Cyber Attack | Breaking Cybersecurity News | The Hacker News

A highly targeted cyber attack against an East Asian IT company involved the deployment of a custom malware written in Golang called  RDStealer . "The operation was active for more than a year with the end goal of compromising credentials and data exfiltration," Bitdefender security researcher Victor Vrabie  said  in a technical report shared with The Hacker News. Evidence gathered by the Romanian cybersecurity firm shows that the campaign – dubbed RedClouds – started in early 2022. The targeting aligns with the interest of China-based threat actors. In the early phases, the operation relied on readily available remote access and post-exploitation tools like AsyncRAT and Cobalt Strike, before transitioning to bespoke malware in late 2021 or early 2022 in a bid to thwart detection. A primary evasion tactic concerns the use of Microsoft Windows folders that are likely to be excluded from scanning by security software (e.g., System32 and Program Files) to store the backdoor

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a  recently disclosed critical flaw  in Progress Software's MOVEit Transfer application to drop ransomware. "The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection vulnerability in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer," the agencies  said . "Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases." The prolific cybercrime gang has since  issued an ultimatum  to several impacted businesses, urging them to get in touch by June 14, 2023, or risk getting all their stolen data published. Microsoft is tracking the activity under the moniker  Lace Tempest  (aka Storm-0950),

Threat actors associated with the  Cyclops ransomware  have been observed offering an information stealer malware that's designed to capture sensitive data from infected hosts. "The threat actor behind this [ransomware-as-a-service] promotes its offering on forums," Uptycs  said  in a new report. "There it requests a share of profits from those engaging in malicious activities using its malware." Cyclops ransomware is notable for targeting all major desktop operating systems, including Windows, macOS, and Linux. It's also designed to terminate any potential processes that could interfere with encryption. The macOS and Linux versions of Cyclops ransomware are written in Golang. The ransomware further employs a complex encryption scheme that's a mix of asymmetric and symmetric encryption. The Go-based stealer, for its part, is designed to target Windows and Linux systems, capturing details such as operating system information, computer name, number o

The threat actor known as  Dark Pink  has been linked to five new attacks aimed at various entities in Belgium, Brunei, Indonesia, Thailand, and Vietnam between February 2022 and April 2023. This includes educational institutions, government agencies, military bodies, and non-profit organizations, indicating the adversarial crew's continued focus on high-value targets. Dark Pink, also called Saaiwc Group, is an advanced persistent threat (APT) actor believed to be of Asia-Pacific origin, with  attacks   targeting  entities primarily located in East Asia and, to a lesser extent, in Europe. The group employs a set of custom malware tools such as TelePowerBot and KamiKakaBot that provide various functions to exfiltrate sensitive data from compromised hosts. "The group uses a range of sophisticated custom tools, deploys multiple kill chains relying on spear-phishing emails," Group-IB security researcher Andrey Polovinkin  said  in a technical report shared with The Hacker News. "Onc

A new phishing technique called "file archiver in the browser" can be leveraged to "emulate" a file archiver software in a web browser when a victim visits a .ZIP domain. "With this phishing attack, you simulate a file archiver software (e.g., WinRAR) in the browser and use a .zip domain to make it appear more legitimate," security researcher mr.d0x  disclosed  last week. Threat actors, in a nutshell, could create a realistic-looking  phishing landing page  using HTML and CSS that mimics legitimate file archive software, and host it on a .zip domain, thus elevating  social engineering campaigns . In a potential attack scenario, a miscreant could resort to such trickery to redirect users to a credential harvesting page when a file "contained" within the fake ZIP archive is clicked. "Another interesting use case is listing a non-executable file and when the user clicks to initiate a download, it downloads an executable file," mr.d0x

The  rising   geopolitical tensions  between China and Taiwan in recent months have sparked a noticeable uptick in cyber attacks on the East Asian island country. "From malicious emails and URLs to malware, the strain between China's claim of Taiwan as part of its territory and Taiwan's maintained independence has evolved into a worrying surge in attacks," the Trellix Advanced Research Center  said  in a new report. The attacks, which have targeted a variety of sectors in the region, are mainly designed to deliver malware and steal sensitive information, the cybersecurity firm said, adding it detected a four-fold jump in the volume of malicious emails between April 7 and April 10, 2023. Some of the most impacted industry verticals during the four-day time period were networking, manufacturing, and logistics. What's more, the spike in malicious emails targeting Taiwan was followed by a 15x increase in PlugX detections between April 10 and April 12, 2023, indi

The Chinese nation-state actor known as  Mustang Panda  has been linked to a new set of sophisticated and targeted attacks aimed at European foreign affairs entities since January 2023. An analysis of these intrusions, per Check Point researchers Itay Cohen and Radoslaw Madej, has revealed a custom firmware implant designed explicitly for TP-Link routers. "The implant features several malicious components, including a custom backdoor named 'Horse Shell' that enables the attackers to maintain persistent access, build anonymous infrastructure, and enable lateral movement into compromised networks," the company said . "Due to its firmware-agnostic design, the implant's components can be integrated into various firmware by different vendors." The Israeli cybersecurity firm is tracking the threat group under the mythical creature name Camaro Dragon,  which  is  also known as  BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich. The

Government, aviation, education, and telecom sectors located in South and Southeast Asia have come under the radar of a new hacking group as part of a highly-targeted campaign that commenced in mid-2022 and continued into the first quarter of 2023. Symantec, by Broadcom Software, is tracking the activity under its insect-themed moniker  Lancefly , with the attacks making use of a "powerful" backdoor called Merdoor. Evidence gathered so far points to the custom implant being utilized as far back as 2018. The ultimate goal of the campaign, based on the tools and the victimology pattern, is assessed to be intelligence gathering. "The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted," Symantec  said  in an analysis shared with The Hacker News. "The attackers in this campaign also have access to an updated version of the ZXShell rootkit."

Government organizations in Central Asia are the target of a sophisticated espionage campaign that leverages a previously undocumented strain of malware dubbed  DownEx . Bitdefender, in a  report  shared with The Hacker News, said the activity remains active, with evidence likely pointing to the involvement of Russia-based threat actors. The Romanian cybersecurity firm said it first detected the malware in a highly targeted attack aimed at foreign government institutions in Kazakhstan in late 2022. Subsequently, another attack was observed in Afghanistan. The use of a diplomat-themed lure document and the campaign's focus on data exfiltration suggests the involvement of a state-sponsored group, although the exact identity of the hacking outfit remains indeterminate at this stage. The initial intrusion vector for the campaign is suspected to be a spear-phishing email bearing a booby-trapped payload, which is a loader executable that masquerades as a Microsoft Word file. Openi

The U.S. government on Tuesday announced the court-authorized disruption of a global network compromised by an advanced malware strain known as  Snake  wielded by Russia's Federal Security Service (FSB). Snake, dubbed the "most sophisticated cyber espionage tool," is the handiwork of a Russian state-sponsored group called  Turla  (aka Iron Hunter, Secret Blizzard, SUMMIT, Uroburos, Venomous Bear, and Waterbug), which the U.S. government attributes to a unit within Center 16 of the FSB. The threat actor has a  track record  of heavily focusing on entities in Europe, the Commonwealth of Independent States (CIS), and countries affiliated with NATO, with recent activity expanding its footprint to incorporate Middle Eastern nations deemed a threat to countries supported by Russia in the region. "For nearly 20 years, this unit [...] has used versions of the Snake malware to steal sensitive documents from hundreds of computer systems in at least 50 countries, which have

Three different threat actors leveraged hundreds of elaborate fictitious personas on Facebook and Instagram to target individuals located in South Asia as part of disparate attacks. "Each of these APTs relied heavily on social engineering to trick people into clicking on malicious links, downloading malware or sharing personal information across the internet," Guy Rosen, chief information security officer at Meta,  said . "This investment in social engineering meant that these threat actors did not have to invest as much on the malware side." The fake accounts, in addition to using traditional lures like women looking for a romantic connection, masqueraded as recruiters, journalists, or military personnel. At least two of the  cyber espionage efforts  entailed the use of low-sophistication malware with reduced capabilities, likely in an attempt to get past  app verification checks  established by Apple and Google.  One of the groups that came under Meta's r

South Korean education, construction, diplomatic, and political institutions are at the receiving end of new attacks perpetrated by a China-aligned threat actor known as the  Tonto Team . "Recent cases have revealed that the group is using a file related to anti-malware products to ultimately execute their malicious attacks," the AhnLab Security Emergency Response Center (ASEC)  said  in a report published this week. Tonto Team, active since at least 2009, has a track record of targeting various sectors across Asia and Eastern Europe. Earlier this year, the group was  attributed  to an unsuccessful phishing attack on cybersecurity company Group-IB. The attack sequence discovered by ASEC starts with a Microsoft Compiled HTML Help (.CHM) file that executes a binary file to side-load a malicious DLL file (slc.dll) and launch  ReVBShell , an open source VBScript backdoor also put to use by another Chinese threat actor called  Tick . ReVBShell is subsequently leveraged to do

A little-known Russian-speaking cyber-espionage group has been linked to a new politically-motivated surveillance campaign targeting high-ranking government officials, telecom services, and public service infrastructures in Tajikistan. The intrusion set, dubbed  Paperbug  by Swiss cybersecurity company PRODAFT, has been attributed to a threat actor known as  Nomadic Octopus  (aka DustSquad). "The types of compromised machines range from individuals' computers to [operational technology] devices," PRODAFT said in a deep dive technical report shared with The Hacker News. "These targets make operation 'Paperbug' intelligence-driven." The ultimate motive behind the attacks is unclear at this stage, but the cybersecurity firm has raised the possibility that it could be the work of opposition forces within the country or, alternatively, an intelligence-gathering mission carried out by Russia or China. Nomadic Octopus first came to light in October 2018 w

A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control ( RBAC ) to create backdoors and run cryptocurrency miners. "The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack," cloud security firm Aqua said in a report shared with The Hacker News. The Israeli company, which dubbed the attack  RBAC Buster , said it found 60 exposed K8s clusters that have been exploited by the threat actor behind this campaign. The attack chain commenced with the attacker gaining initial access via a misconfigured API server, followed by checking for evidence of competing miner malware on the compromised server, and then using RBAC to set up persistence. "The attacker created a new ClusterRole with near admin-level privileges," the company said. "Next, the attacker created a 'ServiceAccount', 'kube-controller' in the 'kube-system' namespace. Las

The Pakistan-based advanced persistent threat (APT) actor known as  Transparent Tribe  used a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon. "Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week. "It is a general-purpose backdoor that provides attackers with a wide range of capabilities to hijack an infected host. Its functionalities include logging keystrokes, taking screen captures, uploading and downloading files, and remotely administering the system in various ways." Transparent Tribe  is also tracked as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, and has a track record of targeting Indian government organizations, military personnel, defense contractors, and educational entities. It has also repeatedly leveraged trojanized versions of Kavac

U.K. and U.S. cybersecurity and intelligence agencies have  warned  of Russian nation-state actors exploiting now-patched flaws in networking equipment from Cisco to conduct reconnaissance and deploy malware against select targets. The  intrusions , per the authorities, took place in 2021 and targeted a small number of entities in Europe, U.S. government institutions, and about 250 Ukrainian victims. The activity has been attributed to a threat actor tracked as  APT28 , which is also known as Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, and Sofacy, and is affiliated with the Russian General Staff Main Intelligence Directorate (GRU). "APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742," the National Cyber Security Centre (NCSC) said. CVE-2017-6742  (CVSS score: 8.8) is part of a set of remote code execution flaws that stem from a  buffer overflow condition  in the Simple Ne

An Iranian government-backed actor known as  Mint Sandstorm  has been linked to attacks aimed at critical infrastructure in the U.S. between late 2021 to mid-2022. "This Mint Sandstorm subgroup is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align with Iran's national priorities," the Microsoft Threat Intelligence team  said  in an analysis. Targeted entities consist of seaports, energy companies, transit systems, and a major U.S. utility and gas company. The activity is suspected to be retaliatory and in response to attacks targeting its maritime,  railway , and  gas station payment systems  that took place between May 2020 and late 2021. It's worth noting here that Iran subsequently  accused  Israel and the U.S. of masterminding the attacks on the gas stations in a bid to create unrest in the nation. Mint Sandsto