Tag Archive for: linked

Fidelity National Financial discloses cyberattack previously linked to ransomware gang

/in


Insurance and settlement service giant Fidelity National Financial Inc. has officially disclosed that they suffered from a “cybersecurity incident” that the infamous ransomware gang ALHPV/BlackCat claimed responsibility for in November.

The disclosure came via a Jan. 9 filing with the U.S. Securities and Exchange Commission, which states that Fidelity National became aware of a cybersecurity incident on Nov. 19 that impacted certain systems. The company then ticked off the standard response list: hiring third-party experts, notifying law enforcement and regulatory authorities and taking measures to block access to affected systems.

The incident is described as causing “varying levels of disruption” before being contained on Nov. 26 and systems restored. An investigation completed on Dec. 19 subsequently found that an unauthorized third party had accessed certain systems, deployed malware and exfiltrated certain data.

Fidelity National added that it has no evidence that any customer-owned system was directly impacted in the incident and no customer has reported that this has occurred. The last confirmed date of unauthorized third-party activity in the company’s network occurred Nov. 20.

Affected customers have been notified and offered credit monitoring, web monitoring and identity theft restoration services. Fidelity is also continuing to coordinate with law enforcement, its customers, regulators, advisers and other stakeholders.

What’s missing from the disclosure is any mention of ransomware. Companies describing attacks at cybersecurity incidents aren’t new, but usually, the notices don’t follow widespread media coverage of them being targeted by a ransomware gang. That ALPHV/BlackCat is behind the attack is also highly believable, as the ransomware gang was one of the most prolific through 2023.

Cybersecurity experts agree with Craig Jones, vice president of security operations at SecOps security company Ontinue Inc., telling SiliconANGLE that per the SEC filing, the attack involved data exfiltration,

“Fidelity National Financial appears to have experienced a ransomware attack attributed to the ALPHV/BlackCat ransomware group,” Jones said….

Source…

Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea

/in


Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea

Pierluigi Paganini
January 06, 2024

Researchers discovered a macOS backdoor, called SpectralBlur, which shows similarities with a North Korean APT’s malware family.

Security researcher Greg Lesnewich discovered a backdoor, called SpectralBlur, that targets Apple macOS. The backdoor shows similarities with the malware family KANDYKORN (aka SockRacket), which was attributed to the North Korea-linked Lazarus sub-group known as BlueNoroff (aka TA444).

KandyKorn is an advanced implant with a variety of capabilities to monitor, interact with, and avoid detection. It utilizes reflective loading, a direct-memory form of execution that may bypass detections,” notes Elastic Security, which identified and analyzed the threat.” reads the report published by Elastic.

SpectralBlur is not a sophisticated malware, it supports ordinary backdoor capabilities, including uploading/downloading files, running a shell, updating its configuration, deleting files, hibernating or sleeping, based on commands issued from the C2.

“TA444 keeps running fast and furious with these new MacOS malware families. Looking for similar strings lead us to link SpectralBlur and KandyKorn (which were further linked to TA444 after more samples turned up, and eventually, a phishing campaign hit our visibility that pulled down KandyKorn).” concludes Lesnewich. “So knowing your Macho stuff will help track emerging DPRK capability if that is your interest!”

The latest discovery confirms the great interest of North Korea-linked threat actors in developing macOS malware to employ in targeted attacks.

In November 2023, researchers from Jamf Threat Labs discovered a new macOS malware strain dubbed ObjCShellz and attributed it to North Korea-linked APT BlueNoroff.

The experts noticed that the ObjCShellz malware shares similarities with the RustBucket malware campaign associated with the BlueNoroff APT group.

In July 2023, researchers from the Elastic Security Labs spotted a new variant of the RustBucket Apple macOS malware. In April, the security firm Jamf observed the North Korea-linked BlueNoroff APT group using a…

Source…

Sophisticated KV-botnet linked to Volt Typhoon – SC Media

/in



Sophisticated KV-botnet linked to Volt Typhoon  SC Media

Source…

China-linked APT Volt Typhoon linked to KV-Botnet

/in


China-linked APT Volt Typhoon linked to KV-Botnet

Pierluigi Paganini
December 14, 2023

Researchers linked a sophisticated botnet, tracked as KV-Botnet, to the operation of the China-linked threat actor Volt Typhoon.

The Black Lotus Labs team at Lumen Technologies linked a small office/home office (SOHO) router botnet, tracked as KV-Botnet to the operations of China-linked threat actor Volt Typhoon. The botnet is comprised of two complementary activity clusters, the experts believe it has been active since at least February 2022. The threat actors target devices at the edge of networks.

The KV-Botnet is composed of end-of-life products used by SOHO devices. In early July and August of 2022, the researchers noticed several Cisco RV320sDrayTek Vigor routers, and NETGEAR ProSAFEs that were part of the botnet. Later, in November 2022, most of the devices composing the botnet were ProSAFE devices, and a smaller number of DrayTek routers. In November 2023, the experts noticed that the botnet started targeting Axis IP cameras, such as the M1045-LW, M1065-LW, and p1367-E.  

KV-Botnet botnet
The KV-botnet logical network map, December 2023

In May, Microsoft reported that the Volt Typhoon APT infiltrated critical infrastructure organizations in the U.S. and Guam without being detected. The group managed to maintain access without being detected for as long as possible.

According to Microsoft, the campaign aimed at building capabilities that could disrupt critical communications infrastructure between the United States and Asia region in the case of future crises.

The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

The APT group is using almost exclusively living-off-the-land techniques and hands-on-keyboard activity to evade detection.

Microsoft first noticed that to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including…

Source…