#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Cyberespionage | Breaking Cybersecurity News | The Hacker News

SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations

SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations

Aug 31, 2023 Malware / Cyber Threat
An open-source .NET-based information stealer malware dubbed  SapphireStealer  is being used by multiple entities to enhance its capabilities and spawn their own bespoke variants. "Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion," Cisco Talos researcher Edmund Brumaghin  said  in a report shared with The Hacker News. An entire ecosystem has developed over time that allows both financially motivated and nation-state actors to use services from purveyors of stealer malware to carry out various kinds of attacks. Viewed in that light, such malware not only represents an evolution of the cybercrime-as-a-service (CaaS) model, they also offer other threat actors to monetize the stolen data to distribute ransomware, conduct data theft, and other maliciou
U.S. Government Agencies' Emails Compromised in China-Backed Cyber Attack

U.S. Government Agencies' Emails Compromised in China-Backed Cyber Attack

Jul 13, 2023 Cyber Espionage / Email Security
An unnamed Federal Civilian Executive Branch (FCEB) agency in the U.S. detected anomalous email activity in mid-June 2023, leading to Microsoft's discovery of a new China-linked  espionage campaign  targeting two dozen organizations. The details come from a joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) on July 12, 2023. "In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment," the authorities  said . "Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data." While the name of the government agency was not revealed,  CNN  and  the Washington Post  reported it was the U.S. State Department, citing people familiar with the matter. Also targeted were the Commerce Department as well as the email accou
How to Find and Fix Risky Sharing in Google Drive

How to Find and Fix Risky Sharing in Google Drive

Mar 06, 2024Data Security / Cloud Security
Every Google Workspace administrator knows how quickly Google Drive becomes a messy sprawl of loosely shared confidential information. This isn't anyone's fault; it's inevitable as your productivity suite is purposefully designed to enable real-time collaboration – both internally and externally.  For Security & Risk Management teams, the untenable risk of any Google Drive footprint lies in the toxic combinations of sensitive data, excessive permissions, and improper sharing. However, it can be challenging to differentiate between typical business practices and potential risks without fully understanding the context and intent.  Material Security, a company renowned for its innovative method of protecting sensitive data within employee mailboxes, has recently launched  Data Protection for Google Drive  to safeguard the sprawl of confidential information scattered throughout Google Drive with a powerful discovery and remediation toolkit. How Material Security helps organ
State-Backed Hackers Employ Advanced Methods to Target Middle Eastern and African Governments

State-Backed Hackers Employ Advanced Methods to Target Middle Eastern and African Governments

Jun 19, 2023 Cyber Attack / Hacking
Governmental entities in the Middle East and Africa have been at the receiving end of sustained cyber-espionage attacks that leverage never-before-seen and rare credential theft and Exchange email exfiltration techniques. "The main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, military activities, and ministries of foreign affairs," Lior Rochberger, senior threat researcher at Palo Alto Networks,  said  in a technical deep dive published last week. The company's Cortex Threat Research team is  tracking  the activity under the temporary name  CL-STA-0043  (where CL stands for cluster and STA stands for state-backed motivation), describing it as a "true advanced persistent threat." The infection chain is triggered by the exploitation of vulnerable on-premises Internet Information Services ( IIS ) and Microsoft Exchange servers to infiltrate target networks. Palo Alto Networks said it det
cyber security

Uncover Critical Gaps in 7 Core Areas of Your Cybersecurity Program

websiteArmor PointCyber Security / Assessment
Turn potential vulnerabilities into strengths. Start evaluating your defenses today. Download the Checklist.
Tick APT Targeted High-Value Customers of East Asian Data-Loss Prevention Company

Tick APT Targeted High-Value Customers of East Asian Data-Loss Prevention Company

Mar 15, 2023 Cyber Attack / Data Safety
A cyberespionage actor known as Tick has been attributed with high confidence to a compromise of an East Asian data-loss prevention (DLP) company that caters to government and military entities. "The attackers compromised the DLP company's internal update servers to deliver malware inside the software developer's network, and trojanized installers of legitimate tools used by the company, which eventually resulted in the execution of malware on the computers of the company's customers," ESET researcher Facundo Muñoz  said . Tick , also known as Bronze Butler, REDBALDKNIGHT , Stalker Panda, and Stalker Taurus, is a suspected China-aligned collective that has primarily gone after government, manufacturing, and biotechnology firms in Japan. It's said to be active  since at least 2006 . Other lesser-known targets include Russian, Singaporean, and Chinese enterprises. Attack chains orchestrated by the group have typically leveraged spear-phishing emails and  str
North Korean UNC2970 Hackers Expands Operations with New Malware Families

North Korean UNC2970 Hackers Expands Operations with New Malware Families

Mar 10, 2023 Cyber Attack / Malware
A North Korean espionage group tracked as  UNC2970  has been observed employing previously undocumented malware families as part of a spear-phishing campaign targeting U.S. and European media and technology organizations since June 2022. Google-owned Mandiant said the threat cluster shares "multiple overlaps" with a  long-running   operation   dubbed  " Dream Job " that employs job recruitment lures in email messages to trigger the infection sequence. UNC2970 is the new moniker designated by the threat intelligence firm to a set of North Korean cyber activity that maps to UNC577 (aka Temp.Hermit ), and which also comprises another nascent threat cluster tracked as UNC4034. The UNC4034 activity, as  documented  by Mandiant in September 2022, entailed the use of WhatsApp to socially engineer targets into downloading a  backdoor  called AIRDRY.V2 under the pretext of sharing a skills assessment test. "UNC2970 has a concerted effort towards obfuscation and emp
Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

Jan 08, 2023 Cyberespionage / Threat Analysis
The Russian cyberespionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine. Google-owned Mandiant, which is tracking the operation under the uncategorized cluster moniker  UNC4210 , said the hijacked servers correspond to a variant of a commodity malware called  ANDROMEDA  (aka Gamarue) that was uploaded to VirusTotal in 2013. "UNC4210 re-registered at least three expired ANDROMEDA command-and-control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022," Mandiant researchers  said  in an analysis published last week. Turla, also known by the names Iron Hunter, Krypton, Uroburos, Venomous Bear, and Waterbug, is an elite nation-state outfit that primarily targets government, diplomatic, and military organizations using a large set of custom malware. Since the onset of Russia's  milit
Cyber Attacks Against Middle East Governments Hide Malware in Windows Logo

Cyber Attacks Against Middle East Governments Hide Malware in Windows Logo

Sep 30, 2022
An espionage-focused threat actor has been observed using a steganographic trick to conceal a previously undocumented backdoor in a Windows logo in its attacks against Middle Eastern governments. Broadcom's Symantec Threat Hunter Team attributed the updated tooling to a hacking group it tracks under the name  Witchetty , which is also known as  LookingFrog , a subgroup operating under the TA410 umbrella. Intrusions involving TA410 – which is believed to share connections with a Chinese threat group known as APT10 (aka Cicada, Stone Panda, or TA429) – primarily feature a modular implant called LookBack. Symantec's latest analysis of attacks between February and September 2022, during which the group targeted the governments of two Middle Eastern countries and the stock exchange of an African nation, highlights the use of another backdoor dubbed Stegmap. The new malware leverages  steganography  – a technique used to embed a message (in this case, malware) in a non-secret d
Worok Hackers Target High-Profile Asian Companies and Governments

Worok Hackers Target High-Profile Asian Companies and Governments

Sep 06, 2022
High-profile companies and local governments located primarily in Asia are the subjects of targeted attacks by a previously undocumented espionage group dubbed  Worok  that has been active since late 2020. "Worok's toolset includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to extract hidden malicious payloads from PNG files," ESET researcher Thibaut Passilly  said  in a new report published today. Worok is said to share overlaps in tools and interests with another adversarial collective tracked as  TA428 , with the group linked to attacks against entities spanning energy, financial, maritime, and telecom sectors in Asia as well as a government agency in the Middle East and a private firm in southern Africa. Malicious activities undertaken by the group experienced a noticeable break from May 2021 to January 2022, before resuming the next month. The Slovak cybersecurity firm assessed the group's goals
Chinese Hackers Caught Stealing Intellectual Property from Multinational Companies

Chinese Hackers Caught Stealing Intellectual Property from Multinational Companies

May 04, 2022
An elusive and sophisticated cyberespionage campaign orchestrated by the China-backed Winnti group has managed to fly under the radar since at least 2019. Dubbed " Operation CuckooBees " by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information. Targets included technology and manufacturing companies primarily located in East Asia, Western Europe, and North America. "The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data," the researchers  said . "In addition, the attackers collected information that could be used for future cyberattacks, such as details about the target company's business units, network architecture, user accounts and credentials, employee emails, and customer data." Winnti, also tracked by other
Experts Detail 3 Hacking Teams Working Under the Umbrella of TA410 Group

Experts Detail 3 Hacking Teams Working Under the Umbrella of TA410 Group

Apr 28, 2022
A cyberespionage threat actor known for targeting a variety of critical infrastructure sectors in Africa, the Middle East, and the U.S. has been observed using an upgraded version of a remote access trojan with information stealing capabilities. Calling  TA410  an umbrella group comprised of three teams dubbed FlowingFrog, LookingFrog, and JollyFrog, Slovak cybersecurity firm ESET  assessed  that "these subgroups operate somewhat independently, but that they may share intelligence requirements, an access team that runs their spear-phishing campaigns, and also the team that deploys network infrastructure." TA410 — said to share behavioral and tooling overlaps with  APT10  (aka Stone Panda or TA429) — has a history of targeting U.S.-based organizations in the utilities sector as well as diplomatic entities in the Middle East and Africa. Other identified victims of the hacker collective include a manufacturing company in Japan, a mining business in India, and a charity in Is
Chinese Hackers Using Firefox Extension to Spy On Tibetan Organizations

Chinese Hackers Using Firefox Extension to Spy On Tibetan Organizations

Feb 25, 2021
Cybersecurity researchers today unwrapped a new campaign aimed at spying on vulnerable Tibetan communities globally by deploying a malicious Firefox extension on target systems. "Threat actors aligned with the Chinese Communist Party's state interests delivered a customized malicious Mozilla Firefox browser extension that facilitated access and control of users' Gmail accounts," Proofpoint said in an analysis. The Sunnyvale-based enterprise security company pinned the phishing operation on a Chinese advanced persistent threat (APT) it tracks as  TA413 , which has been previously attributed to attacks against the Tibetan diaspora by leveraging  COVID-themed lures  to deliver the Sepulcher malware with the strategic goal of espionage and civil dissident surveillance. The researchers said the attacks were detected in January and February 2021, a pattern that has continued since March 2020. The infection chain begins with a phishing email impersonating the "Tib
Iranian Hackers Utilize ScreenConnect to Spy On UAE, Kuwait Government Agencies

Iranian Hackers Utilize ScreenConnect to Spy On UAE, Kuwait Government Agencies

Feb 11, 2021
UAE and Kuwait government agencies are targets of a new cyberespionage campaign potentially carried out by Iranian threat actors, according to new research. Attributing the operation to be the work of  Static Kitten  (aka MERCURY or MuddyWater), Anomali  said  the "objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise 2015) with unique launch parameters that have custom properties," with malware samples and URLs masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait and the UAE National Council. Since its origins in 2017, MuddyWater has been tied to a number of attacks primarily against Middle Eastern nations, actively  exploiting Zerologon vulnerability  in real-world attack campaigns to strike prominent  Israeli organizations  with malicious payloads. The state-sponsored hacking group is believed to be working at the behest of Iran's Islamic Republic Guard Corps, the country's primary intellig
Cybersecurity Resources