CyberCrime - W/E - 9/27/19
Latest Sednit/Fancy Bear/Sofacy Activities Show Sophisticated New Components (09/24/2019)
A Sednit (also known as APT28, Fancy Bear, Sofacy, and STRONTIUM) campaign launched on August 20 targeted embassies and ministries of foreign affairs in Eastern European and Central Asian countries, ESET's researchers reported. The campaign, previously described by the security team at Telsy TRT, started with a phishing email carrying a malicious attachment that delivered a long chain of downloaders, ending in a backdoor. ESET found that Sednit has added the Nim language to its toolset for one of the downloaders, updated its Golang downloader, and rewritten its backdoor from Delphi into Golang.
Report: Airbus Targeted by Hackers for Commercial Secrets (09/26/2019)
Threat actors launched a series of cyber attacks on the European aerospace company Airbus, unnamed sources told AFP. There were four attacks, beginning in 2018 and continuing into 2019. The sources said the attackers went through Airbus suppliers: Rolls-Royce, the French technology consultancy Expleo, and two French contractors working for Airbus. Several of the sources said the attackers appeared to be after technical documentation related to the certification process for Airbus aircraft components. The attackers also stole documents on the turboprop engines used in Airbus military aircraft and details of the propulsion and avionics systems of the Airbus A350 passenger aircraft. Attribution is unconfirmed, but the sources pointed to Chinese hackers. Airbus did not respond to the report, Rolls-Royce would not comment on the specifics of any attack, and Expleo declined to confirm or deny the events.
Russian Hacker Pleads Guilty in JPMorgan Breach Case Involving 100 Million People (09/24/2019)
Andrei Tyurin, the Russian national behind a hacking campaign that stole the data of more than 100 million people, including customers of JPMorgan Chase, has pleaded guilty to six counts, including computer hacking conspiracy and bank fraud, the Department of Justice (DOJ) announced. The intrusions took place between 2012 and 2013 and compromised the records of over 100 million customers of financial institutions, 83 million of them from JPMorgan Chase. Charges against three other individuals involved in the scheme are pending.
Scammers Use Voicemail Messages to Trick Corporate Microsoft User Accounts (09/26/2019)
Kaspersky has uncovered a widespread malicious email campaign aimed at stealing Microsoft user account credentials, which give the attackers access to private corporate information. Delivered as an elaborate spam message posing as a voice message notification, the attacks target employees of large organizations that use business messengers with a voice message feature and that deliver voice message notifications through corporate email. The campaign is aimed specifically at corporate mail users, and its purpose is to gain access to sensitive business correspondence and confidential commercial data.
Senior Members of Tibetan Groups Attacked by POISON CARP Threat Entity (09/25/2019)
A campaign known as POISON CARP targeted senior members of Tibetan groups. According to the Citizen Lab team, the targets received malicious links in individually tailored WhatsApp conversations with operators posing as non-governmental organization workers, journalists, and other fake personas. The links led to code that exploited Web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. The attacks took place between November 2018 and May 2019. POISON CARP employed a total of eight Android browser exploits, an Android spyware kit, one iOS exploit chain, and iOS spyware.
Tortoiseshell Threat Actor Victimizes Job-Seeking US Veterans (09/25/2019)
US military veterans are being targeted by the Tortoiseshell threat actor through a fake Web site, Cisco has confirmed. The group set up a site purporting to help US military veterans find jobs, closely resembling a legitimate service offered by the Department of Commerce. The site prompted visitors to download an app, which was actually a malicious downloader that deployed spying tools and other malware, including a remote access Trojan called IvizTech.
Windows Users Exploited by PcShare Backdoor Attacks (09/25/2019)
A suspected Chinese advanced persistent threat group is attacking technology companies in Southeast Asia. The threat actors deploy a modified version of the Chinese open-source backdoor PcShare, built to run when side-loaded by a legitimate NVIDIA application. According to BlackBerry Cylance, the attackers also deploy a Trojanized screen reader that replaces the built-in Narrator "Ease of Access" binary in Windows. Because Narrator can be launched from the Windows logon screen, the Trojanized replacement lets them take interactive control of a system over a remote desktop connection without supplying any credentials.
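The replaced-Narrator technique is detectable from the host: the genuine accessibility binaries in System32 are Microsoft-signed, and a swapped-in Trojan is not. The following PowerShell check is an added example for this digest, not code from BlackBerry Cylance or from the PcShare campaign. It extends the report's single case (Narrator.exe) to the other accessibility binaries reachable from the logon screen, and additionally looks for an Image File Execution Options (IFEO) "Debugger" value, a well-known alternative to overwriting the file that the report itself does not describe. The expected signer CN (`Microsoft Windows`) and the list of binaries beyond Narrator.exe are assumptions of the example. It assumes Windows 10 or Server 2016 and later with PowerShell 5.1, run from an elevated prompt.

```powershell
# Added example: detect tampered Windows accessibility binaries (logon-screen backdoors).
# Not from the original report. Assumes Windows 10/Server 2016+, PowerShell 5.1, elevated.

$accessibilityBinaries = @(
    'Narrator.exe',      # screen reader replaced in the PcShare campaign
    'sethc.exe',         # Sticky Keys (Shift x5)          - assumed extra targets below
    'utilman.exe',       # Ease of Access menu (Win+U)
    'osk.exe',           # On-Screen Keyboard
    'Magnify.exe',       # Magnifier
    'DisplaySwitch.exe', # Win+P display switcher
    'AtBroker.exe'       # assistive technology broker
)
$system32 = Join-Path $env:SystemRoot 'System32'
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-AccessibilityBinary {
    param([Parameter(Mandatory)][string]$Name)

    $path   = Join-Path $system32 $Name
    $result = [ordered]@{ Binary = $Name; Path = $path; Present = (Test-Path $path) }
    if (-not $result.Present) { return [pscustomobject]$result }

    # 1. Signature. Shipped Windows binaries validate as Microsoft-signed, usually via
    #    the system catalog rather than an embedded Authenticode signature; both count.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $result.SignatureStatus = $sig.Status
    $result.SignatureType   = $sig.SignatureType
    $result.Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    # Assumption: genuine files carry a subject starting "CN=Microsoft Windows".
    $result.SignedByMicrosoft = ($sig.Status -eq 'Valid') -and
                                ($result.Signer -like 'CN=Microsoft Windows*')

    # 2. File identity, to correlate against a clean reference image or a previous run.
    $result.Sha256      = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    $result.ProductName = (Get-Item $path).VersionInfo.ProductName

    # 3. IFEO debugger: redirects execution of the binary without touching the file.
    #    (Common alternative technique; not described in the report.)
    $ifeoKey = Join-Path $ifeoRoot $Name
    $result.IfeoDebugger = if (Test-Path $ifeoKey) {
        (Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
    } else { $null }

    $result.Suspicious = (-not $result.SignedByMicrosoft) -or [bool]$result.IfeoDebugger
    [pscustomobject]$result
}

$findings = $accessibilityBinaries | ForEach-Object { Test-AccessibilityBinary -Name $_ }

$findings | Format-Table Binary, Present, SignatureStatus, SignatureType, SignedByMicrosoft, IfeoDebugger, Suspicious -AutoSize

$findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning ("Investigate {0}: status={1} signer='{2}' ifeo='{3}' sha256={4}" -f
        $_.Path, $_.SignatureStatus, $_.Signer, $_.IfeoDebugger, $_.Sha256)
}
```

A binary that reports `NotSigned`, `HashMismatch`, or a non-Microsoft signer, or any IFEO `Debugger` value on these names, warrants a look at the file's hash against a known-good copy of the same Windows build (or `sfc /verifyonly`) and at who has written to System32. Run as a scheduled baseline, the SHA-256 column also catches a replacement that happens to carry a valid signature from some other publisher.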
xHunt Threat Activity Takes Aim at Kuwaiti Transportation Sector (09/24/2019)
Between May and June 2019, Palo Alto Networks observed previously unknown malicious tools being used against transportation and shipping organizations based in Kuwait. The activity has been dubbed "xHunt" because the threat actor named the tools after characters from the anime series Hunter x Hunter. The tools use HTTP for their command and control (C2) channel, and certain variants can also reach the C2 through DNS tunneling or email. The campaign is likely related to a similar one documented by IBM in 2018.