected by Proofpoint starting August 5, 2024, impersonates tax authorities from governments in Europe, Asia, and the U.S., with the goal of targeting over 70 organizations worldwide by means of a bespoke tool called Voldemort that's equipped to gather information and deliver additional payloads. Targeted sectors include insurance, aerospace, transportation, academia, finance, technology, industrial, healthcare, automotive, hospitality, energy, government, media, manufacturing, telecom, and social benefit organizations.  The suspected cyber espionage campaign has not been attributed to a specific named threat actor. As many as 20,000 email messages have been sent as part of the attacks. These emails claim to be from tax authorities in the U.S., the U.K., France, Germany, Italy, India, and Japan, alerting recipients about chan...

Chinese-speaking users are the target of a "highly organized and sophisticated attack" campaign that is likely leveraging phishing emails to infect Windows systems with Cobalt Strike payloads. "The attackers managed to move laterally, establish persistence and remain undetected within the systems for more than two weeks," Securonix researchers Den Iuzvyk and Tim Peck said in a new report. The covert campaign, codenamed SLOW#TEMPEST and not attributed to any known threat actor, commences with malicious ZIP files that, when unpacked, activates the infection chain, leading to the deployment of the post-exploitation toolkit on compromised systems. Present with the ZIP archive is a Windows shortcut (LNK) file that disguises itself as a Microsoft Word file, "违规远程控制软件人员名单.docx.lnk," which roughly translates to "List of people who violated the remote control software regulations." "Given the language used in the lure files, it's likely th...