Tag Archive for: Campaign

Hiring? New scam campaign means ‘resume’ downloads may contain malware


A cybercrime gang is targeting hiring managers and recruiters in a new campaign to spread the “more_eggs” backdoor malware.

Emails from supposed job seekers are luring victims to malicious “resume” downloads using sophisticated social engineering and infrastructure, Proofpoint said in a security briefing Tuesday.

The briefing outlines the evolving tactics of the threat actor tracked as TA4557, which Proofpoint researchers have been monitoring since 2018.

Spear phishing strategy convinces recruiters to stray from safety

Secure email gateways are one of the most common endpoint security measures used by organizations; new methods by TA4557 seek to bypass these measures and lure job recruiters to attacker-controlled websites.

“The social engineering is very compelling leading up to the download of the file from the resume website,” Proofpoint Senior Threat Analyst Selena Larson told SC Media.

The attacks, which Proofpoint first detected in October 2023, begin with an email inquiring about an open position. With no links or attachments, the seemingly benign email gets the foot in the door to start building trust.

If the victim responds, the attack chain continues with the supposed job candidate inviting the hiring manager or recruiter to download a resume from their “personal website.”

Unlike classic job scams targeting job seekers themselves, there is no need to impersonate an established business through methods like typosquatting. Additionally, researchers began seeing in early November that attackers avoided sending links altogether by directing their victims to “refer to the domain name of my email address to access my portfolio.”

Requiring the victim to copy and paste the malicious domain name increases the likelihood the emails will make it past secure email gateways. Plus, with unassuming domain names like “wlynch[.]com” for a candidate named William Lynch and “annetterawlings[.]com” for a candidate named Annette Rawlings, the emails are less likely to raise alarm bells than those from free email providers like Gmail or Yahoo.

The attacker-controlled “candidate” websites were found to apply filters based on details like the victim’s IP address to…


UK and allies expose Russian intelligence services for cyber campaign of attempted political interference – National Cyber Security Centre



Russian hackers targeted US intel officers in ‘sophisticated spear phishing campaign,’ DOJ says


Hackers acting on behalf of the Russian government targeted U.S. intelligence officers in a “sophisticated spear phishing campaign” designed to influence elections in the United Kingdom, the Justice Department (DOJ) alleged Thursday.

The operation successfully hacked into computer networks in the U.S., the U.K., Ukraine and other NATO member countries and “stole information used in foreign malign influence operations designed to influence the U.K.’s 2019 elections,” the DOJ said.

The DOJ unsealed a federal indictment Thursday against two individuals connected to the plot, after a federal grand jury in San Francisco returned an indictment Tuesday.

The two individuals charged are Ruslan Aleksandrovich Peretyatko, an officer in Russia’s Federal Security Service (FSB), the DOJ claimed, and Andrey Stanislavovich Korinets. They are each charged with one count of conspiracy to commit an offense against the United States and one count of conspiracy to commit wire fraud.

Along with other unindicted co-conspirators, the defendants were part of the so-called “Callisto Group,” the DOJ said.

The indictment alleges that the hacking campaign took place between at least October 2016 and October 2022 and targeted current and former employees of the U.S. Intelligence Community, Department of Defense, Department of State, defense contractors, and Department of Energy facilities.

The spear phishing campaign often was carried out by sending “sophisticated looking emails” that tricked the targets into providing their log-in credentials, thereby allowing the hackers to access the victims’ email accounts whenever they wanted to, the DOJ said.

Some of the emails were sent from “spoofed” accounts designed to look like other personal and work-related emails the victims would receive, the DOJ said. Sometimes, the emails claimed the users had violated terms of service on an account and had to log in via a provided link. When the users thought they were signing into their accounts, they were actually providing the account credentials to hackers, the DOJ said.

U.S. officials pointed to the indictments as evidence that Russia still is trying to target democratic elections, and they pledged to…


Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign


Oct 16, 2023 | Newsroom | Vulnerability / Hacking


Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems.

“The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as CVE-2023-38831,” Cluster25 said in a report published last week.

The archive contains a booby-trapped PDF file that, when clicked, causes a Windows Batch script to be executed, which launches PowerShell commands to open a reverse shell that gives the attacker remote access to the targeted host.

Also deployed is a PowerShell script that steals data, including login credentials, from the Google Chrome and Microsoft Edge browsers. The captured information is exfiltrated via a legitimate web service webhook[.]site.


CVE-2023-38831 refers to a high-severity flaw in WinRAR that allows attackers to execute arbitrary code upon attempting to view a benign file within a ZIP archive. Findings from Group-IB in August 2023 disclosed that the bug had been weaponized as a zero-day since April 2023 in attacks targeting traders.

The development comes as Google-owned Mandiant charted Russian nation-state actor APT29’s “rapidly evolving” phishing operations targeting diplomatic entities amid an uptick in tempo and an emphasis on Ukraine in the first half of 2023.

The substantial changes in APT29’s tooling and tradecraft are “likely designed to support the increased frequency and scope of operations and hinder forensic analysis,” the company said, adding that the group has “used various infection chains simultaneously across different operations.”

Some of the notable changes include the use of compromised WordPress sites to host first-stage payloads as well as additional obfuscation and anti-analysis components.

APT29, which has also been linked to cloud-focused exploitation, is one of the many activity clusters originating from Russia that have singled out Ukraine following the onset of the war early last year.

In July 2023, the Computer Emergency Response Team of Ukraine…
