The Hacker News - Cybersecurity News and Analysis: Cyber Attack

An active espionage campaign has been attributed to the threat actor known as Molerats that abuses legitimate cloud services like Google Drive and Dropbox to host malware payloads and for command-and-control and the exfiltration of data from targets across the Middle East. The cyber offensive is believed to have been underway since at least July 2021,  according  to cloud-based information security company Zscaler, continuing  previous efforts  by the hacking group to conduct reconnaissance on the target hosts and plunder sensitive information. Molerats , also tracked as TA402, Gaza Hackers Team, and Extreme Jackal, is an advanced persistent threat (APT) group that's largely focused on entities operating in the Middle East. Attack activity associated with the actor has leveraged geopolitical and military themes to entice users to open Microsoft Office attachments and click on malicious links. The latest campaign detailed by Zscaler is no different in that it makes use of deco

A coordinated law enforcement operation has resulted in the arrest of 11 members allegedly belonging to a Nigerian cybercrime gang notorious for perpetrating business email compromise (BEC) attacks targeting more than 50,000 victims in recent years. The disruption of the BEC network is the result of a ten-day investigation dubbed  Operation Falcon II  undertaken by the Interpol along with participation from the Nigeria Police Force's Cybercrime Police Unit in December 2021. Cybersecurity firms  Group-IB  and Palo Alto Networks'  Unit 42 , both of which shared information on the threat actors and their infrastructure, said six of the 11 suspects are believed to be a part of a prolific group of Nigerian cyber actors known as SilverTerrier (aka TMT). BEC attacks, which began to gain dominance in 2013, are  sophisticated scams  that target legitimate business email accounts through social engineering schemes to infiltrate corporate networks and subsequently leverage their acce

A threat actor with potential links to an Indian cybersecurity company has been nothing if remarkably persistent in its attacks against military organizations based in South Asia, including Bangladesh, Nepal, and Sri Lanka, since at least September 2020 by deploying different variants of its bespoke malware framework. Slovak cybersecurity firm ESET attributed the highly targeted attack to a hacking group known as  Donot Team . "Donot Team has been consistently targeting the same entities with waves of spear-phishing emails with malicious attachments every two to four months," researchers Facundo Muñoz and Matías Porolli  said . Operating since at least 2016, Donot Team (also known as APT-C-35 and SectorE02) has been linked to a string of intrusions primarily targeting embassies, governments, and military entities in Bangladesh, Sri Lanka, Pakistan, and Nepal with Windows and Android malware. In October 2021, Amnesty International  unearthed evidence  tying the group'

The financially motivated  FIN8 actor , in all likelihood, has resurfaced with a never-before-seen ransomware strain called " White Rabbit " that was recently deployed against a local bank in the U.S. in December 2021. That's according to new findings published by Trend Micro, calling out the malware's overlaps with Egregor, which was taken down by Ukrainian law enforcement authorities in February 2021. "One of the most notable aspects of White Rabbit's attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine," the researchers  noted . "This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis." Egregor, which commenced operations in September 2020 until its operations took a huge hit, is widely believed to be a  reincarnation of Maze , which shut down its criminal enterp

The coordinated cyberattacks targeting  Ukrainian government websites  and the deployment of a data-wiper malware called  WhisperGate  on select government systems are part of a broader wave of malicious activities aimed at  sabotaging critical infrastructure  in the country. The Secret Service of Ukraine on Monday confirmed that the two incidents are related, adding the breaches also exploited the recently disclosed  Log4j vulnerabilities  to gain access to some of the compromised systems. "The attack used vulnerabilities in the site's content management systems (October CMS) and Log4j, as well as compromised accounts of employees of the development company," the SSU  said , corroborating prior disclosure from the  Ukraine CERT team . The disclosure comes days after Microsoft warned of a malware operation aimed at government, non-profit, and information technology entities in Ukraine, attributing the attacks to a threat cluster codenamed "DEV-0586." "

The government of Ukraine on Sunday formally accused Russia of masterminding the attacks that targeted websites of public institutions and government agencies this past week. "All the evidence points to the fact that Russia is behind the cyber attack," the Ministry of Digital Transformation  said  in a statement. "Moscow continues to wage a hybrid war and is actively building forces in the information and cyberspace." The purpose of the attack, said the ministry, "is not only to intimidate society," but to also "destabilize the situation in Ukraine by stopping the work of the public sector and undermining the confidence in the government on the part of Ukrainians." Russia, however, has denied it was behind the intrusion. "We have nothing to do with it, and Russia has nothing to do with these cyberattacks," Dmitry Peskov, press secretary for President Vladimir Putin,  told  CNN, adding "We are nearly accustomed to the fact that

Cybersecurity teams from Microsoft on Saturday disclosed they identified evidence of a new destructive malware operation dubbed " WhisperGate " targeting government, non-profit, and information technology entities in Ukraine amid brewing geopolitical tensions between the country and Russia. "The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable," Tom Burt, corporate vice president of customer security and trust at Microsoft, said , adding the intrusions were aimed at government agencies that provide critical executive branch or emergency response functions. Also among those affected by the malware is an IT firm that "manages websites for public and private sector clients, including government agencies whose websites were recently defaced ," Burt noted. The computing giant, which first detected the malware on January 13, attributed the attacks to an emerging threat cluster codenam

Operators associated with the Lazarus sub-group BlueNoroff have been linked to a series of cyberattacks targeting small and medium-sized companies worldwide with an aim to drain their cryptocurrency funds, in what's yet another financially motivated operation mounted by the prolific North Korean state-sponsored actor. Russian cybersecurity company Kaspersky, which is tracking the intrusions under the name " SnatchCrypto ," noted that the campaign has been running since at 2017, adding the attacks are aimed at startups in the FinTech sector located in China, Hong Kong, India, Poland, Russia, Singapore, Slovenia, the Czech Republic, the U.A.E., the U.S., Ukraine, and Vietnam. "The attackers have been subtly abusing the trust of the employees working at targeted companies by sending them a full-featured Windows backdoor with surveillance functions, disguised as a contract or another business file," the researchers  said . "In order to eventually empty the v

Cybersecurity researchers have decoded the mechanism by which the versatile Qakbot banking trojan handles the insertion of encrypted configuration data into the  Windows Registry . Qakbot, also known as QBot, QuackBot and Pinkslipbot, has been  observed   in the wild  since 2007. Although mainly fashioned as an information-stealing malware, Qakbot has since shifted its goals and acquired new functionality to deliver post-compromise attack platforms such as Cobalt Strike Beacon, with the final objective of loading ransomware on infected machines. "It has been continually developed, with new capabilities introduced such as lateral movement, the ability to exfiltrate email and browser data, and to install additional malware," Trustwave researchers Lloyd Macrohon and Rodel Mendrez said in a report shared with The Hacker News. In recent months, phishing campaigns have culminated in the distribution of a  new loader  called  SQUIRRELWAFFLE , which acts as a channel to retrieve

The U.S. Cyber Command (USCYBERCOM) on Wednesday officially confirmed MuddyWater's ties to the Iranian intelligence apparatus, while simultaneously detailing the various tools and tactics adopted by the espionage actor to burrow into victim networks. "MuddyWater has been seen using a variety of techniques to maintain access to victim networks," USCYBERCOM's Cyber National Mission Force (CNMF)  said  in a statement. "These include side-loading  DLLs  in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions." The agency characterized the hacking efforts as a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), corroborating earlier reports about the nation-state actor's provenance. Also tracked under the monikers Static Kitten, Seedworm, Mercury and TEMP.Zagros,  MuddyWater  is known for its  attacks  primarily directed against a wide gamut of en

Amid renewed tensions between the U.S. and Russia over  Ukraine  and  Kazakhstan , American cybersecurity and intelligence agencies on Tuesday released a joint advisory on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored actors. To that end, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have laid bare the tactics, techniques, and procedures (TTPs) adopted by the adversaries, including spear-phishing, brute-force, and  exploiting known vulnerabilities  to gain initial access to target networks. The list of flaws exploited by Russian hacking groups to gain an initial foothold, which the agencies said are "common but effective," are below — CVE-2018-13379  (FortiGate VPNs) CVE-2019-1653  (Cisco router) CVE-2019-2725  (Oracle WebLogic Server) CVE-2019-7609  (Kibana) CVE-2019-9670  (Zimbra software) CVE-2019-10149  (Exim Simple Mail Transf

Microsoft is warning of continuing attempts by nation-state adversaries and commodity attackers to take advantage of  security vulnerabilities  uncovered in the Log4j open-source logging framework to deploy malware on vulnerable systems. "Exploitation attempts and testing have remained high during the last weeks of December," Microsoft Threat Intelligence Center (MSTIC)  said  in revised guidance published earlier this week. "We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks." Publicly disclosed by the Apache Software Foundation on December 10, 2021, the remote code execution (RCE) vulnerability in Apache Log4j 2, aka  Log4Shell , has emerged as a new attack vector for  widespread exploitation  by a variety of threat actors. In the subsequent weeks, four more weaknesses in the utility have come to light —  CVE-2021-45046 ,  CVE-2021-45105 , 

A never-before-seen China-based targeted intrusion adversary dubbed Aquatic Panda has been observed leveraging  critical flaws  in the Apache Log4j logging library as an access vector to perform various post-exploitation operations, including reconnaissance and credential harvesting on targeted systems. Cybersecurity firm CrowdStrike said the infiltration, which was ultimately foiled, was aimed at an unnamed "large academic institution." The state-sponsored group is believed to have been operating since mid-2020 in pursuit of intelligence collection and industrial espionage, with its attacks primarily directed against companies in the telecommunications, technology, and government sectors. The attempted intrusion exploited the newly discovered  Log4Shell  flaw (CVE-2021-44228, CVSS score: 10.0) to gain access to a vulnerable instance of the  VMware Horizon  desktop and app virtualization product, followed by running a series of malicious commands orchestrated to fetch thr

Cybersecurity researchers have disclosed details of an evasive malware campaign that makes use of valid code signing certificates to sneak past security defenses and stay under the radar with the goal of deploying Cobalt Strike and BitRAT payloads on compromised systems. The binary, a loader, has been dubbed "Blister" by researchers from Elastic Security, with the malware samples having  negligible  to  zero  detections on VirusTotal. As of writing, the infection vector used to stage the attack, as well as the ultimate objectives of the intrusion, remains unknown. A notable aspect of the attacks is that they leverage a valid code signing certificate issued by  Sectigo . The malware has been observed signed with the certificate in question dating back to September 15, 2021. Elastic said it reached out to the company to ensure that the abused certificates are revoked. "Executables with valid code signing certificates are often scrutinized to a lesser degree than unsig

The last several years have seen an ever-increasing number of cyber-attacks, and while the frequency of such attacks has increased, so too has the resulting damage. One needs only to look at  CISA's list of significant cyber incidents  to appreciate the magnitude of the problem. In May of 2021, for example, a ransomware attack brought down the Colonial Pipeline, causing a serious fuel disruption for much of the United States. Just last month, a hacking group gained access to call logs and text messages from telecommunications carriers all over the world. These are just two of dozens of cyber-attacks occurring this year. Because of these and other cyber security incidents, the Department of Homeland Security issues a  compulsory directive  to federal agencies to better protect federal information systems and the data that they contain against cyber-attack. This directive is based around  CISA's catalog of vulnerabilities  that are known to pose a significant risk. The directi

A U.S. federal government commission associated with international rights has been targeted by a backdoor that reportedly compromised its internal network in what the researchers described as a "classic APT-type operation."  "This attack could have given total visibility of the network and complete control of a system and thus could be used as the first step in a multi-stage attack to penetrate this, or other networks more deeply," Czech security company Avast  said  in a report published last week. The name of the federal entity was not disclosed, but reports from  Ars Technica  and  The Record  tied it to the U.S. Commission on International Religious Freedom ( USCIRF ). Avast said it was making its findings public after unsuccessful attempts to directly notify the agency about the intrusion and through other channels put in place by the U.S. government. At this stage, only "parts of the attack puzzle" have been uncovered, leaving the door open for

The issues with Log4j continued to stack up as the Apache Software Foundation (ASF) on Friday rolled out yet another patch — version 2.17.0 — for the widely used logging library that could be exploited by malicious actors to stage a denial-of-service (DoS) attack. Tracked as  CVE-2021-45105  (CVSS score: 7.5), the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0, which the open-source nonprofit shipped earlier this week to remediate a second flaw that could result in remote code execution ( CVE-2021-45046 ), which, in turn, stemmed from an "incomplete" fix for  CVE-2021-44228 , otherwise called the Log4Shell vulnerability. "Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups," the ASF  explained  in a revised advisory. "When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control o

Industrial and government organizations, including enterprises in the military-industrial complex and research laboratories, are the targets of a new malware botnet dubbed  PseudoManyscrypt  that has infected roughly 35,000 Windows computers this year alone. The name comes from its similarities to the  Manuscrypt   malware , which is part of the  Lazarus  APT group's attack toolset, Kaspersky researchers said, characterizing the operation as a "mass-scale spyware attack campaign." The Russian cybersecurity company said it first detected the series of intrusions in June 2021. At least 7.2% of all computers attacked by the malware are part of industrial control systems (ICS) used by organizations in engineering, building automation, energy, manufacturing, construction, utilities, and water management sectors that are located mainly in India, Vietnam, and Russia. Approximately a third (29.4%) of non-ICS computers are situated in Russia (10.1%), India (10%), and Brazil (9.

Malicious actors are deploying a previously undiscovered binary, an Internet Information Services ( IIS ) webserver module dubbed " Owowa ," on Microsoft Exchange Outlook Web Access servers with the goal of stealing credentials and enabling remote command execution. "Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange's Outlook Web Access (OWA)," Kaspersky researchers Paul Rascagneres and Pierre Delcher  said . "When loaded this way, Owowa will steal credentials that are entered by any user in the OWA login page, and will allow a remote operator to run commands on the underlying server." The idea that a rogue IIS module can be fashioned as a backdoor is not new. In August 2021, an exhaustive study of the IIS threat landscape by Slovak cybersecurity company ESET revealed  as many as 14 malware families that were developed as native IIS modules in an attempt to interc