Tag Archive for: Caught

OODA Loop – North Korean Hackers Caught Using Malware With Microphone Wiretapping Capabilities



Russian APT Group Caught Hacking Roundcube Email Servers


A prolific APT group linked to the Russian government has been caught exploiting security flaws in the open-source Roundcube webmail software to spy on organizations in Ukraine, including government institutions and military entities involved in aircraft infrastructure.

According to an advisory [PDF] from threat intelligence firm Recorded Future, the Roundcube server infections are being used to run reconnaissance and exfiltration scripts, redirecting incoming emails and gathering session cookies, user information, and address books.

Recorded Future teamed up with Ukraine’s Computer Emergency Response Team (CERT-UA) to document the activity, which is being attributed to Russia’s GRU military spy unit.

“The campaign leveraged news about Russia’s war against Ukraine to encourage recipients to open emails with attachments, which immediately compromised vulnerable Roundcube servers without engaging with the attachment,” Recorded Future explained.

The company said the attachment contained JavaScript code that executed additional JavaScript payloads from the hacking team’s infrastructure. “The campaign displayed a high level of preparedness, quickly weaponizing news content into lures to exploit recipients. The spear-phishing emails contained news themes related to Ukraine, with subject lines and content mirroring legitimate media sources,” Recorded Future said.

The GRU-linked group, which has been operational since at least November 2021, has been blamed for previous use of zero-day flaws in Microsoft’s flagship Outlook software. According to public documentation, the group is focused on digital spying on entities in Ukraine and across Europe, primarily among government and military/defense organizations.

Recorded Future released IOCs and technical artifacts from the latest discovery to help defenders and recommended that organizations configure intrusion detection systems (IDS), intrusion prevention systems (IPS), or other network defense mechanisms to flag activity involving the listed malicious domains.


The company is also recommending that organizations implement measures to disable HTML and/or JavaScript within email…


Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise


Apr 08, 2023 | Ravie Lakshmanan | Cyber War / Cyber Threat


The Iranian nation-state group known as MuddyWater has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation.

That’s according to new findings from the Microsoft Threat Intelligence team, which discovered the threat actor targeting both on-premises and cloud infrastructures in partnership with another emerging activity cluster dubbed DEV-1084.

“While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation,” the tech giant revealed Friday.

MuddyWater is the name assigned to an Iran-based actor that the U.S. government has publicly connected to the country’s Ministry of Intelligence and Security (MOIS). It’s been known to be active since at least 2017.

It’s also tracked by the cybersecurity community under various names, including Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix.

Attacks mounted by the group have primarily singled out Middle Eastern nations, with intrusions observed over the past year leveraging the Log4Shell flaw to breach Israeli entities.

The latest findings from Microsoft reveal the threat actor probably worked together with DEV-1084 to pull off the attack, the latter of which conducted the destructive actions after MuddyWater successfully gained a foothold onto the target environment.

“Mercury likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage,” Microsoft said.

In the activity detected by Redmond, DEV-1084 subsequently abused highly privileged compromised credentials to perform encryption of on-premise devices and large-scale deletion of cloud resources, including server farms, virtual machines, storage accounts, and virtual networks.

Furthermore, the threat actors gained full access…


Free tax filing software caught spreading malware — have you been using it?


Watch out! Tax-filing platform eFile.com got caught red-handed spreading malware to unsuspecting users, according to cybersecurity investigators (h/t Bleeping Computer).

Adding insult to injury, eFile.com is touted as a free, IRS-approved tax-filing service provider, giving users a false sense of security. As it turns out, researchers discovered that eFile.com hosted a malicious JavaScript file on its website for weeks.
