Tag Archive for: Groups

Chinese Experts Uncover Details of Equation Group’s Bvp47 Covert Hacking Tool

/in


Bvp47 Covert Hacking Tool

Researchers from China’s Pangu Lab have disclosed details of a “top-tier” backdoor put to use by the Equation Group, an advanced persistent threat (APT) with alleged ties to the cyber-warfare intelligence-gathering unit of the U.S. National Security Agency (NSA).

Dubbed “Bvp47” owing to numerous references to the string “Bvp” and the numerical value “0x47” used in the encryption algorithm, the backdoor was extracted from Linux systems “during an in-depth forensic investigation of a host in a key domestic department” in 2013.

Pangu Lab codenamed the attacks involving the deployment of Bvp47 “Operation Telescreen,” with the implant featuring an “advanced covert channel behavior based on TCP SYN packets, code obfuscation, system hiding, and self-destruction design.”

The Shadow Broker leaks

Equation Group, dubbed the “crown creator of cyber espionage” by Russian security firm Kaspersky, is the name assigned to a sophisticated adversary that’s been active since at least 2001 and has used previously undisclosed zero-day exploits to “infect victims, retrieve data and hide activity in an outstandingly professional way,” some of which were later incorporated into Stuxnet.

Automatic GitHub Backups

The attacks have targeted a variety of sectors in no less than 42 countries, including governments, telecom, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, Islamic activists and scholars, media, transportation, financial institutions, and companies developing encryption technologies.

The group is believed to be linked to the NSA’s Tailored Access Operations (TAO) unit, while intrusion activities pertaining to a second collective dubbed Longhorn (aka The Lamberts) have been attributed to the U.S. Central Intelligence Agency (CIA).

Equation Group’s malware toolset became public knowledge in 2016 when a group calling itself the Shadow Brokers leaked the entire tranche of exploits used by the elite hacking team, with Kaspersky uncovering code-level similarities between the stolen files and that of samples identified as used by the threat actor.

Bvp47 as a covert backdoor

The incident analyzed by Pangu Lab comprises two internally compromised servers, an email and an enterprise server named V1…

Source…

Russia's using ransomware groups as a bargaining chip, cyber experts warn – KCBY.com 11

/in



Russia’s using ransomware groups as a bargaining chip, cyber experts warn  KCBY.com 11

Source…

How NSO Group’s iPhone-Hacking Exploit Works

/in


Image for article titled How NSO Group's iPhone-Hacking Exploit Works

Photo: Amir Levy (Getty Images)

For years, the Israeli spyware vendor NSO Group has sparked fear and fascination throughout the international community via its hacking tools—the likes of which have been sold to authoritarian governments throughout the world and used against journalists, activists, politicians, and anybody else unfortunate enough to be targeted. The company, which has often been embroiled in scandal, has frequently seemed to operate as if by digital incantation—with commercial exploit attacks that require no phishing and malware that is all-seeing and can reach into the most private digital spaces.

But some of NSO’s dark secrets were very publicly revealed last week, when researchers managed to technically deconstruct just how one of the company’s notorious “zero-click” attacks work. Indeed, researchers with Google’s Project Zero published a detailed break-down that shows how an NSO exploit, dubbed “FORCEDENTRY,” can swiftly and silently take over a phone.

The exploit, which was designed to target Apple iPhones, is thought to have led to the hacking of devices in multiple countries—including those of several U.S. State Department officials working in Uganda. Initial details about it were captured by Citizen Lab, a research unit at the University of Toronto that has frequently published research related to NSO’s activities. Citizen Lab researchers managed to get ahold of phones that had been subjected to the company’s “zero-click” attacks and, in September, published initial research about how they worked. Around the same time, Apple announced it was suing NSO and also published security updates to patch the problems associated with the exploit.

Citizen Lab ultimately shared its findings with Google’s researchers who, as of last week, finally published their analysis of the attacks. As you might expect, it’s pretty incredible—and frightening—stuff.

“Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states,” write…

Source…

U.S. Military Has Acted Against Ransomware Groups, General Acknowledges

/in


SIMI VALLEY, Calif. — The U.S. military has taken actions against ransomware groups as part of its surge against organizations launching attacks against American companies, the nation’s top cyberwarrior said on Saturday, the first public acknowledgment of offensive measures against such organizations.

Gen. Paul M. Nakasone, the head of U.S. Cyber Command and the director of the National Security Agency, said that nine months ago, the government saw ransomware attacks as the responsibility of law enforcement.

But the attacks on Colonial Pipeline and JBS beef plants demonstrated that the criminal organizations behind them have been “impacting our critical infrastructure,” General Nakasone said.

In response, the government is taking a more aggressive, better coordinated approach against this threat, abandoning its previous hands-off stance. Cyber Command, the N.S.A. and other agencies have poured resources into gathering intelligence on the ransomware groups and sharing that better understanding across the government and with international partners.

“The first thing we have to do is to understand the adversary and their insights better than we’ve ever understood them before,” General Nakasone said in an interview on the sidelines of the Reagan National Defense Forum, a gathering of national security officials.

General Nakasone would not describe the actions taken by his commands, nor what ransomware groups were targeted. But he said one of the goals was to “impose costs,” which is the term military officials use to describe punitive cyberoperations.

“Before, during and since, with a number of elements of our government, we have taken actions and we have imposed costs,” General Nakasone said. “That’s an important piece that we should always be mindful of.”

In September, Cyber Command diverted traffic around servers being used by the Russia-based REvil ransomware group, officials briefed on the operation have said. The operation came after government hackers from an allied country penetrated the servers, making it more difficult for the group to collect ransoms. After REvil detected the U.S. action, it shut down at least temporarily. That Cyber Command operation…

Source…