cyber espionage | Breaking Cybersecurity News | The Hacker News

The Russian nation-state actor tracked as Secret Blizzard has been observed leveraging malware associated with other threat actors to deploy a known backdoor called Kazuar on target devices located in Ukraine. The new findings come from the Microsoft threat intelligence team, which said it observed the adversary leveraging the Amadey bot malware to download custom malware onto "specifically selected" systems associated with the Ukrainian military between March and April 2024. The activity is assessed to be the second time since 2022 that Secret Blizzard, also known as Turla, has latched onto a cybercrime campaign to propagate its own tools in Ukraine. "Commandeering other threat actors' access highlights Secret Blizzard's approach to diversifying its attack vectors," the company said in a report shared with The Hacker News. Some of the other known methods employed by the hacking crew include adversary-in-the-middle ( AitM ) campaigns, strategic web compro...

A suspected China-based threat actor has been linked to a series of cyber attacks targeting high-profile organizations in Southeast Asia since at least October 2023. The espionage campaign targeted organizations in various sectors spanning government ministries in two different countries, an air traffic control organization, a telecoms company, and a media outlet, the Symantec Threat Hunter Team said in a new report shared with The Hacker News. The attacks, which leveraged tools previously identified as linked to China-based advanced persistent threat (APT) groups, are characterized by the use of both open-source and living-off-the-land (LotL) techniques. This includes the use of reverse proxy programs such as Rakshasa and Stowaway , as well as asset discovery and identification tools, keyloggers, and password stealers. Also deployed during the course of the attacks is PlugX (aka Korplug), a remote access trojan put to use by several Chinese hacking groups. "The threat ac...

CrowdStrike is named a Leader in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms for the fifth consecutive time, positioned highest on Ability to Execute and furthest to the right on Completeness of Vision.

A suspected China-nexus cyber espionage group has been attributed to an attacks targeting large business-to-business IT service providers in Southern Europe as part of a campaign codenamed Operation Digital Eye . The intrusions took place from late June to mid-July 2024, cybersecurity companies SentinelOne SentinelLabs and Tinexta Cyber said in a joint report shared with The Hacker News, adding the activities were detected and neutralized before they could progress to the data exfiltration phase. "The intrusions could have enabled the adversaries to establish strategic footholds and compromise downstream entities," security researchers Aleksandar Milenkoski and Luigi Martire said . "The threat actors abused Visual Studio Code and Microsoft Azure infrastructure for C2 [command-and-control] purposes, attempting to evade detection by making malicious activities appear legitimate." It's currently not known which China-linked hacking group is behind the attacks,...

A suspected Chinese threat actor targeted a large U.S. organization earlier this year as part of a four-month-long intrusion. According to Broadcom-owned Symantec, the first evidence of the malicious activity was detected on April 11, 2024 and continued until August. However, the company doesn't rule out the possibility that the intrusion may have occurred earlier. "The attackers moved laterally across the organization's network, compromising multiple computers," the Symantec Threat Hunter Team said in a report shared with The Hacker News. "Some of the machines targeted were Exchange Servers, suggesting the attackers were gathering intelligence by harvesting emails. Exfiltration tools were also deployed, suggesting that targeted data was taken from the organizations." The name of the organization that was impacted by the persistent attack campaign was not disclosed, but noted that the victim has a significant presence in China. The links to China as ...

The China-linked threat actor known as MirrorFace has been attributed to a new spear-phishing campaign mainly targeting individuals and organizations in Japan since June 2024. The aim of the campaign is to deliver backdoors known as NOOPDOOR (aka HiddenFace) and ANEL (aka UPPERCUT), Trend Micro said in a technical analysis. "An interesting aspect of this campaign is the comeback of a backdoor dubbed ANEL, which was used in campaigns targeting Japan by APT10 until around 2018 and had not been observed since then," security researcher Hara Hiroaki said . It's worth noting that MirrorFace's use of ANEL was also documented by ESET last month as part of a cyber attack targeting a diplomatic organization in the European Union using lures related to the World Expo. MirrorFace, also known as Earth Kasha, is the name given to a Chinese threat actor that's known for its persistent targeting of Japanese entities. It's assessed to be a sub-cluster within APT10. ...

The U.K. National Crime Agency (NCA) on Wednesday announced that it led an international investigation to disrupt Russian money laundering networks that were found to facilitate serious and organized crime across the U.K., the Middle East, Russia, and South America. The effort, codenamed Operation Destabilise , has resulted in the arrest of 84 suspects linked to two Russian-speaking networks Smart and TGR. In addition, £20 million ($25.4 million) in cash and cryptocurrency has been seized. Both the businesses are based in Moscow's Federation Tower, per The Telegraph , which is known to act as a hub for money laundering firms . Concurrent with the takedown and arrests, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned five individuals and four entities associated with the TGR Group. "Through the TGR Group, Russian elites sought to exploit digital assets – in particular U.S. dollar-backed stablecoins – to evade U.S. and in...

The Russia-linked advanced persistent threat (APT) group known as Turla has been linked to a previously undocumented campaign that involved infiltrating the command-and-control (C2) servers of a Pakistan-based hacking group named Storm-0156 to conduct its own operations since 2022. The activity, first observed in December 2022, is the latest instance of the nation-state adversary "embedding themselves" in another group's malicious operations to further their own objectives and cloud attribution efforts, Lumen Technologies Black Lotus Labs said. "In December 2022, Secret Blizzard initially gained access to a Storm-0156 C2 server and by mid-2023 had expanded their control to a number of C2s associated with the Storm-0156 actor," the company said in a report shared with The Hacker News. By leveraging their access to these servers, Turla has been found to take advantage of the intrusions already orchestrated by Storm-0156 to deploy custom malware families refe...

A joint advisory issued by Australia, Canada, New Zealand, and the U.S. has warned of a broad cyber espionage campaign undertaken by People's Republic of China (PRC)-affiliated threat actors targeting telecommunications providers. "Identified exploitations or compromises associated with these threat actors' activity align with existing weaknesses associated with victim infrastructure; no novel activity has been observed," government agencies said . U.S. officials told Tuesday that the threat actors are still lurking inside U.S. telecommunications networks about six months after an investigation into the intrusions commenced. The attacks have been attributed to a nation-state group from China referred to as Salt Typhoon, which overlaps with activities tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286. The group is known to be active since at least 2020, with some of the artifacts developed as early as 2019. Last week, T-Mobile acknowledged that...

A Moscow-based company sanctioned by the U.S. earlier this year has been linked to yet another influence operation designed to turn public opinion against Ukraine and erode Western support since at least December 2023. The covert campaign undertaken by Social Design Agency (SDA) leverages videos enhanced using artificial intelligence (AI) and bogus websites impersonating reputable news sources to target audiences across Ukraine, Europe, and the U.S. It has been dubbed Operation Undercut by Recorded Future's Insikt Group. "This operation, running in tandem with other campaigns like Doppelganger , is designed to discredit Ukraine's leadership, question the effectiveness of Western aid, and stir socio-political tensions," the cybersecurity company said . "The campaign also seeks to shape narratives around the 2024 U.S. elections and geopolitical conflicts, such as the Israel-Gaza situation, to deepen divisions." Social Design Agency has been previously a...

A 59-year-old U.S. citizen who immigrated from the People's Republic of China (PRC) has been sentenced to four years in prison for conspiring to act as a spy for the country and sharing sensitive information about his employer with China's principal civilian intelligence agency. Ping Li, 59, of Wesley Chapel, Florida, is said to have served as a cooperative contact for the Ministry of State Security (MSS) as early as August 2012, working at their behest to obtain information that's of interest to the Chinese government. Li was employed at telecom giant Verizon and later at information technology service company Infosys. In addition to four years of jail time, Li has been handed a $250,000 fine and three years of supervised release. He was charged with acting as an agent of the PRC without notification to the Attorney General in late July 2024. Li subsequently pleaded guilty to the charges a month later. "The MSS often uses 'cooperative contacts' located...

U.S. telecom service provider T-Mobile said it recently detected attempts made by bad actors to infiltrate its systems in recent weeks but noted that no sensitive data was accessed. These intrusion attempts "originated from a wireline provider's network that was connected to ours," Jeff Simon, chief security officer at T-Mobile, said in a statement. "We see no instances of prior attempts like this." The company further said its security defenses prevented the threat actors from disrupting its services or obtaining customer information. It has since confirmed that it cut off connectivity to the unnamed provider's network. It did not explicitly attribute the activity to any known threat actor or group, but noted that it has shared its findings with the U.S. government. Speaking to Bloomberg, Simon said the company observed the attackers running discovery-related commands on routers to probe the topography of the network, adding the attacks were containe...

The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor. That's according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024. "In this attack, an email purporting to be from a prospective employee was sent to the organization's recruiting contact, infecting the contact with malware," the agency said . APT-C-60 is the moniker assigned to a South Korea-aligned cyber espionage group that's known to target East Asian countries. In August 2024, it was observed exploiting a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) to drop a custom backdoor called SpyGlace. The attack chain discovered by JPCERT/CC involves the use of a phishing email that contains a link to a file hosted on Goo...

The Russia-aligned threat actor known as RomCom has been linked to the zero-day exploitation of two security flaws, one in Mozilla Firefox and the other in Microsoft Windows, as part of attacks designed to deliver the eponymous backdoor on victim systems. "In a successful attack, if a victim browses a web page containing the exploit, an adversary can run arbitrary code – without any user interaction required (zero click) – which in this case led to the installation of RomCom's backdoor on the victim's computer," ESET said in a report shared with The Hacker News. The vulnerabilities in question are listed below - CVE-2024-9680 (CVSS score: 9.8) - A use-after-free vulnerability in Firefox's Animation component (Patched by Mozilla in October 2024)  CVE-2024-49039 (CVSS score: 8.8) - A privilege escalation vulnerability in Windows Task Scheduler (Patched by Microsoft in November 2024) RomCom , also known as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and...

The China-linked threat actor known as Earth Estries has been observed using a previously undocumented backdoor called GHOSTSPIDER as part of its attacks targeting Southeast Asian telecommunications companies.  Trend Micro, which described the hacking group as an aggressive advanced persistent threat (APT), said the intrusions also involved the use of another cross-platform backdoor dubbed MASOL RAT (aka Backdr-NQ) on Linux systems belonging to Southeast Asian government networks. In all, Earth Estries is estimated to have successfully compromised more than 20 entities spanning telecommunications, technology, consulting, chemical, and transportation industries, government agencies, and non-profit organization (NGO) sectors. Victims have been identified across over a dozen countries, including Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the U.S., and Vietnam. Earth Estries shares overlap with clusters t...

We hear terms like "state-sponsored attacks" and "critical vulnerabilities" all the time, but what's really going on behind those words? This week's cybersecurity news isn't just about hackers and headlines—it's about how digital risks shape our lives in ways we might not even realize. For instance, telecom networks being breached isn't just about stolen data—it's about power. Hackers are positioning themselves to control the networks we rely on for everything, from making calls to running businesses. And those techy-sounding CVEs? They're not just random numbers; they're like ticking time bombs in the software you use every day, from your phone to your work tools. These stories aren't just for the experts—they're for all of us. They show how easily the digital world we trust can be turned against us. But they also show us the power of staying informed and prepared. Dive into this week's recap, and let's uncover the risks, the solutions, and the small steps we can all take to stay a...