#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter
CrowdSec

Mandiant | Breaking Cybersecurity News | The Hacker News

New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids

New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids
May 26, 2023 ICS/SCADA Security
A new strain of malicious software that's engineered to penetrate and disrupt critical systems in industrial environments has been unearthed. Google-owned threat intelligence firm Mandiant dubbed the malware  COSMICENERGY , adding it was uploaded to the VirusTotal public malware scanning utility in December 2021 by a submitter in Russia. There is no evidence that it has been put to use in the wild. "The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units ( RTUs ), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia," the company  said . COSMICENERGY is the latest addition to  specialized   malware  like Stuxnet, Havex, Triton, IRONGATE, BlackEnergy2, Industroyer, and PIPEDREAM, which are capable of sabotaging critical systems and wreaking havoc. Mandiant said that there are circumstantial links that it may have bee

Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover

Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover
May 17, 2023 SIM Swapping / Server Security
A financially motivated cyber actor has been observed abusing Microsoft Azure  Serial Console  on virtual machines (VMs) to install third-party remote management tools within compromised environments. Google-owned Mandiant attributed the activity to a threat group it tracks under the name  UNC3944 , which is also known as Roasted 0ktapus and Scattered Spider. "This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM," the threat intelligence firm  said . The emerging adversary, which first came to light late last year, is known to  leverage SIM swapping attacks  to breach telecommunications and business process outsourcing (BPO) companies since at least May 2022. Subsequently, Mandiant also  found  UNC3944 utilizing a loader named STONESTOP to install a malicious signed driver dubbed POORTRY that's designed to terminate processes associated

external linkSay Goodbye to SaaS Blind Spots: Wing Security Unveils Free Discovery Tool

SaaS
websitewww.wing.securitySaaS Security / Attack Surface
Wing Security finds and ranks all SaaS applications completely for free, removing unnecessary risk.

Why Honeytokens Are the Future of Intrusion Detection

Why Honeytokens Are the Future of Intrusion Detection
May 10, 2023 Intrusion Detection / Honeypot
A few weeks ago, the 32nd edition of RSA, one of the world's largest cybersecurity conferences, wrapped up in San Francisco. Among the highlights, Kevin Mandia, CEO of Mandiant at Google Cloud, presented a retrospective on  the state of cybersecurity . During his keynote, Mandia stated: "There are clear steps organizations can take beyond common safeguards and security tools to strengthen their defenses and increase their chances of detecting, thwarting or minimizing attack [...] Honeypots , or fake accounts deliberately left untouched by authorized users,  are effective at helping organizations detect intrusions or malicious activities that security products can't stop ". "Build honeypots" was one of his seven pieces of advice to help organizations avoid some of the attacks that might require engagement with Mandiant or other incident response firms. As a reminder, honeypots are  decoy systems  that are set up to lure attackers and divert their attentio

North Korean Hackers Uncovered as Mastermind in 3CX Supply Chain Attack

North Korean Hackers Uncovered as Mastermind in 3CX Supply Chain Attack
Apr 12, 2023 Software Security / Cyber Attack
Enterprise communications service provider 3CX confirmed that the  supply chain attack  targeting its desktop application for Windows and macOS was the handiwork of a threat actor with North Korean nexus. The findings are the result of an interim assessment conducted by Google-owned Mandiant, whose services were enlisted after the intrusion came to light late last month. The threat intelligence and incident response unit is tracking the activity under its uncategorized moniker  UNC4736 . It's worth noting that CrowdStrike has tied the attack to a Lazarus sub-group dubbed Labyrinth Chollima , citing tactical overlaps. The cybersecurity firm told The Hacker News the latest findings appear to be consistent with their previous attribution. The  attack chain , based on analyses from multiple security vendors, entailed the use of DLL side-loading techniques to load an information stealer known as ICONIC Stealer, followed by a second-stage called  Gopuram  in selective attacks aimed

Gootkit Malware Continues to Evolve with New Components and Obfuscations

Gootkit Malware Continues to Evolve with New Components and Obfuscations
Jan 29, 2023 Cyber Threat / Malware
The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is  monitoring  the activity cluster under the moniker  UNC2565 , noting that the usage of the malware is "exclusive to this group." Gootkit , also called Gootloader, is spread through compromised websites that victims are tricked into visiting when searching for business-related documents like agreements and contracts via a technique called search engine optimization (SEO) poisoning. The purported documents take the form of ZIP archives that harbor the JavaScript malware, which, when launched, paves the way for additional payloads such as  Cobalt Strike Beacon , FONELAUNCH, and SNOWCONE. FONELAUNCH is a .NET-based loader designed to load an encoded payload into memory, whereas SNOWCONE is a downloader that's tasked with retrieving next-stage payloads, typically  IcedID ,

Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors
Jan 08, 2023 Cyberespionage / Threat Analysis
The Russian cyberespionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine. Google-owned Mandiant, which is tracking the operation under the uncategorized cluster moniker  UNC4210 , said the hijacked servers correspond to a variant of a commodity malware called  ANDROMEDA  (aka Gamarue) that was uploaded to VirusTotal in 2013. "UNC4210 re-registered at least three expired ANDROMEDA command-and-control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022," Mandiant researchers  said  in an analysis published last week. Turla, also known by the names Iron Hunter, Krypton, Uroburos, Venomous Bear, and Waterbug, is an elite nation-state outfit that primarily targets government, diplomatic, and military organizations using a large set of custom malware. Since the onset of Russia's  milit

Trojanized Windows 10 Installer Used in Cyberattacks Against Ukrainian Government Entities

Trojanized Windows 10 Installer Used in Cyberattacks Against Ukrainian Government Entities
Dec 16, 2022 Cyber Espionage / Supply Chain Attack
Government entities in Ukraine have been breached as part of a new campaign that leveraged trojanized versions of Windows 10 installer files to conduct post-exploitation activities. Mandiant, which discovered the "socially engineered supply chain" attack around mid-July 2022, said the malicious ISO files were distributed via Ukrainian- and Russian-language Torrent websites. It's tracking the threat cluster as  UNC4166 . "Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it," the cybersecurity company  said  in a technical deep dive published Thursday. Although the adversarial collective's provenance is unknown, the intrusions are said to have targeted organizations that were previously victims of disruptive wiper attacks attributed to  APT28 , a  Russian state-sponsored actor . The ISO file, per the Google-owned threat intelligence firm, was designed to disable the transmission of te

APT29 Exploited a Windows Feature to Compromise European Diplomatic Entity Network

APT29 Exploited a Windows Feature to Compromise European Diplomatic Entity Network
Nov 09, 2022
The Russia-linked APT29 nation-state actor has been found leveraging a "lesser-known" Windows feature called Credential Roaming following a successful phishing attack against an unnamed European diplomatic entity. "The diplomatic-centric targeting is consistent with Russian strategic priorities as well as historic APT29 targeting," Mandiant researcher Thibault Van Geluwe de Berlaere  said  in a technical write-up. APT29, a Russian espionage group also called Cozy Bear, Iron Hemlock, and The Dukes, is  known  for its intrusions aimed at collecting intelligence that align with the country's strategic objectives. It's believed to be sponsored by the Foreign Intelligence Service (SVR). Some of the adversarial collective's cyber activities are tracked publicly under the moniker  Nobelium , a threat cluster responsible for the widespread supply chain compromise through SolarWinds software in December 2020. The Google-owned threat intelligence and inciden

New Chinese Cyberespionage Group Targeting IT Service Providers and Telcos

New Chinese Cyberespionage Group Targeting IT Service Providers and Telcos
Oct 14, 2022
Telecommunications and IT service providers in the Middle East and Asia are being targeted by a previously undocumented Chinese-speaking threat group dubbed WIP19 . The espionage-related attacks are characterized by the use of a stolen digital certificate issued by a Korean company called DEEPSoft to sign malicious artifacts deployed during the infection chain to evade detection. "Almost all operations performed by the threat actor were completed in a 'hands-on keyboard' fashion, during an interactive session with compromised machines," SentinelOne researchers Joey Chen and Amitai Ben Shushan Ehrlich  said  in a report this week. "This meant the attacker gave up on a stable [command-and-control] channel in exchange for stealth." WIP, short for work-in-progress, is the moniker assigned by SentinelOne to emerging or hitherto unattributed activity clusters,  similar  to the UNC####, DEV-####, and TAG-## designations given by Mandiant, Microsoft, and Reco

New Malware Families Found Targeting VMware ESXi Hypervisors

New Malware Families Found Targeting VMware ESXi Hypervisors
Sep 30, 2022
Threat actors have been found deploying never-before-seen post-compromise implants in VMware's virtualization software to seize control of infected systems and evade detection. Google's Mandiant threat intelligence division referred to it as a "novel malware ecosystem" that impacts VMware ESXi, Linux vCenter servers, and Windows virtual machines, allowing attackers to maintain persistent access to the  hypervisor  as well as execute arbitrary commands. The  hyperjacking attacks , per the cybersecurity vendor, involved the use of malicious vSphere Installation Bundles ( VIBs ) to sneak in two implants, dubbed VIRTUALPITA and VIRTUALPIE, on the ESXi hypervisors. "It is important to highlight that this is not an external remote code execution vulnerability; the attacker needs admin-level privileges to the ESXi hypervisor before they can deploy malware," Mandiant researchers Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore said in an exhaus

Researchers Identify 3 Hacktivist Groups Supporting Russian Interests

Researchers Identify 3 Hacktivist Groups Supporting Russian Interests
Sep 26, 2022
At least three alleged hacktivist groups working in support of Russian interests are likely doing so in collaboration with state-sponsored cyber threat actors, according to Mandiant. The Google-owned threat intelligence and incident response firm  said  with moderate confidence that "moderators of the purported hacktivist Telegram channels 'XakNet Team,' 'Infoccentr,' and 'CyberArmyofRussia_Reborn' are coordinating their operations with Russian Main Intelligence Directorate (GRU)-sponsored cyber threat actors." Mandiant's assessment is based on evidence that the leakage of data stolen from Ukrainian organizations occurred within 24 hours of  malicious wiper incidents  undertaken by the Russian nation-state group tracked as  APT28  (aka Fancy Bear, Sofacy, or Strontium). To that end, four of the 16 data leaks from these groups coincided with  disk wiping malware attacks  by APT28 that involved the use of a strain dubbed  CaddyWiper . APT28 , a

North Korean Hackers Spreading Trojanized Versions of PuTTY Client Application

North Korean Hackers Spreading Trojanized Versions of PuTTY Client Application
Sep 16, 2022
A threat with a North Korea nexus has been found leveraging a "novel spear phish methodology" that involves making use of trojanized versions of the PuTTY SSH and Telnet client. Google-owned threat intelligence firm Mandiant attributed the new campaign to an emerging threat cluster it tracks under the name  UNC4034 . "UNC4034 established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility," Mandiant researchers  said . The utilization of fabricated job lures as a pathway for malware distribution is an oft-used tactic by North Korean state-sponsored actors, including the Lazarus Group, as part of an enduring campaign called  Operation Dream Job . The entry point of the attack is an ISO file that masquerades as an Amazon Assessment as part of a potential job opportunity at the tech giant.

Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents

Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents
Sep 11, 2022
A state-sponsored advanced persistent threat (APT) actor newly christened APT42 (formerly UNC788) has been attributed to over 30 confirmed espionage attacks against individuals and organizations of strategic interest to the Iranian government at least since 2015. Cybersecurity firm Mandiant said the group operates as the intelligence gathering arm of Iran's Islamic Revolutionary Guard Corps (IRGC), not to mention shares partial overlaps with another cluster called  APT35 , which is also known as Charming Kitten, Cobalt Illusion, ITG18, Phosphorus, TA453, and Yellow Garuda. APT42 has exhibited a propensity to strike various industries such as non-profits, education, governments, healthcare, legal, manufacturing, media, and pharmaceuticals spanning at least 14 countries, including in Australia, Europe, the Middle East, and the U.S. Intrusions aimed at the pharmaceutical sector are also notable for the fact that they commenced at the onset of the COVID-19 pandemic in March 2020, i

Suspected Iranian Hackers Targeted Several Israeli Organizations for Espionage

Suspected Iranian Hackers Targeted Several Israeli Organizations for Espionage
Aug 23, 2022
A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations as part of an espionage-focused campaign that commenced in late 2020. Cybersecurity firm Mandiant is tracking the group under its uncategorized moniker  UNC3890 , which is believed to conduct operations that align with Iranian interests. "The collected data may be leveraged to support various activities, from hack-and-leak, to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years," the company's Israel Research Team  noted . Intrusions mounted by the group lead to the deployment of two proprietary pieces of malware: a "small but efficient" backdoor named SUGARUSH and a browser credential stealer called SUGARDUMP that exfiltrates password information to an email address associated with Gmail, ProtonMail, Yahoo, and Yandex. Also employed is a network of command-and-con

Iranian Hackers Likely Behind Disruptive Cyberattacks Against Albanian Government

Iranian Hackers Likely Behind Disruptive Cyberattacks Against Albanian Government
Aug 05, 2022
A threat actor working to further Iranian goals is said to have been behind a set of damaging cyberattacks against Albanian government services in mid-July 2022. Cybersecurity firm Mandiant  said  the malicious activity against a NATO state represented a "geographic expansion of Iranian disruptive cyber operations." The  July 17 attacks , according to Albania's National Agency of Information Society, forced the government to "temporarily close access to online public services and other government websites" because of a "synchronized and sophisticated cybercriminal attack from outside Albania." The politically motivated disruptive operation, per Mandiant, entailed the deployment of a new ransomware family called ROADSWEEP that included a ransom note with the text: "Why should our taxes be spent on the benefit of DURRES terrorists?" A front named HomeLand Justice has since claimed responsibility for the cyber offensive, with the group als

New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions

New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions
May 03, 2022
A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments. Mandiant is tracking the activity cluster under the uncategorized moniker UNC3524, citing a lack of evidence linking it to an existing group. However, some of the intrusions are said to mirror techniques used by different Russia-based hacking crews like  APT28  and  APT29 .  "The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the 'advanced' in Advanced Persistent Threat," the threat intelligence firm  said  in a Monday report. The initial access route is unknown but upon gaining a foothold, attack chains involving UNC3524 culminate in the deployment of a novel backdoor called QUIETEXIT for persistent remote access for as long as

Russian Hackers Targeting Diplomatic Entities in Europe, Americas, and Asia

Russian Hackers Targeting Diplomatic Entities in Europe, Americas, and Asia
May 02, 2022
A Russian state-sponsored threat actor has been observed targeting diplomatic and government entities as part of a series of phishing campaigns commencing on January 17, 2022. Threat intelligence and incident response firm Mandiant attributed the attacks to a hacking group tracked as APT29 (aka Cozy Bear), with some set of the activities associated with the crew assigned the moniker  Nobelium  (aka UNC2452/2652). "This latest wave of spear phishing showcases APT29's enduring interests in obtaining diplomatic and foreign policy information from governments around the world," Mandiant  said  in a report published last week. The initial access is said to have been aided through spear-phishing emails masquerading as administrative notices, using legitimate but compromised email addresses from other diplomatic entities. These emails contain an HTML dropper attachment called ROOTSAW (aka  EnvyScout ) that, when opened, triggers an infection sequence that delivers and exec
Cybersecurity Resources