Spear-Phishing | Breaking Cybersecurity News | The Hacker News

The threat actor known as Bitter has been assessed to be a state-backed hacking group that's tasked with gathering intelligence that aligns with the interests of the Indian government. That's according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis. "Their diverse toolset shows consistent coding patterns across malware families, particularly in system information gathering and string obfuscation," researchers Abdallah Elshinbary, Jonas Wagner, Nick Attfield, and Konstantin Klinger said. Bitter, also known as APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, T-APT-17, and TA397, has a history of focusing primarily on South Asian entities , with select intrusions also targeting China, Saudi Arabia, and South America. In December 2024, evidence emerged of the threat actor's targeting of Turkey using malware families such as WmRAT and MiyaRAT, indicating a gradual geographical expansion. Stating that Bitter fr...

Threat hunters have shed more light on a previously disclosed malware campaign undertaken by the China-aligned MirrorFace threat actor that targeted a diplomatic organization in the European Union with a backdoor known as ANEL. The attack, detected by ESET in late August 2024, singled out a Central European diplomatic institute with lures related to Word Expo , which is scheduled to kick off in Osaka, Japan, next month. The activity has been codenamed Operation AkaiRyū (Japanese for RedDragon). Active since at least 2019, MirrorFace is also referred to as Earth Kasha. It's assessed to be a subgroup within the APT10 umbrella. While known for its exclusive targeting of Japanese entities, the threat actor's attack on a European organization marks a departure from its typical victimology footprint. That's not all. The intrusion is also notable for deploying a heavily customized variant of AsyncRAT and ANEL (aka UPPERCUT), a backdoor previously linked to APT10. The use ...

A spear-phishing email campaign has been observed targeting recruiters with a JavaScript backdoor called More_eggs, indicating persistent efforts to single out the sector under the guise of fake job applications. "A sophisticated spear-phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a resume, leading to a more_eggs backdoor infection," Trend Micro researchers Ryan Soliven, Maria Emreen Viray, and Fe Cureg said in an analysis. More_eggs, sold as a malware-as-a-service (MaaS), is a malicious software that comes with capabilities to siphon credentials, including those related to online bank accounts, email accounts, and IT administrator accounts. It's attributed to a threat actor called the Golden Chickens group (aka Venom Spider), and has been put to use by several other e-crime groups like FIN6 (aka ITG08 ), Cobalt, and Evilnum. Earlier this June, eSentire disclosed details of a similar attack that leverages ...

U.S. federal prosecutors on Friday unsealed criminal charges against three Iranian nationals who are allegedly employed with the Islamic Revolutionary Guard Corps (IRGC) for their targeting of current and former officials to steal sensitive data. The Department of Justice (DoJ) accused Masoud Jalili, 36, Seyyed Ali Aghamiri, 34, and Yasar (Yaser) Balaghi, 37, of participating in a conspiracy with other known and unknown actors to undermine the U.S. electoral process . They are alleged to have hacked into accounts of current and former U.S. officials, members of the media, nongovernmental organizations, and individuals associated with U.S. political campaigns. None of the three operatives, said to be members of the Basij Resistance Force, have been arrested. "The activity was part of Iran's continuing efforts to stoke discord, erode confidence in the U.S. electoral process, and unlawfully acquire information relating to current and former U.S. officials that could be us...

Russian and Belarusian non-profit organizations, Russian independent media, and international non-governmental organizations active in Eastern Europe have become the target of two separate spear-phishing campaigns orchestrated by threat actors whose interests align with that of the Russian government. While one of the campaigns – dubbed River of Phish – has been attributed to COLDRIVER , an adversarial collective with ties to Russia's Federal Security Service (FSB), the second set of attacks have been deemed the work of a previously undocumented threat cluster codenamed COLDWASTREL. Targets of the campaigns also included prominent Russian opposition figures-in-exile, officials and academics in the US think tank and policy space, and a former U.S. ambassador to Ukraine, according to a joint investigation from Access Now and the Citizen Lab. "Both kinds of attacks were highly tailored to better deceive members of the target organizations," Access Now said . "The m...

The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives. SideWinder , which is also known by the names APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, and Razor Tiger, is assessed to be affiliated with India. It has been operational since 2012, often making use of spear-phishing as a vector to deliver malicious payloads that trigger the attack chains. "SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants," the Canadian cybersecurity company said in an analysis published last week. The latest...

Microsoft on Monday said it detected Kremlin-backed nation-state activity exploiting a now-patched critical security flaw in its Outlook email service to gain unauthorized access to victims' accounts within Exchange servers. The tech giant  attributed  the intrusions to a threat actor it called  Forest Blizzard  (formerly Strontium), which is also widely tracked under the monikers APT28, BlueDelta, Fancy Bear, FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422. The security vulnerability in question is  CVE-2023-23397  (CVSS score: 9.8), a critical privilege escalation bug that could allow an adversary to access a user's Net-NTLMv2 hash that could then be used to conduct a relay attack against another service to authenticate as the user. It was patched by Microsoft in March 2023. The goal, according to the Polish Cyber Command (DKWOC), is to obtain unauthorized access to mailboxes belonging to public and private entities in the country. "In the next...

The China-linked Mustang Panda actor has been linked to a cyber attack targeting a Philippines government entity amid  rising tensions  between the two countries over the disputed South China Sea. Palo Alto Networks Unit 42 attributed the adversarial collective to three campaigns in August 2023, primarily singling out organizations in the South Pacific. "The campaigns leveraged legitimate software including Solid PDF Creator and SmadavProtect (an Indonesian-based antivirus solution) to sideload malicious files," the company  said . "Threat authors also creatively configured the malware to impersonate legitimate Microsoft traffic for command-and-control (C2) connections." Mustang Panda, also tracked under the names Bronze President, Camaro Dragon, Earth Preta, RedDelta, and Stately Taurus, is assessed to be a Chinese advanced persistent threat (APT) active since at least 2012,  orchestrating   cyber espionage   campaigns  targeting non-governmenta...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added three security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog based on evidence of active exploitation in the wild. The  vulnerabilities  are as follows - CVE-2023-36584  (CVSS score: 5.4) - Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability CVE-2023-1671  (CVSS score: 9.8) - Sophos Web Appliance Command Injection Vulnerability CVE-2020-2551  (CVSS score: 9.8) - Oracle Fusion Middleware Unspecified Vulnerability CVE-2023-1671 relates to a critical  pre-auth command injection vulnerability  that allows for the execution of arbitrary code. CVE-2020-2551 is a  flaw  in the WLS Core Components that allows an unauthenticated attacker with network access to compromise the WebLogic Server. There are currently no public reports documenting in-the-wild attacks leveraging CVE-2023-1671, but Cybernews disclosed in July ...