cyber espionage | Breaking Cybersecurity News | The Hacker News

Iranian OilRig Hackers Using New Backdoor to Exfiltrate Data from Govt. Organizations

Feb 03, 2023 Cyber Espionage / Cyber Threat
The Iranian nation-state hacking group known as OilRig has continued to target government organizations in the Middle East as part of a cyber espionage campaign that leverages a new backdoor to exfiltrate data. "The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers," Trend Micro researchers Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy said. While the technique in itself is not unheard of, the development marks the first time OilRig has adopted it in its playbook, indicating the continued evolution of its methods to bypass security protections. The advanced persistent threat (APT) group, also referred to as APT34, Cobalt Gypsy, Europium, and Helix Kitten, has been documented for its targeted phishing attacks in the Middle East since at least 2014. Linked to Iran's Ministry of Intelligence and Security (MOIS), the group is known to use a diverse toolset in its operations, with re
New Russian-Backed Gamaredon's Spyware Variants Targeting Ukrainian Authorities

Feb 02, 2023 Cyber Risk / Threat Detection
The State Cyber Protection Centre (SCPC) of Ukraine has called out the Russian state-sponsored threat actor known as Gamaredon for its targeted cyber attacks on public authorities and critical information infrastructure in the country. The advanced persistent threat, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has a track record of striking Ukrainian entities dating as far back as 2013. "UAC-0010 group's ongoing activity is characterized by a multi-step download approach and executing payloads of the spyware used to maintain control over infected hosts," the SCPC said. "For now, the UAC-0010 group uses GammaLoad and GammaSteel spyware in their campaigns." GammaLoad is a VBScript dropper malware engineered to download next-stage VBScript from a remote server. GammaSteel is a PowerShell script that's capable of conducting reconnaissance and executing additional commands. The goal of t
Ex-Twitter employee Gets 3.5 Years Jail for Spying on Behalf of Saudi Arabia

Dec 16, 2022 Cyber Espionage / Privacy
A former Twitter employee who was found guilty of spying on behalf of Saudi Arabia by sharing data pertaining to specific individuals has been sentenced to three-and-a-half years in prison. Ahmad Abouammo, 45, was convicted earlier this August on various criminal counts, including money laundering, fraud, falsifying records, and being an illegal agent of a foreign government. Abouammo was arrested on November 5, 2019, after being accused of abusing his access to Twitter's internal systems to gather information about Saudi Arabia's critics on the social media platform. He was employed at Twitter from 2013 to 2015. "Mr. Abouammo violated the trust placed on him to protect the privacy of individuals by giving their personal information to a foreign power for profit," said Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division. "His conduct was made all the more egregious by the fact that the information was i
Chinese Cyber Espionage Hackers Using USB Devices to Target Entities in Philippines

Nov 30, 2022
A threat actor with a suspected China nexus has been linked to a set of espionage attacks in the Philippines that primarily relies on USB devices as an initial infection vector. Mandiant, which is part of Google Cloud, is tracking the cluster under its uncategorized moniker UNC4191. An analysis of the artifacts used in the intrusions indicates that the campaign dates as far back as September 2021. "UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and APJ," researchers Ryan Tomcik, John Wolfram, Tommy Dacanay, and Geoff Ackerman said. "However, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines." The reliance on infected USB drives to propagate the malware is unusual if not new. The Raspberry Robin worm, which has evolved into an initial access ser
Bahamut Cyber Espionage Hackers Targeting Android Users with Fake VPN Apps

Nov 24, 2022
The cyber espionage group known as Bahamut has been attributed as behind a highly targeted campaign that infects users of Android devices with malicious apps designed to extract sensitive information. The activity, which has been active since January 2022, entails distributing rogue VPN apps through a fake SecureVPN website set up for this purpose, Slovak cybersecurity firm ESET said in a new report shared with The Hacker News. At least eight different variants of the spyware apps have been discovered to date, with them being trojanized versions of legitimate VPN apps like SoftVPN and OpenVPN. None of these apps are available on Google Play Store. The tampered apps and their updates are pushed to users through the fraudulent website. It's also suspected that the targets are carefully selected, since launching the app requires the victim to enter an activation key to enable the features. This implies the use of an undetermined distribution vector, although past evidence s
Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images

Nov 14, 2022
A recently discovered cyber espionage group dubbed Worok has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor's infection chain. Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that's used to facilitate information theft. "What is noteworthy is data collection from victims' machines using Dropbox repository, as well as attackers using Dropbox API for communication with the final stage," the company said. The development comes a little over two months after ESET disclosed details of attacks carried out by Worok against high-profile companies and local governments located in Asia and Africa. Worok is believed to share tactical overlaps with a Chinese threat actor tracked as TA428. The Slovak cybersecurity company also documented Worok's compromise sequence, which makes use of a C++-based loader called CLRLoad to pave the way for an unknown PowerS
Webworm Hackers Using Modified RATs in Latest Cyber Espionage Attacks

Sep 15, 2022
A threat actor tracked under the moniker Webworm is taking advantage of bespoke variants of already existing Windows-based remote access trojans to fly under the radar, some of which are said to be in pre-deployment or testing phases. "The group has developed customized versions of three older remote access trojans (RATs), including Trochilus RAT, Gh0st RAT, and 9002 RAT," the Symantec Threat Hunter team, part of Broadcom Software, said in a report shared with The Hacker News. The cybersecurity firm said at least one of the indicators of compromise (IOCs) was used in an attack against an IT service provider operating in multiple Asian countries. It's worth pointing out that all three backdoors are primarily associated with Chinese threat actors such as Stone Panda (APT10), Aurora Panda (APT17), Emissary Panda (APT27), and Judgement Panda (APT31), among others, although they have been put to use by other hacking groups. Symantec said the Webworm threat ac
Iranian Hackers Target High-Value Targets in Nuclear Security and Genomic Research

Sep 13, 2022
Hackers tied to the Iranian government have been targeting individuals specializing in Middle Eastern affairs, nuclear security, and genome research as part of a new social engineering campaign designed to hunt for sensitive information. Enterprise security firm Proofpoint attributed the targeted attacks to a threat actor named TA453, which broadly overlaps with cyber activities monitored under the monikers APT42, Charming Kitten, and Phosphorus. It all starts with a phishing email impersonating legitimate individuals at Western foreign policy research organizations that's ultimately designed to gather intelligence on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). The sock puppet accounts include people from Pew Research Center, the Foreign Policy Research Institute (FPRI), the U.K.'s Chatham House, and the scientific journal Nature. The technique is said to have been deployed in mid-June 2022. However, what differentiates this from other phishing attacks
Chinese Hackers Used ScanBox Framework in Recent Cyber Espionage Attacks

Aug 31, 2022
A months-long cyber espionage campaign undertaken by a Chinese nation-state group targeted several entities with reconnaissance malware so as to glean information about its victims and meet its strategic goals. "The targets of this recent campaign spanned Australia, Malaysia, and Europe, as well as entities that operate in the South China Sea," enterprise security firm Proofpoint said in a report published in partnership with PwC. Targets encompass local and federal Australian government agencies, Australian news media companies, and global heavy industry manufacturers which conduct maintenance of fleets of wind turbines in the South China Sea. Proofpoint and PwC attributed the intrusions with moderate confidence to a threat actor tracked by the two companies under the names TA423 and Red Ladon respectively, which is also known as APT40 and Leviathan. APT40 is the name designated to a China-based, espionage-motivated threat actor that's known to be active since 2013 and
Russian State Hackers Continue to Attack Ukrainian Entities with Infostealer Malware

Aug 16, 2022
Russian state-sponsored actors are continuing to strike Ukrainian entities with information-stealing malware as part of what's suspected to be an espionage operation. Symantec, a division of Broadcom Software, attributed the malicious campaign to a threat actor tracked as Shuckworm, also known as Actinium, Armageddon, Gamaredon, Primitive Bear, and Trident Ursa. The findings have been corroborated by the Computer Emergency Response Team of Ukraine (CERT-UA). The threat actor, active since at least 2013, is known for explicitly singling out public and private entities in Ukraine. The attacks have since ratcheted up in the wake of Russia's military invasion in late 2022. The latest set of attacks are said to have commenced on July 15, 2022, and to have been ongoing as recently as August 8, with the infection chains leveraging phishing emails disguised as newsletters and combat orders, ultimately leading to the deployment of a PowerShell stealer malware dubbed GammaLoad.PS1_v2.
Experts Uncover Details on Maui Ransomware Attack by North Korean Hackers

Aug 10, 2022
The first ever incident possibly involving the ransomware family known as Maui occurred on April 15, 2021, aimed at an unnamed Japanese housing company. The disclosure from Kaspersky arrives a month after U.S. cybersecurity and intelligence agencies issued an advisory about the use of the ransomware strain by North Korean government-backed hackers to target the healthcare sector since at least May 2021. Much of the data about its modus operandi came from incident response activities and industry analysis of a Maui sample that revealed a lack of "several key features" typically associated with ransomware-as-a-service (RaaS) operations. Not only is Maui designed to be manually executed by a remote actor via a command-line interface, it's also notable for not including a ransom note to provide recovery instructions. Subsequently, the Justice Department announced the seizure of $500,000 worth of Bitcoin that was extorted from several organizations, including two he
Meta Cracks Down on Cyber Espionage Operations in South Asia Abusing Facebook

Aug 08, 2022
Facebook parent company Meta disclosed that it took action against two espionage operations in South Asia that leveraged its social media platforms to distribute malware to potential targets. The first set of activities is what the company described as "persistent and well-resourced" and undertaken by a hacking group tracked under the moniker Bitter APT (aka APT-C-08 or T-APT-17) targeting individuals in New Zealand, India, Pakistan, and the U.K. "Bitter used various malicious tactics to target people online with social engineering and infect their devices with malware," Meta said in its Quarterly Adversarial Threat Report. "They used a mix of link-shortening services, malicious domains, compromised websites, and third-party hosting providers to distribute their malware." The attacks involved the threat actor creating fictitious personas on the platform, masquerading as attractive young women in a bid to build trust with targets and lure them into cl
Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks

Jun 13, 2022
A Chinese advanced persistent threat (APT) known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa. Called PingPull, the "difficult-to-detect" backdoor is notable for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications, according to new research published by Palo Alto Networks Unit 42 today. Gallium is notorious for its attacks primarily aimed at telecom companies dating as far back as 2012. Also tracked under the name Soft Cell by Cybereason, the state-sponsored actor has been connected to a broader set of attacks targeting five major telecom companies located in Southeast Asian countries since 2017. Over the past year, however, the group is said to have expanded its victimology footprint to include financial institutions and government entities located in Afghanistan, Australia, Belgium, Cam
Chinese "Twisted Panda" Hackers Caught Spying on Russian Defense Institutes

May 23, 2022
At least two research institutes located in Russia and a third likely target in Belarus have been at the receiving end of an espionage attack by a Chinese nation-state advanced persistent threat (APT). The attacks, codenamed "Twisted Panda," come in the backdrop of Russia's military invasion of Ukraine, prompting a wide range of threat actors to swiftly adapt their campaigns to the ongoing conflict to distribute malware and stage opportunistic attacks. They have materialized in the form of social engineering schemes with topical war and sanctions-themed baits orchestrated to trick potential victims into clicking malicious links or opening weaponized documents. Israeli cybersecurity firm Check Point, which disclosed details of the latest intelligence-gathering operation, attributed it to a Chinese threat actor, with connections to that of Stone Panda (aka APT 10, Cicada, or Potassium) and Mustang Panda (aka Bronze President, HoneyMyte, or RedDelta). Callin
Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector

May 03, 2022
A Chinese-aligned cyberespionage group has been observed striking the telecommunication sector in Central Asia with versions of malware such as ShadowPad and PlugX. Cybersecurity firm SentinelOne tied the intrusions to an actor it tracks under the name "Moshen Dragon," with tactical overlaps between the collective and another threat group referred to as Nomad Panda (aka RedFoxtrot). "PlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors primarily for espionage activity," SentinelOne's Joey Chen said. "Those tools have flexible, modular functionality and are compiled via shellcode to easily bypass traditional endpoint protection products." ShadowPad, labeled a "masterpiece of privately sold malware in Chinese espionage," emerged as a successor to PlugX in 2015, even as variants of the latter have continually popped up as part of different campaigns associated with Chinese threat actors. Alth
New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions

May 03, 2022
A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments. Mandiant is tracking the activity cluster under the uncategorized moniker UNC3524, citing a lack of evidence linking it to an existing group. However, some of the intrusions are said to mirror techniques used by different Russia-based hacking crews like APT28 and APT29. "The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the 'advanced' in Advanced Persistent Threat," the threat intelligence firm said in a Monday report. The initial access route is unknown but upon gaining a foothold, attack chains involving UNC3524 culminate in the deployment of a novel backdoor called QUIETEXIT for persistent remote access for as long as
Chinese "Override Panda" Hackers Resurface With New Espionage Attacks

May 02, 2022
A Chinese state-sponsored espionage group known as Override Panda has resurfaced in recent weeks with a new phishing attack with the goal of stealing sensitive information. "The Chinese APT used a spear-phishing email to deliver a beacon of a Red Team framework known as 'Viper,'" Cluster25 said in a report published last week. "The target of this attack is currently unknown but with high probability, given the previous history of the attack perpetrated by the group, it might be a government institution from a South Asian country." Override Panda, also called Naikon, Hellsing, and Bronze Geneva, is known to operate on behalf of Chinese interests since at least 2005 to conduct intelligence-gathering operations targeting ASEAN countries. Attack chains unleashed by the threat actor have involved the use of decoy documents attached to spear-phishing emails that are designed to entice the intended victims to open and compromise themselves with malware
China-linked Daxin Malware Targeted Multiple Governments in Espionage Attacks

Mar 01, 2022
A previously undocumented espionage tool has been deployed against selected governments and other critical infrastructure targets as part of a long-running espionage campaign orchestrated by China-linked threat actors since at least 2013. Broadcom's Symantec Threat Hunter team characterized the backdoor, named Daxin, as a technologically advanced malware, allowing the attackers to carry out a variety of communications and information-gathering operations aimed at entities in the telecom, transportation, and manufacturing sectors that are of strategic interest to China. "Daxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command-and-control (C2) functionality that enables remote actors to communicate with secured devices not connected directly to the internet," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an independent advisory. The implant takes the form of a Windows kernel driver that implements an elabor