Tag Archive for: campaigns

Embassy of China in Canada Issues a Statement on U.S Cyber Espionage Campaigns Against Japan

/in


I just came across to a statement issued by the Embassy of China in Canada on the U.S cyber espionage campaigns launched against Japan.

What’s so special about this statement? First it does quite Wikileaks which is a bit of an outdated approach including the actual source to shed more light into a bigger problem and issue for China that the press statement on the Web site of the Chinese Embassy in Canada mentions. In this specific case the statement implies the use of the so called “hunt-forward” missions which could really mean big trouble for China if the U.S somehow manages to secure a deal with a neighbouring country next to China which could really mean big trouble for China as the U.S will then attempt to establish the foundation for a successful cyber attacks and possibly information operations interception campaigns used managed and operated by China including its partners and allies where to ultimate goal would be to measure their true capabilities and set the foundation for a successful cyber situational awareness campaign in terms of cyber attacks and the true state of China’s true cyberspace operations and cyber attack capabilities including the capabilities of some of its neighbouring countries.

The so called Hunt Forward Operations also known as (HFOs) are an early warning system for cyber situational awareness that could improve the true state of the visibility of the actual country that’s doing these missions in this specific case the U.S could really learn a lot about new tactics and techniques courtesy of the attackers based in the specific country where it’s hosting its mission which could be really bad news for China in terms of having the U.S deploy hunt forward missions in its neighbouring countries where the U.S could really get a better picture of China’s understanding and actual applicability of basic cyber warfare principles and concepts in action including the “know-how” of its neighbouring countries.

Despite the fact that the U.S is willing to share its knowledge and understanding of cyber attacks “know-how” with the host country of a hunt forward mission it could also learn a lot about the cyber attacks that originate from the…

Source…

Microsoft details DDoS attacks against healthcare, recent campaigns from KillNet

/in


Microsoft on Friday shared details about the distributed denial-of-service (DDoS) attack landscape against healthcare applications hosted in Azure whilst highlighting the recent attack campaigns launched by KillNet or its affiliated hacktivist groups.

Killnet is a pro-Russia hacktivist group known for its DDoS campaigns against western countries, targeting governments and companies with a focus on the healthcare sector. According to Microsoft’s security researchers, the group attempted to evade DDoS mitigation strategies by changing their attack vectors, such as utilizing different layer 4 and layer 7 attack techniques and increasing the number of sources participating in the campaign.

Microsoft measured the number of daily DDoS attacks on healthcare organizations in Azure between November 18, 2022, and February 17, 2023, and observed a significant increase in the frequency of attacks, with the number of daily attacks rising from 10-20 in November to 40-60 in February.

Among the various types of healthcare organizations, pharmaceutical and life sciences organizations were attacked the most, accounting for 31% of all attacks. Hospitals were the second most targeted with 26%, followed by healthcare insurance with 16% and health services and care organizations with 16% of all attacks.

The Microsoft Azure Network Security Team also observed a combination of multi-vector layer 3, layer 4, and layer 7 DDoS attacks. These attacks primarily focused on web applications and utilized a combination of TCP and UDP vectors. The researchers observed layer 7 DDoS attacks consuming many TCP connections and keeping them alive long enough trying to deplete memory state resources to render the application unavailable – a repeated pattern noticed in several cases for attacks attributed to KillNet.

Here’s the distribution of DDoS attack types targeting healthcare:

  • UDP floods – 53.16%
  • TCP – 44.42%
  • IP flood – 1.78%
  • Packet anomaly – 0.36%
  • UDP amplification – 0.28%

As for the campaigns launched by KillNet and affiliate hacktivist groups, the attack targeted a healthcare provider. The attack lasted less than 12 hours and included TCP SYN, TCP ACK, and packet anomalies. The attack throughput wasn’t very…

Source…

Pro-Russia hack campaigns are running rampant in Ukraine

/in


Pro-Russia hack campaigns are running rampant in Ukraine

Getty Images

Pro-Russian threat actors are continuing their unrelenting pursuit of Ukrainian targets, with an array of campaigns that include fake Android apps, hack attacks exploiting critical vulnerabilities, and email phishing attacks that attempt to harvest login credentials, researchers from Google said.

One of the more recent campaigns came from Turla, a Russian-speaking advanced persistent threat actor that’s been active since at least 1997 and is among the most technically sophisticated in the world. According to Google, the group targeted pro-Ukrainian volunteers with Android apps that posed as launchpads for performing denial-of-service attacks against Russian websites.

Google

“All you need to do to launch the process is install the app, open it and press start,” the fake website promoting the app claimed. “The app immediately begins sending requests to the Russian websites to overwhelm their resources and cause the denial of service.”

In fact, a researcher with Google’s threat analysis group said, the app sends a single GET request to a target website. Behind the scenes, a different Google researcher told Vice that the app was designed to map out the user’s Internet infrastructure and “work out where the people that are potentially doing these sorts of attacks are.”

The apps, hosted on a domain spoofing the Ukrainian Azov Regiment, mimicked another Android app Google first saw in March that also claimed to perform DoS attacks against Russian sites. Unlike the Turla apps, stopwar.apk, as the latter app was named, sent a continuous stream of requests until the user stopped them.

Google

“Based on our analysis, we believe that the StopWar app was developed by pro-Ukrainian developers and was the inspiration for what Turla actors based their fake CyberAzov DoS app off of,” Google researcher Billy Leonard wrote.

Other hacking groups sponsored by the Kremlin have also targeted Ukrainian groups. Campaigns included the exploitation of Follina, the name given to a critical vulnerability in all supported versions of Windows that was actively targeted in the wild

Source…

Kaspersky finds evidence of continued Russian hacking campaigns in Ukraine

/in


APT group Armageddon was identified as acting against Ukraine late last year, and Symantec’s own data backs up that presented by The Security Service of Ukraine.

apt.jpg
Image: Profit_Image/Shutterstock

Security researchers at Symantec have presented what they said is further evidence that the Russian advanced persistent threat hacking team known as Shuckworm has been actively waging a cyber espionage campaign against organizations in Ukraine.

According to a report from The Security Service of Ukraine released in November 2021, Shuckworm, also known by Armageddon, Gamaredon, Primitive Bear and other monikers, is relatively new to the APT world. The SSU believes Shuckworm was founded in 2013 or 2014 and initially operated with a very low profile. Despite its relative newness to the scene, the SSU said “the group is able to turn into a cyberthreat with consequences, the scale of which will exceed the negative effect of the activities of [known Russian APTs APT28, SNAKE and APT29].”

Symantec said its findings are consistent with the SSU’s report, which said Shuckworm has become more sophisticated since 2017, the end result of which is a group with custom-built malware to infiltrate and legitimate tools to keep itself connected.

Anatomy of a cyber espionage attack

There are a variety of methods that APTs use to establish a permanent presence in victim networks. In the particular case study Symantec included in its report, Shuckworm likely used a tried-and-true ingress method: Phishing.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

The attack began July 14, 2021, and continued for over a month, Symantec said, and it all began with a malicious Word document. “Just five minutes after the document is opened, a suspicious command is also executed to launch a malicious VBS file,” Symantec said. That file, in turn, installed the Pterodo backdoor software that was previously linked to Shuckworm.

The creation of Pterodo is what the SSU said divides Shuckworm’s early days from its more dangerous later years. Prior to the creation of Pterodo, Shuckworm relied on legitimate remote access tools like RMS and UltraVNC. Now, through the…

Source…