Tag Archive for: campaigns

North Korean Hackers Found Behind a Range of Credential Theft Campaigns


A threat actor with ties to North Korea has been linked to a prolific wave of credential theft campaigns targeting research, education, government, media and other organizations, with two of the attacks also attempting to distribute malware that could be used for intelligence gathering.

Enterprise security firm Proofpoint attributed the infiltrations to a group it tracks as TA406, which the wider threat intelligence community tracks under the monikers Kimsuky (Kaspersky), Velvet Chollima (CrowdStrike), Thallium (Microsoft), Black Banshee (PwC), ITG16 (IBM), and the Konni Group (Cisco Talos).

Policy experts, journalists and nongovernmental organizations (NGOs) were targeted as part of weekly campaigns observed from January through June 2021, Proofpoint researchers Darien Huss and Selena Larson disclosed in a technical report detailing the actor’s tactics, techniques, and procedures (TTPs), with the attacks spread across North America, Russia, China, and South Korea.

Known to be operational as early as 2012, Kimsuky has since emerged as one of the most active advanced persistent threat (APT) groups. It is known primarily for cyber espionage but also for conducting attacks for financial gain, targeting government entities, think tanks, and individuals identified as experts in various fields, and for harvesting sensitive information pertaining to foreign policy and national security issues.


“Like other APT groups that constitute a big umbrella, Kimsuky contains several clusters: BabyShark, AppleSeed, Flower Power, and Gold Dragon,” Kaspersky researchers noted in their Q2 2021 APT trends report published last month. The AppleSeed sub-group is also referred to as TA408.

The group is also known for reeling in targets with convincing social engineering schemes and watering hole attacks before sending them malware-infected payloads or tricking them into submitting sensitive credentials to phishing sites, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a public alert issued in October 2020.

Earlier this month, researchers from Cisco Talos disclosed an ongoing Kimsuky campaign since June 2021 that was found leveraging malicious blogs hosted on Google’s…


COVID-19 themed malware and credential theft campaigns make a resurgence as Delta variant spreads


Proofpoint finds COVID-19 themed email threats make a resurgence as the Delta variant spreads.

Since late June 2021, Proofpoint has observed high volumes of COVID-19 themed threats, both malware distribution and credential theft campaigns, including a Microsoft credential theft campaign targeting thousands of organisations globally. Proofpoint researchers also identified an increase in business email compromise, with threat actors posing as human resources professionals to gain an individual’s trust.

The new attacks follow a lull in COVID-19-themed threat campaigns through the Spring and early Summer of 2021. Now, multiple types of high-volume threats have pivoted back to using COVID-19 social engineering themes as global concern about the Delta variant rises. 

Proofpoint has been tracking ongoing threats using COVID-19 and related coronavirus themes since the beginning of the pandemic. TA452, known to distribute Emotet, first began using COVID-19 in email threats in January 2020. Although the virus has remained an ongoing theme, researchers have observed a significant increase in messages leveraging COVID-19 in recent months. 

Since late June 2021, Proofpoint has observed a high volume of COVID-19 themed campaigns distributing RustyBuer, Formbook, and Ave Maria malware, in addition to multiple corporate phishing attempts to steal Microsoft and O365 credentials. The researchers also found an increase in business email compromise threats using COVID-19 themes during this timeframe.

“The increase in COVID-19 themes in our data aligns with public interest in the highly contagious COVID-19 Delta variant,” says Proofpoint.

“According to global Google Trend data, worldwide searches for “Delta variant” first peaked the last week in June 2021 and have continued through August 2021 so far. The increase in COVID-19 related threats is global. We observed tens of thousands of messages intended for customers in various industries worldwide.” 

Open-source data also supports a greater threat actor adoption of COVID-19 themes. South Korea, for example, recently raised its cyber threat warning level in response to an increase of threats related to its COVID-19 relief programs. 

Threat actors…


Night Terrors: Ransomware Campaigns Are Exploiting PrintNightmare


PrintNightmare is being actively exploited to distribute ransomware, ZDNet reports, and security researchers have found evidence of multiple threat actors taking advantage of the vulnerability.

Microsoft acknowledged PrintNightmare on July 1. It released an emergency update to address the flaw less than a week later, but that patch was imperfect, and the company didn’t have an official fix until it changed the default behavior of Point and Print driver installation on Aug. 10.

Many people are slow to update their systems, however, and security researchers at CrowdStrike and Cisco Talos Incident Response independently shared their discovery that hacking groups were exploiting the PrintNightmare vulnerability in the days following Microsoft’s latest patch.

CrowdStrike said on Aug. 11 that it “identified Magniber ransomware attempting to use a known PrintNightmare vulnerability to compromise victims” in July. It successfully blocked those attacks, but systems that don’t rely on its protections could still be targeted by the ransomware.

“CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors,” the company said, and the researchers at Cisco Talos proved that estimate was correct with their own announcement.

Cisco Talos said on Aug. 12 that a ransomware campaign operator known as Vice Society, which has targeted “public school districts and other educational institutions” as well as other “small or midsize victims,” was actively exploiting PrintNightmare as part of its latest attacks as well.

“The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks,” Cisco Talos said. “Multiple distinct threat actors are now taking advantage of PrintNightmare, and this adoption will likely continue to increase as long as it is effective.”


PrintNightmare is a compelling target in part because it affects every version of Windows. Defending against it also requires changing the operating system’s behavior by disabling the Print…
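The article notes that Microsoft's Aug. 10 change made Point and Print driver installation admin-only by default, and that defending against PrintNightmare means changing Windows' behavior. The following PowerShell audit is an added example, not code from the article or from Microsoft, CrowdStrike or Cisco Talos. It reads the Point and Print policy values Microsoft documents for this hardening (`RestrictDriverInstallationToAdministrators`, `NoWarningNoElevationOnInstall`, `UpdatePromptSettings`) and the state of the Print Spooler service; the function name, the `-Remediate` switch and the "expected" values are this example's assumptions about what a hardened host should look like.

```powershell
# Added example (not from the article): audit one Windows host for the
# PrintNightmare hardening the article describes, and optionally apply it.
# Registry path and value names follow Microsoft's Point and Print guidance;
# the thresholds and the function itself are assumptions made for this example.
function Test-PrintNightmareMitigation {
    [CmdletBinding()]
    param(
        # When set, stop/disable the spooler and re-assert the admin-only default.
        [switch]$Remediate
    )

    $papKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

    # Read a DWORD policy value; $null means the key or value is absent,
    # in which case the OS default (admin-only after the Aug. 10 update) applies.
    function Get-PolicyValue([string]$Key, [string]$Name) {
        try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $spooler   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $restrict  = Get-PolicyValue $papKey 'RestrictDriverInstallationToAdministrators'
    $noWarn    = Get-PolicyValue $papKey 'NoWarningNoElevationOnInstall'
    $updPrompt = Get-PolicyValue $papKey 'UpdatePromptSettings'

    $findings = @()
    if ($null -eq $spooler) {
        $findings += 'Print Spooler service not present'
    } elseif ($spooler.Status -eq 'Running') {
        $findings += 'Print Spooler is running; disable it on hosts that never print'
    }
    # An explicit 0 reopens driver installation to non-administrators.
    if ($restrict -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators=0 allows non-admin driver installs'
    }
    # 1 = no warning and no elevation prompt when installing a new connection.
    if ($noWarn -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall=1 suppresses the install prompt'
    }
    # 1 = warning only, 2 = no warning or elevation prompt when updating drivers.
    if ($updPrompt -in 1, 2) {
        $findings += "UpdatePromptSettings=$updPrompt weakens the driver-update prompt"
    }

    if ($Remediate -and $findings.Count -gt 0) {
        if ($spooler -and $spooler.Status -eq 'Running') {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
        if (-not (Test-Path $papKey)) { New-Item -Path $papKey -Force | Out-Null }
        # Re-assert the hardened values explicitly so a later GPO cannot silently relax them.
        New-ItemProperty -Path $papKey -Name 'RestrictDriverInstallationToAdministrators' `
            -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $papKey -Name 'NoWarningNoElevationOnInstall' `
            -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $papKey -Name 'UpdatePromptSettings' `
            -Value 0 -PropertyType DWord -Force | Out-Null
    }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        SpoolerStatus                 = if ($spooler) { $spooler.Status.ToString() } else { 'Absent' }
        SpoolerStartType              = if ($spooler) { $spooler.StartType.ToString() } else { 'Absent' }
        RestrictToAdmins              = $restrict
        NoWarningNoElevationOnInstall = $noWarn
        UpdatePromptSettings          = $updPrompt
        Findings                      = $findings
        Remediated                    = [bool]$Remediate
    }
}

# Usage (run from an elevated prompt): audit first, then remediate where findings exist.
Test-PrintNightmareMitigation | Format-List
# Test-PrintNightmareMitigation -Remediate | Format-List
```

Run the audit across a fleet (for example through `Invoke-Command`) before remediating: disabling the spooler is the blunt fix on servers that never print, but print servers need the registry hardening plus Microsoft's cumulative update rather than a stopped service. A value of `$null` for the three registry entries is acceptable on a fully patched host because the patched default is already admin-only; an explicit weakening value is what the check flags.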


The Cybersecurity 202: White House weighs new cybersecurity proposals after two major hacking campaigns


“We still believe that public-private partnership is foundational in cybersecurity and we want to ensure we’re taking every opportunity to include key private-sector participants early and directly in our remediation efforts,” a senior administration official said.

It’s a major step towards transparency for the Biden administration, which is stressing strengthening relations between the private and public sector in the fallout from the Russian SolarWinds hacking campaign that infiltrated at least nine government agencies and about 100 companies.

The more recent Microsoft hack has added urgency to fixing those relations. Microsoft announced earlier this month a group of hackers tied to China exploited a vulnerability in its Microsoft Exchange product. Other cybercriminals have since swooped in to take advantage of servers that have not yet been updated to fix the vulnerability. 

The situation escalated last week when Microsoft reported that hackers were targeting vulnerable servers with ransomware, malware that locks up computer systems and data until a payment is made. Vulnerable Microsoft users include hundreds of banks, health-care providers and government servers, researchers at the cybersecurity firm RiskIQ found. Pulling off a successful ransomware attack against any one of them could create major chaos.

A White House team is examining how to address concerns from the private sector over information-sharing with the government, the official said. Congress also is slated to roll out proposals regarding cybersecurity incident sharing in the coming weeks.

The White House is also readying a slew of proposals to strengthen cybersecurity.

The Biden administration is weighing a number of potential solutions, including a ratings system for software, the official said. The grading system would be similar to that used by local health departments for restaurants. The idea of a cybersecurity rating has been pushed by Congress’s bipartisan Cyberspace Solarium Commission as well as some industry groups.

The administration also is mulling a law such as the one introduced in Singapore requiring home devices to come with security labels. 

Executive orders addressing the two…
