#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

Symantec | Breaking Cybersecurity News | The Hacker News

Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications

Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications

May 03, 2024 Cloud Security / Threat Intelligence
Threat actors have been increasingly weaponizing  Microsoft Graph API  for malicious purposes with the aim of evading detection. This is done to "facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services," the Symantec Threat Hunter Team, part of Broadcom,  said  in a report shared with The Hacker News. Since January 2022, multiple nation-state-aligned hacking groups have been observed using Microsoft Graph API for C&C. This includes threat actors tracked as  APT28 ,  REF2924 ,  Red Stinger ,  Flea ,  APT29 , and  OilRig . The first known instance of Microsoft Graph API abuse prior to its wider adoption dates back to June 2021 in connection with an activity cluster dubbed  Harvester  that was found using a custom implant known as Graphon that utilized the API to communicate with Microsoft infrastructure. Symantec said it recently detected the use of the same technique against an unnamed organization in Ukraine, wh
Severe Flaws Disclosed in Brocade SANnav SAN Management Software

Severe Flaws Disclosed in Brocade SANnav SAN Management Software

Apr 26, 2024 Supply Chain Attack / Software Security
Several security vulnerabilities disclosed in Brocade SANnav storage area network (SAN) management application could be exploited to compromise susceptible appliances. The 18 flaws  impact  all versions up to and including 2.3.0, according to independent security researcher Pierre Barre, who discovered and reported them. The issues range from incorrect firewall rules, insecure root access, and Docker misconfigurations to lack of authentication and encryption, thus allowing an attacker to intercept credentials, overwrite arbitrary files, and completely breach the device. Some of the most severe flaws are listed below - CVE-2024-2859  (CVSS score: 8.8) - A vulnerability that could allow an unauthenticated, remote attacker to log in to an affected device using the root account and execute arbitrary commands CVE-2024-29960  (CVSS score: 7.5) - The use of hard-coded SSH keys in the OVA image, which could be exploited by an attacker to decrypt the SSH traffic to the SANnav applianc
Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa

Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa

Dec 19, 2023 Cyber Espionage / Cyber Attack
The Iranian nation-state actor known as  MuddyWater  has leveraged a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania. The Symantec Threat Hunter Team, part of Broadcom, is  tracking  the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix. Active since at least 2017,  MuddyWater  is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS), primarily singling out entities in the Middle East. The cyber espionage group's use of  MuddyC2Go  was first highlighted by Deep Instinct last month, describing it as a Golang-based replacement for  PhonyC2 , itself a successor to MuddyC3. However, there is evidence to suggest that it may have been employed as early as 2020. While the full extent of MuddyC2Go'
cyber security

Protecting Your Organization From Insider Threats - All You Need to Know

websiteWing SecuritySaaS Security
Get practical insights and strategies to manage inadequate offboarding and insider risks effectively.
What's the Right EDR for You?

What's the Right EDR for You?

May 10, 2024Endpoint Security / Threat Detection
A guide to finding the right endpoint detection and response (EDR) solution for your business' unique needs. Cybersecurity has become an ongoing battle between hackers and small- and mid-sized businesses. Though perimeter security measures like antivirus and firewalls have traditionally served as the frontlines of defense, the battleground has shifted to endpoints. This is why endpoint detection and response (EDR) solutions now serve as critical weapons in the fight, empowering you and your organization to detect known and unknown threats, respond to them quickly, and extend the cybersecurity fight across all phases of an attack.  With the growing need to defend your devices from today's cyber threats, however, choosing the right EDR solution can be a daunting task. There are so many options and features to choose from, and not all EDR solutions are made with everyday businesses and IT teams in mind. So how do you pick the best solution for your needs? Why EDR Is a Must Because of
Russian Cyber Espionage Group Deploys LitterDrifter USB Worm in Targeted Attacks

Russian Cyber Espionage Group Deploys LitterDrifter USB Worm in Targeted Attacks

Nov 18, 2023 Cyber Attack / USB Worm
Russian cyber espionage actors affiliated with the Federal Security Service (FSB) have been observed using a USB propagating worm called  LitterDrifter  in attacks targeting Ukrainian entities. Check Point, which  detailed  Gamaredon's (aka Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder) latest tactics, branded the group as engaging in large-scale campaigns that are followed by "data collection efforts aimed at specific targets, whose selection is likely motivated by espionage goals." The LitterDrifter worm packs in two main features: automatically spreading the malware via connected USB drives as well as communicating with the threat actor's command-and-control (C&C) servers. It's also suspected to be an evolution of a PowerShell-based USB worm that was previously  disclosed  by Symantec in June 2023. Written in VBS, the spreader module is responsible for distributing the worm as a hidden file in a USB drive together with a deco
Iran-Linked OilRig Targets Middle East Governments in 8-Month Cyber Campaign

Iran-Linked OilRig Targets Middle East Governments in 8-Month Cyber Campaign

Oct 19, 2023 Cyber Attack / Cyber Espionage
The Iran-linked  OilRig threat actor  targeted an unnamed Middle East government between February and September 2023 as part of an eight-month-long campaign. The attack led to the theft of files and passwords and, in one instance, resulted in the deployment of a PowerShell backdoor called PowerExchange, the Symantec Threat Hunter Team, part of Broadcom,  said  in a report shared with The Hacker News. The cybersecurity firm is tracking the activity under the name  Crambus , noting that the adversary used the implant to "monitor incoming mails sent from an Exchange Server in  order to execute commands sent by the attackers in the form of emails, and surreptitiously forwarded results to the attackers." Malicious activity is said to have been detected on no less than 12 computers, with backdoors and keyloggers installed on a dozen other machines, indicating a broad compromise of the target. The use of PowerExchange was  first highlighted  by Fortinet FortiGuard Labs in May
Researchers Uncover Grayling APT's Ongoing Attack Campaign Across Industries

Researchers Uncover Grayling APT's Ongoing Attack Campaign Across Industries

Oct 10, 2023 Cyber Attack / Malware
A previously undocumented threat actor of unknown provenance has been linked to a number of attacks targeting organizations in the manufacturing, IT, and biomedical sectors in Taiwan. The Symantec Threat Hunter Team, part of Broadcom, attributed the attacks to an advanced persistent threat (APT) it tracks under the name  Grayling . Evidence shows that the campaign began in February 2023 and continued until at least May 2023. Also likely targeted as part of the activity is a government agency located in the Pacific Islands, as well as entities in Vietnam and the U.S. "This activity stood out due to the use by Grayling of a distinctive DLL side-loading technique that uses a custom decryptor to deploy payloads," the company  said  in a report shared with The Hacker News. "The motivation driving this activity appears to be intelligence gathering." The initial foothold to victim environments is said to have been achieved by exploiting public-facing infrastructure,
Chinese Redfly Group Compromised a Nation's Critical Grid in 6-Month ShadowPad Campaign

Chinese Redfly Group Compromised a Nation's Critical Grid in 6-Month ShadowPad Campaign

Sep 12, 2023 Critical Infrastructure Security
A threat actor called  Redfly  has been linked to a compromise of a national grid located in an unnamed Asian country for as long as six months earlier this year using a known malware referred to as  ShadowPad . "The attackers managed to steal credentials and compromise multiple computers on the organization's network," the Symantec Threat Hunter Team, part of Broadcom,  said  in a report shared with The Hacker News. "The attack is the latest in a series of espionage intrusions against [critical national infrastructure] targets." ShadowPad, also known as PoisonPlug, is a follow-up to the PlugX remote access trojan and is a modular implant capable of loading additional plugins dynamically from a remote server as required to harvest sensitive data from breached networks. It has been  widely used  by a growing list of  China-nexus   nation-state groups  since at least 2019 in attacks aimed at organizations in various industry verticals. "ShadowPad is dec
INTERPOL Nabs Hacking Crew OPERA1ER's Leader Behind $11 Million Cybercrime

INTERPOL Nabs Hacking Crew OPERA1ER's Leader Behind $11 Million Cybercrime

Jul 06, 2023 Cyber Crime / Hacking
A suspected senior member of a French-speaking hacking crew known as OPERA1ER has been arrested as part of an international law enforcement operation codenamed Nervone, Interpol has announced. "The group is believed to have stolen an estimated USD 11 million -- potentially as much as 30 million -- in more than 30 attacks across 15 countries in Africa, Asia, and Latin America," the agency  said . The arrest was made by authorities in Côte d'Ivoire early last month. Additional insight was provided by the U.S. Secret Service's Criminal Investigative Division and Booz Allen Hamilton DarkLabs. The financially motivated collective is also known by the aliases Common Raven, DESKTOP-GROUP, and NX$M$. Its modus operandi was  first exposed  by Group-IB and Orange CERT Coordination Center (Orange-CERT-CC) in November 2022, detailing its intrusions on banks, financial services, and telecom companies between March 2018 and October 2022. Earlier this January, Broadcom's S
Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign

Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign

May 15, 2023 Cyber Threat / Malware
Government, aviation, education, and telecom sectors located in South and Southeast Asia have come under the radar of a new hacking group as part of a highly-targeted campaign that commenced in mid-2022 and continued into the first quarter of 2023. Symantec, by Broadcom Software, is tracking the activity under its insect-themed moniker  Lancefly , with the attacks making use of a "powerful" backdoor called Merdoor. Evidence gathered so far points to the custom implant being utilized as far back as 2018. The ultimate goal of the campaign, based on the tools and the victimology pattern, is assessed to be intelligence gathering. "The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted," Symantec  said  in an analysis shared with The Hacker News. "The attackers in this campaign also have access to an updated version of the ZXShell rootkit."
Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach

Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach

Apr 22, 2023 Supply Chain / Cyber Threat
Lazarus, the prolific North Korean hacking group behind the cascading  supply chain attack targeting 3CX , also breached two critical infrastructure organizations in the power and energy sector and two other businesses involved in financial trading using the trojanized X_TRADER application. The new findings, which come courtesy of  Symantec's Threat Hunter Team , confirm earlier suspicions that the X_TRADER application compromise affected more organizations than 3CX. The names of the organizations were not revealed. Eric Chien, director of security response at Broadcom-owned Symantec, told The Hacker News in a statement that the attacks took place between September 2022 and November 2022. "The impact from these infections is unknown at this time – more investigation is required and is on-going," Chien said, adding it's possible that there's "likely more to this story and possibly even other packages that are trojanized." The development comes as Ma
Bluebottle Cybercrime Group Preys on Financial Sector in French-Speaking African Nations

Bluebottle Cybercrime Group Preys on Financial Sector in French-Speaking African Nations

Jan 05, 2023 Cybercrime / Banking Security
A cybercrime group dubbed Bluebottle has been linked to a set of targeted attacks against the financial sector in Francophone countries located in Africa from at least July 2022 to September 2022. "The group makes extensive use of living-off-the-land, dual use tools, and commodity malware, with no custom malware deployed in this campaign," Symantec, a division of Broadcom Software,  said  in a report shared with The Hacker News. The cybersecurity firm said the activity shares overlaps with a threat cluster tracked by Group-IB under the name  OPERA1ER , which has carried out dozens of attacks aimed at banks, financial services, and telecom companies in Africa, Asia, and Latin America between 2018 and 2022. The attribution stems from similarities in the toolset used, the attack infrastructure, the absence of bespoke malware, and the targeting of French-speaking nations in Africa. Three different unnamed financial institutions in three African nations were breached, although
Budworm Hackers Resurface with New Espionage Attacks Aimed at U.S. Organization

Budworm Hackers Resurface with New Espionage Attacks Aimed at U.S. Organization

Oct 13, 2022
An advanced persistent threat (APT) actor known as  Budworm  targeted a U.S.-based entity for the first time in more than six years, according to latest research. The attack was aimed at an unnamed U.S. state legislature, the Symantec Threat Hunter team, part of Broadcom Software,  said  in a report shared with The Hacker News. Other "strategically significant" intrusions mounted over the past six months were directed against a government of a Middle Eastern country, a multinational electronics manufacturer, and a hospital in South East Asia. Budworm , also called APT27, Bronze Union, Emissary Panda, Lucky Mouse, and Red Phoenix, is a threat actor that's believed to operate on behalf of China through attacks that leverage a mix of custom and openly available tools to exfiltrate information of interest. "Bronze Union maintains a high degree of operational flexibility in order to adapt to the environments it operates in," Secureworks  notes  in a profile of
SparklingGoblin APT Hackers Using New Linux Variant of SideWalk Backdoor

SparklingGoblin APT Hackers Using New Linux Variant of SideWalk Backdoor

Sep 14, 2022
A Linux variant of a backdoor known as SideWalk was used to target a Hong Kong university in February 2021, underscoring the cross-platform abilities of the implant.  Slovak cybersecurity firm ESET, which detected the malware in the university's network, attributed the backdoor to a nation-state actor dubbed  SparklingGoblin . The unnamed university is said to have been already targeted by the group in May 2020 during the  student protests . "The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations," ESET  said  in a report shared with The Hacker News. SparklingGoblin is the name given to a Chinese advanced persistent threat (APT) group with connections to the  Winnti umbrella  (aka APT41, Barium, Earth Baku, or Wicked Panda). It's primarily known for its attacks targeting various en
Russian State Hackers Continue to Attack Ukrainian Entities with Infostealer Malware

Russian State Hackers Continue to Attack Ukrainian Entities with Infostealer Malware

Aug 16, 2022
Russian state-sponsored actors are continuing to strike Ukrainian entities with information-stealing malware as part of what's suspected to be an espionage operation. Symantec, a division of Broadcom Software,  attributed  the malicious campaign to a threat actor tracked  Shuckworm , also known as  Actinium ,  Armageddon , Gamaredon, Primitive Bear, and Trident Ursa. The findings have been  corroborated  by the Computer Emergency Response Team of Ukraine (CERT-UA). The threat actor, active since at least 2013, is known for explicitly singling out public and private entities in Ukraine. The attacks have since ratcheted up in the wake of Russia's military invasion in late 2022. The latest set of attacks are said to have commenced on July 15, 2022, and ongoing as recently as August 8, with the infection chains leveraging phishing emails disguised as newsletters and combat orders, ultimately leading to the deployment of a PowerShell stealer malware dubbed  GammaLoad.PS1_v2 .
Another Chinese Hacking Group Spotted Targeting Ukraine Amid Russia Invasion

Another Chinese Hacking Group Spotted Targeting Ukraine Amid Russia Invasion

Mar 26, 2022
A Chinese-speaking threat actor called Scarab has been linked to a custom backdoor dubbed HeaderTip as part of a campaign targeting Ukraine since Russia embarked on an invasion last month, making it the second China-based hacking group after  Mustang Panda  to capitalize on the conflict. "The malicious activity represents one of the first public examples of a Chinese threat actor targeting Ukraine since the invasion began," SentinelOne researcher Tom Hegel  said  in a report published this week. SentinelOne's analysis follows an advisory from Ukraine's Computer Emergency Response Team (CERT-UA) earlier this week  outlining  a spear-phishing campaign that leads to the delivery of a RAR archive file, which comes with an executable that's designed to open a decoy file while stealthily dropping a malicious DLL called HeaderTip in the background. Scarab was  first documented  by the Symantec Threat Hunter Team, part of Broadcom Software, in January 2015, when i
Newly Uncovered 'SowBug' Cyber-Espionage Group Stealing Diplomatic Secrets Since 2015

Newly Uncovered 'SowBug' Cyber-Espionage Group Stealing Diplomatic Secrets Since 2015

Nov 07, 2017
A previously unknown hacking and cyber-espionage group that has been in operation since at least 2015 have conducted a series of highly targeted attacks against a host of government organizations in South America and Southeast Asia to steal their sensitive data. Codenamed Sowbug , the hacking group has been exposed by Symantec security researchers, who spotted the group conducting clandestine attacks against foreign policy institutions, government bodies and diplomatic targets in countries, including Argentina, Brazil, Ecuador, Peru and Malaysia. Symantec analysis found that the Sowbug hacking group uses a piece of malware dubbed "Felismus" to launch its attacks and infiltrate their targets. First identified in late March of this year, Felismus is a sophisticated, well-written piece of remote access Trojan (RAT) with a modular construction that allows the backdoor trojan to hide and or extend its capabilities. The malware allows malicious actors to take complete
Symantec Connects 40 Cyber Attacks to CIA Hacking Tools Exposed by Wikileaks

Symantec Connects 40 Cyber Attacks to CIA Hacking Tools Exposed by Wikileaks

Apr 10, 2017
Security researchers have confirmed that the alleged CIA hacking tools recently exposed by WikiLeaks have been used against at least 40 governments and private organizations across 16 countries. Since March, as part of its " Vault 7 " series, Wikileaks has published over 8,761 documents and other confidential information that the whistleblower group claims came from the US Central Intelligence Agency (CIA). Now, researchers at cybersecurity company Symantec reportedly managed to link those CIA hacking tools to numerous real cyber attacks in recent years that have been carried out against the government and private sectors across the world. Those 40 cyber attacks were conducted by Longhorn — a North American hacking group that has been active since at least 2011 and has used backdoor trojans and zero-day attacks to target government, financial, energy, telecommunications, education, aerospace, and natural resources sectors. Although the group's targets were a
Symantec API Flaws reportedly let attackers steal Private SSL Keys and Certificates

Symantec API Flaws reportedly let attackers steal Private SSL Keys and Certificates

Mar 28, 2017
A security researcher has disclosed critical issues in the processes and third-party API used by Symantec certificate resellers to deliver and manage Symantec SSL certificates. The flaw, discovered by Chris Byrne, an information security consultant and instructor for Cloud Harmonics, could allow an unauthenticated attacker to retrieve other persons' SSL certificates, including public and private keys, as well as to reissue or revoke those certificates. Even without revoking and reissuing a certificate, attackers can conduct "man-in-the-middle" attack over the secure connections using stolen SSL certs, tricking users into believing they are on a legitimate site when in fact their SSL traffic is being secretly tampered with and intercepted. "All you had to do was click a link sent in [an] email, and you could retrieve a cert, revoke a cert, and re-issue a cert," Byrne wrote in a Facebook post published over the weekend. Symantec knew of API Flaws Si
Google Chrome to Distrust Symantec SSLs for Mis-issuing 30,000 EV Certificates

Google Chrome to Distrust Symantec SSLs for Mis-issuing 30,000 EV Certificates

Mar 24, 2017
Google announced its plans to punish Symantec by gradually distrusting its SSL certificates after the company was caught improperly issuing 30,000 Extended Validation (EV) certificates over the past few years. The Extended Validation (EV) status of all certificates issued by Symantec-owned certificate authorities will no longer be recognized by the Chrome browser for at least a year until Symantec fixes its certificate issuance processes so that it can be trusted again. Extended validation certificates are supposed to provide the highest level of trust and authentication, where before issuing a certificate, Certificate Authority must verify the requesting entity's legal existence and identity. The move came into effect immediately after Ryan Sleevi, a software engineer on the Google Chrome team, made this announcement on Thursday in an online forum . "This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, c
Cybersecurity
Expert Insights
Cybersecurity Resources