Tag Archive for: espionage

Iranian hackers exposed in a highly targeted espionage campaign


Threat analysts have spotted a novel attack attributed to the Iranian hacking group known as APT34 (also tracked as OilRig), which targeted a Jordanian diplomat with custom-crafted tools.

The attack involved advanced anti-detection and anti-analysis techniques and had some characteristics that indicate lengthy and careful preparation.

Security researchers at Fortinet have gathered evidence and artifacts from the attack in May 2022 and compiled a technical report to highlight APT34’s latest techniques and methods.

Targeting diplomats

The spear-phishing email seen by Fortinet targeted a Jordanian diplomat, pretending to be from a colleague in the government, with the email address spoofed accordingly.

The email carried a malicious Excel attachment that contained VBA macro code that executes to create three files, a malicious executable, a configuration file, and a signed and clean DLL.

The macro also creates persistence for the malicious executable (update.exe) by adding a scheduled task that repeats every four hours.

“Since Excel is a signed binary, maintaining persistence in this way may be missed by some behavioral detection engines,” comment Fortinet’s analysts.

Another unusual finding concerns two anti-analysis mechanisms implemented in the macro: one toggles sheet visibility in the spreadsheet, and the other checks for the presence of a mouse, which may be absent in malware analysis sandbox services.

The payload

The malicious executable is a .NET binary that checks program states and puts itself to sleep for eight hours after launching. The analysts believe the hackers probably set this delay on the assumption that the diplomat would open the email in the morning and leave after eight hours so that the computer would be unattended.

When active, the malware communicates with C2 subdomains using a domain generation algorithm (DGA) tool. DGA is a widely-used technique that makes malware operations more resilient to domain takedowns and block-listing.

[Figure: Domain generation algorithm system (Fortinet)]

It then sets up a DNS tunnel to communicate with the provided IP address. This is a rarely seen technique that helps threat actors encrypt the data exchanged in the context of…


A Beginner’s Guide to Cyber War, Cyber Terrorism and Cyber Espionage


Tune in to just about any cable talk show or Sunday morning news program and you are likely to hear the terms “cyber war,” “cyber terrorism,” and “cyber espionage” bandied about in tones of grave solemnity, depicting some obscure but imminent danger that threatens our nation, our corporate enterprises, or even our own personal liberties. Stroll through the halls of a vendor expo at a security conference, and you will hear the same terms in the same tones, only here they are used to frighten you into believing your information is unsafe without the numerous products or services available for purchase.

The industry lacks a rubric of clear and standardized definitions of what constitutes cyber war, cyber terrorism, cyber espionage and cyber vandalism. Because of this, it’s becoming increasingly difficult for those of us in the profession to cut through the noise and truly understand risk. For example, on one hand, we have politicians and pundits declaring that the US is at cyber war with North Korea, and on the other hand President Obama declared the unprecedented Sony hack was vandalism. Who’s right?

The issue is exacerbated by the fact that such terms are often used interchangeably and without much regard to their real-world equivalents.

The objective of this article is to find and provide a common language to help security managers wade through the politicking and marketing hype and get to what really matters.

The state of the world always has been and always will be one of constant conflict, and technological progress has extended this contention from the physical realm into the network of interconnected telecommunications equipment known as cyberspace. If one thinks of private-sector firms, government institutions, the military, criminals, terrorists, vandals, and spies as actors, cyberspace is their theater of operations. Each of these actors may have varying goals, but they are all interwoven, operating within the same medium. What separates these actors and accounts for the different definitions in the “cyber” terms are their ideologies, objectives, and methods.

The best way to forge an understanding of the…


North Korean Lazarus Hacking Group Leverages Supply Chain Attacks To Distribute Malware for Cyber Espionage


North Korean threat actor Lazarus group has resorted to supply chain attacks similar to SolarWinds and Kaseya to compromise the regime’s targets, according to cybersecurity firm Kaspersky.

Kaspersky’s Q3 2021 APT Trends report says that “Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload.”

The APT group compromised a South Korean think tank using two remote access trojan (RAT) variants, BLINDINGCAN and COPPERHEDGE. The DHS Cybersecurity & Infrastructure Security Agency (CISA) had issued security alerts AR20-232A and AR20-133A over these trojans.

According to the researchers, Lazarus’ recent activity is part of a broader international campaign leveraging supply chain attacks.

Identified by US-CERT and the FBI as HIDDEN COBRA, the group was suspected to be responsible for the WannaCry ransomware and the Sony Pictures Entertainment hack that escalated tensions between the US and North Korea.

Lazarus’ supply chain attacks target atypical victims

Experts believe that Lazarus is expanding its victim base beyond that of Asian government agencies and policy think tanks.

Kaspersky researchers discovered that the hacking group had targeted a Latvian tech firm developing asset monitoring solutions, an atypical victim for Lazarus.

During the attack, the North Korean APT deployed a compromised downloader “Racket” signed with a stolen digital certificate. The hacking group had stolen the digital certificate from a US-based South Korean security company.

According to Kaspersky, the APT compromised multiple servers and uploaded several malicious scripts in the process. The group used the malicious scripts to control the trojans installed on downstream victims.

“North Korea once again figures prominently in an attack, although it doesn’t appear to be the government this time, at least not directly,” said Saryu Nayyar, CEO at Gurucul.

“Government-sponsored attacks continue to be a major issue for other governments and enterprises. Both types of organizations need to be cognizant of the potential for high-powered attacks and respond appropriately. Early…


Developing countries sign Huawei deals despite US espionage warnings


US warnings of espionage by Huawei are failing to dissuade governments in Africa, Asia and Latin America from hiring the Chinese tech group for cloud infrastructure and e-government services, a study has found.

The report by the Washington-based think-tank CSIS seen by the Financial Times identified 70 deals in 41 countries between Huawei and governments or state-owned enterprises for these services from 2006 to April this year.

Cloud infrastructure usually refers to the installation of data centres, while e-government mainly involves automating administrative functions such as licensing, healthcare, legal records and other government processes.

“Huawei’s cloud infrastructure and e-government services are handling sensitive data on citizens’ health, taxes, and legal records,” according to the study.

“As Huawei carves out a niche as a provider to governments and state-owned enterprises, it is building a strategic position that could provide Chinese authorities with valuable intelligence and even coercive leverage,” added the study.

Most of the countries involved in such deals with Huawei were in sub-Saharan Africa, Asia and Latin America, and 77 per cent of them fell into the categories of “not free” or “partly free”, as rated by Freedom House, a US government-funded democracy watchdog group.

“With a surge in deals announced since 2018, including several announcements during 2020, it is clear that warnings against Huawei’s security risks are not persuading decision makers in developing countries,” the CSIS report, authored by Jonathan Hillman and Maesea McCalpin, said.

“As a cloud infrastructure and service provider, Huawei doesn’t own or control any customer data,” Huawei said in a statement.

“All customer data is owned and fully controlled by our customers.”

“Cyber security and user privacy protection remain Huawei’s top priorities,” the company added.

The US has repeatedly accused Huawei of spying for the Chinese government, sometimes by exploiting telecoms “back doors” in its equipment. Washington has also placed Huawei and many of its affiliates on an “entity list”, restricting the sale of critical technologies such…
