#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
CrowdSec

Symantec | Breaking Cybersecurity News | The Hacker News

Chinese Redfly Group Compromised a Nation's Critical Grid in 6-Month ShadowPad Campaign

Chinese Redfly Group Compromised a Nation's Critical Grid in 6-Month ShadowPad Campaign
Sep 12, 2023 Critical Infrastructure Security
A threat actor called  Redfly  has been linked to a compromise of a national grid located in an unnamed Asian country for as long as six months earlier this year using a known malware referred to as  ShadowPad . "The attackers managed to steal credentials and compromise multiple computers on the organization's network," the Symantec Threat Hunter Team, part of Broadcom,  said  in a report shared with The Hacker News. "The attack is the latest in a series of espionage intrusions against [critical national infrastructure] targets." ShadowPad, also known as PoisonPlug, is a follow-up to the PlugX remote access trojan and is a modular implant capable of loading additional plugins dynamically from a remote server as required to harvest sensitive data from breached networks. It has been  widely used  by a growing list of  China-nexus   nation-state groups  since at least 2019 in attacks aimed at organizations in various industry verticals. "ShadowPad is dec

INTERPOL Nabs Hacking Crew OPERA1ER's Leader Behind $11 Million Cybercrime

INTERPOL Nabs Hacking Crew OPERA1ER's Leader Behind $11 Million Cybercrime
Jul 06, 2023 Cyber Crime / Hacking
A suspected senior member of a French-speaking hacking crew known as OPERA1ER has been arrested as part of an international law enforcement operation codenamed Nervone, Interpol has announced. "The group is believed to have stolen an estimated USD 11 million -- potentially as much as 30 million -- in more than 30 attacks across 15 countries in Africa, Asia, and Latin America," the agency  said . The arrest was made by authorities in Côte d'Ivoire early last month. Additional insight was provided by the U.S. Secret Service's Criminal Investigative Division and Booz Allen Hamilton DarkLabs. The financially motivated collective is also known by the aliases Common Raven, DESKTOP-GROUP, and NX$M$. Its modus operandi was  first exposed  by Group-IB and Orange CERT Coordination Center (Orange-CERT-CC) in November 2022, detailing its intrusions on banks, financial services, and telecom companies between March 2018 and October 2022. Earlier this January, Broadcom's S

external linkThe Latest SaaS Security Information Resource

SaaS
websiteSaaS Security on TapSaaS Security
Discover SaaS Security on Tap, a video series bringing you all the ins and outs of securing your SaaS stack. Watch now.

Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign

Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign
May 15, 2023 Cyber Threat / Malware
Government, aviation, education, and telecom sectors located in South and Southeast Asia have come under the radar of a new hacking group as part of a highly-targeted campaign that commenced in mid-2022 and continued into the first quarter of 2023. Symantec, by Broadcom Software, is tracking the activity under its insect-themed moniker  Lancefly , with the attacks making use of a "powerful" backdoor called Merdoor. Evidence gathered so far points to the custom implant being utilized as far back as 2018. The ultimate goal of the campaign, based on the tools and the victimology pattern, is assessed to be intelligence gathering. "The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted," Symantec  said  in an analysis shared with The Hacker News. "The attackers in this campaign also have access to an updated version of the ZXShell rootkit."

Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach

Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach
Apr 22, 2023 Supply Chain / Cyber Threat
Lazarus, the prolific North Korean hacking group behind the cascading  supply chain attack targeting 3CX , also breached two critical infrastructure organizations in the power and energy sector and two other businesses involved in financial trading using the trojanized X_TRADER application. The new findings, which come courtesy of  Symantec's Threat Hunter Team , confirm earlier suspicions that the X_TRADER application compromise affected more organizations than 3CX. The names of the organizations were not revealed. Eric Chien, director of security response at Broadcom-owned Symantec, told The Hacker News in a statement that the attacks took place between September 2022 and November 2022. "The impact from these infections is unknown at this time – more investigation is required and is on-going," Chien said, adding it's possible that there's "likely more to this story and possibly even other packages that are trojanized." The development comes as Ma

Bluebottle Cybercrime Group Preys on Financial Sector in French-Speaking African Nations

Bluebottle Cybercrime Group Preys on Financial Sector in French-Speaking African Nations
Jan 05, 2023 Cybercrime / Banking Security
A cybercrime group dubbed Bluebottle has been linked to a set of targeted attacks against the financial sector in Francophone countries located in Africa from at least July 2022 to September 2022. "The group makes extensive use of living-off-the-land, dual use tools, and commodity malware, with no custom malware deployed in this campaign," Symantec, a division of Broadcom Software,  said  in a report shared with The Hacker News. The cybersecurity firm said the activity shares overlaps with a threat cluster tracked by Group-IB under the name  OPERA1ER , which has carried out dozens of attacks aimed at banks, financial services, and telecom companies in Africa, Asia, and Latin America between 2018 and 2022. The attribution stems from similarities in the toolset used, the attack infrastructure, the absence of bespoke malware, and the targeting of French-speaking nations in Africa. Three different unnamed financial institutions in three African nations were breached, although

Budworm Hackers Resurface with New Espionage Attacks Aimed at U.S. Organization

Budworm Hackers Resurface with New Espionage Attacks Aimed at U.S. Organization
Oct 13, 2022
An advanced persistent threat (APT) actor known as  Budworm  targeted a U.S.-based entity for the first time in more than six years, according to latest research. The attack was aimed at an unnamed U.S. state legislature, the Symantec Threat Hunter team, part of Broadcom Software,  said  in a report shared with The Hacker News. Other "strategically significant" intrusions mounted over the past six months were directed against a government of a Middle Eastern country, a multinational electronics manufacturer, and a hospital in South East Asia. Budworm , also called APT27, Bronze Union, Emissary Panda, Lucky Mouse, and Red Phoenix, is a threat actor that's believed to operate on behalf of China through attacks that leverage a mix of custom and openly available tools to exfiltrate information of interest. "Bronze Union maintains a high degree of operational flexibility in order to adapt to the environments it operates in," Secureworks  notes  in a profile of

SparklingGoblin APT Hackers Using New Linux Variant of SideWalk Backdoor

SparklingGoblin APT Hackers Using New Linux Variant of SideWalk Backdoor
Sep 14, 2022
A Linux variant of a backdoor known as SideWalk was used to target a Hong Kong university in February 2021, underscoring the cross-platform abilities of the implant.  Slovak cybersecurity firm ESET, which detected the malware in the university's network, attributed the backdoor to a nation-state actor dubbed  SparklingGoblin . The unnamed university is said to have been already targeted by the group in May 2020 during the  student protests . "The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations," ESET  said  in a report shared with The Hacker News. SparklingGoblin is the name given to a Chinese advanced persistent threat (APT) group with connections to the  Winnti umbrella  (aka APT41, Barium, Earth Baku, or Wicked Panda). It's primarily known for its attacks targeting various en

Russian State Hackers Continue to Attack Ukrainian Entities with Infostealer Malware

Russian State Hackers Continue to Attack Ukrainian Entities with Infostealer Malware
Aug 16, 2022
Russian state-sponsored actors are continuing to strike Ukrainian entities with information-stealing malware as part of what's suspected to be an espionage operation. Symantec, a division of Broadcom Software,  attributed  the malicious campaign to a threat actor tracked  Shuckworm , also known as  Actinium ,  Armageddon , Gamaredon, Primitive Bear, and Trident Ursa. The findings have been  corroborated  by the Computer Emergency Response Team of Ukraine (CERT-UA). The threat actor, active since at least 2013, is known for explicitly singling out public and private entities in Ukraine. The attacks have since ratcheted up in the wake of Russia's military invasion in late 2022. The latest set of attacks are said to have commenced on July 15, 2022, and ongoing as recently as August 8, with the infection chains leveraging phishing emails disguised as newsletters and combat orders, ultimately leading to the deployment of a PowerShell stealer malware dubbed  GammaLoad.PS1_v2 .

Another Chinese Hacking Group Spotted Targeting Ukraine Amid Russia Invasion

Another Chinese Hacking Group Spotted Targeting Ukraine Amid Russia Invasion
Mar 26, 2022
A Chinese-speaking threat actor called Scarab has been linked to a custom backdoor dubbed HeaderTip as part of a campaign targeting Ukraine since Russia embarked on an invasion last month, making it the second China-based hacking group after  Mustang Panda  to capitalize on the conflict. "The malicious activity represents one of the first public examples of a Chinese threat actor targeting Ukraine since the invasion began," SentinelOne researcher Tom Hegel  said  in a report published this week. SentinelOne's analysis follows an advisory from Ukraine's Computer Emergency Response Team (CERT-UA) earlier this week  outlining  a spear-phishing campaign that leads to the delivery of a RAR archive file, which comes with an executable that's designed to open a decoy file while stealthily dropping a malicious DLL called HeaderTip in the background. Scarab was  first documented  by the Symantec Threat Hunter Team, part of Broadcom Software, in January 2015, when i

Newly Uncovered 'SowBug' Cyber-Espionage Group Stealing Diplomatic Secrets Since 2015

Newly Uncovered 'SowBug' Cyber-Espionage Group Stealing Diplomatic Secrets Since 2015
Nov 07, 2017
A previously unknown hacking and cyber-espionage group that has been in operation since at least 2015 have conducted a series of highly targeted attacks against a host of government organizations in South America and Southeast Asia to steal their sensitive data. Codenamed Sowbug , the hacking group has been exposed by Symantec security researchers, who spotted the group conducting clandestine attacks against foreign policy institutions, government bodies and diplomatic targets in countries, including Argentina, Brazil, Ecuador, Peru and Malaysia. Symantec analysis found that the Sowbug hacking group uses a piece of malware dubbed "Felismus" to launch its attacks and infiltrate their targets. First identified in late March of this year, Felismus is a sophisticated, well-written piece of remote access Trojan (RAT) with a modular construction that allows the backdoor trojan to hide and or extend its capabilities. The malware allows malicious actors to take complete

Symantec Connects 40 Cyber Attacks to CIA Hacking Tools Exposed by Wikileaks

Symantec Connects 40 Cyber Attacks to CIA Hacking Tools Exposed by Wikileaks
Apr 10, 2017
Security researchers have confirmed that the alleged CIA hacking tools recently exposed by WikiLeaks have been used against at least 40 governments and private organizations across 16 countries. Since March, as part of its " Vault 7 " series, Wikileaks has published over 8,761 documents and other confidential information that the whistleblower group claims came from the US Central Intelligence Agency (CIA). Now, researchers at cybersecurity company Symantec reportedly managed to link those CIA hacking tools to numerous real cyber attacks in recent years that have been carried out against the government and private sectors across the world. Those 40 cyber attacks were conducted by Longhorn — a North American hacking group that has been active since at least 2011 and has used backdoor trojans and zero-day attacks to target government, financial, energy, telecommunications, education, aerospace, and natural resources sectors. Although the group's targets were a

Symantec API Flaws reportedly let attackers steal Private SSL Keys and Certificates

Symantec API Flaws reportedly let attackers steal Private SSL Keys and Certificates
Mar 28, 2017
A security researcher has disclosed critical issues in the processes and third-party API used by Symantec certificate resellers to deliver and manage Symantec SSL certificates. The flaw, discovered by Chris Byrne, an information security consultant and instructor for Cloud Harmonics, could allow an unauthenticated attacker to retrieve other persons' SSL certificates, including public and private keys, as well as to reissue or revoke those certificates. Even without revoking and reissuing a certificate, attackers can conduct "man-in-the-middle" attack over the secure connections using stolen SSL certs, tricking users into believing they are on a legitimate site when in fact their SSL traffic is being secretly tampered with and intercepted. "All you had to do was click a link sent in [an] email, and you could retrieve a cert, revoke a cert, and re-issue a cert," Byrne wrote in a Facebook post published over the weekend. Symantec knew of API Flaws Si

Google Chrome to Distrust Symantec SSLs for Mis-issuing 30,000 EV Certificates

Google Chrome to Distrust Symantec SSLs for Mis-issuing 30,000 EV Certificates
Mar 24, 2017
Google announced its plans to punish Symantec by gradually distrusting its SSL certificates after the company was caught improperly issuing 30,000 Extended Validation (EV) certificates over the past few years. The Extended Validation (EV) status of all certificates issued by Symantec-owned certificate authorities will no longer be recognized by the Chrome browser for at least a year until Symantec fixes its certificate issuance processes so that it can be trusted again. Extended validation certificates are supposed to provide the highest level of trust and authentication, where before issuing a certificate, Certificate Authority must verify the requesting entity's legal existence and identity. The move came into effect immediately after Ryan Sleevi, a software engineer on the Google Chrome team, made this announcement on Thursday in an online forum . "This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, c

More than 1,400 Financial institutions in 88 Countries targeted by Banking Trojan in 2013

More than 1,400 Financial institutions in 88 Countries targeted by Banking Trojan in 2013
Dec 22, 2013
As the year draws to a close, we have seen the number of emerging threats like advance phishing attacks from the Syrian Electronic Army , financial malware and exploit kits, Cryptolocker ransomware infections, massive  Bitcoin theft, extensive privacy breach from NSA and many more. The financial malware's were the most popular threat this year. Money is always a perfect motivation for attackers and cyber criminals who are continually targeting financial institutions. On Tuesday, Antivirus firm Symantec has released a Threat report, called " The State of Financial Trojans: 2013 ", which revealed that over 1,400 financial institutions have been targeted and compromised millions of computers around the globe and the most targeted banks are in the US with 71.5% of all analyzed Trojans. Financial institutions have been fighting against malware for the last ten years to protect their customers and online transactions from threat. Over the time the attackers adapted to these counter

Linux worm targeting Routers, Set-top boxes and Security Cameras with PHP-CGI Vulnerability

Linux worm targeting Routers, Set-top boxes and Security Cameras with PHP-CGI Vulnerability
Nov 30, 2013
A Symantec researcher has discovered a new Linux worm, targeting machine-to-machine devices, and exploits a PHP vulnerability ( CVE-2012-1823 ) to propagate that has been patched as far back as May 2012. Linux worm, which has been dubbed Linux.Darlloz , poses a threat to devices such as home routers and set-top boxes, Security Cameras, and even industrial control systems. It is based on proof-of-concept code released in late October and it helps spread malware by exploiting a vulnerability in php-cgi . " Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. " the Symantec researchers explained. The malware does not appear to perform any malicious activity other than silently spreading itself and wiping a load of system

Japanese word processor 'Ichitaro' zero-day attack discovered in the wild

Japanese word processor 'Ichitaro' zero-day attack discovered in the wild
Nov 15, 2013
Japanese most popular word processing software ' Ichitaro ' and Multiple Products are vulnerable to a zero day Remote Code Execution Flaw Vulnerability, allowing the execution of arbitrary code to compromise a user's system. According to assigned CVE-2013-5990 ,  malicious attacker is able to gain system access and execute arbitrary code with the privileges of a local user. The vulnerability is caused due to an unspecified error when handling certain document files. " We confirm the existence of vulnerabilities in some of our products. " company blog says. In a blog post, Antivirus Firm Symantec confirmed that in September 2013, they have discovered attacks in the wild attempting to exploit this vulnerability during, detected as  Trojan.Mdropper , which is a variant of  Backdoor.Vidgrab . Researchers mentioned that  Backdoor.Vidgrab variant was used as a payload for a watering hole attack exploiting the Microsoft Internet Explorer Memory

Stuxnet 0.5 : Symantec study reveals Stuxnet was dated 2005

Stuxnet 0.5 : Symantec study reveals Stuxnet was dated 2005
Feb 27, 2013
Today social media are spreading a shocking news, authors of Stuxnet virus that hit Iranian nuclear program in 2010 according a new research proposed by Symantec security company started in 2005 and contrary to successive instance of the malware he was designed to manipulate the nuclear facility's gas valves. The attacker strategy was to destroy the nuclear plant causing an explosion due the sabotage of gas valves, hackers purpose was physical destruction of the targets, due this reason the press and security community labeled Stuxnet as first cyber weapon of the history.  Francis deSouza, Symantec's president of products and services, during an interview with Bloomberg revealed that the version detected was a sort of beta version of the final weapon and that in the period between 2005 and 2009 the authors were testing its capabilities. " It looks like now the weapon tried a few things before it hit on what would actually work ,"' " It is clear that this has been a soph

Cross Platform Trojan builder distributed on underground forums

Cross Platform Trojan builder distributed on underground forums
Feb 14, 2013
A Cross platform back door ' Frutas ' remote access tool (RAT) is available for download on many forums from January 2013. This Trojan builder is completely written in Java. Recently, Symantec experts analyse that Frutas RAT allows attackers to create a connect-back client JAR file to run on a compromised computer. The back door builder provides some minor obfuscation, which allows the attacker to use a custom encryption key for some of the embedded back door functionality. Once a backdoor connection is established, the RAT server alerts the attacker and allows them to perform various back door functions on the compromised computer i.e Browse file systems, Download and execute arbitrary files, Perform denial of service attacks, Open a specified website in a browser. According to Symantec only 2 out of the 46 vendors from Virus Total are detecting it as a threat.

Bamital botnet servers seized by Microsoft and Symantec

Bamital botnet servers seized by Microsoft and Symantec
Feb 07, 2013
Microsoft teamed up with Symantec to take down a nasty malware affecting thousands upon thousands of PCs. Bamital botnet  hijacked people's search experiences and redirected victims to potentially dangerous sites that could leave them vulnerable to other online threats and steal their personal information. Experts from the organizations obtained a court order and shut down servers at a data center in New Jersey and convinced operators in Virginia to shut down a server they control in the Netherlands on Wednesday. The Bamital botnet threatened the US$12.7 billion online advertising industry by generating fraudulent clicks on Internet ads. Microsoft's research shows that Bamital hijacked more than 8 million computers over the past two years. Microsoft says that the botnet affected many major search engines and browsers including Bing, Yahoo, and Google offerings. Bamital's organizers also had the ability to take control of infected PCs, installing other types of com

Chinese Hackers hit New York Times and Wall Street Journal

Chinese Hackers hit New York Times and Wall Street Journal
Feb 01, 2013
The New York Times says Chinese hackers probably working for the military or Chinese government have carried out sustained attacks on its computer systems, breaking in and stealing the passwords of high-profile reporters and other staff members. For the last four months, Chinese hackers have persistently attacked The New York Times . On Thursday, The Wall Street Journal announced that it too had been hacked by Chinese hackers who were trying to monitor the company's coverage of China. It said hackers had broken into its network through computers in its Beijing bureau. " The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them " " Evidence shows that infiltration efforts target the monitoring of the Journal's coverage of China, and are not an attempt to gain commercial advantage or to misappropriate customer information, " the statement rea
Cybersecurity Resources