Chinese Threat Group APT41 Linked To Android Malware Attacks


APT41 Used WyrmSpy and DragonEgg Surveillance Malware to Target Android Users

Security researchers say a Chinese state-sponsored espionage group is using WyrmSpy and DragonEgg surveillance malware to target Android mobile devices.

Researchers at cybersecurity company Lookout said APT41, also tracked as BARIUM, Earth Baku and Winnti, primarily relies on web application attacks and software vulnerabilities and uses WyrmSpy and DragonEgg to target organizations globally.

The company said APT41 recently switched tactics to develop malware specific to the Android operating system, relying on existing command-and-control infrastructure, IP addresses and domains to communicate with and issue commands to the two malware variants.

APT41 historically exploited specific web applications and software vulnerabilities to carry out surveillance on pre-defined target organizations. According to Mandiant, the group in May 2021 exploited a zero-day vulnerability in the USAHerds application and several vulnerable Internet-facing web applications to successfully compromise at least six U.S. state government networks.

Research by Recorded Future’s Insikt Group also revealed that the cyberespionage group, along with the Tonto Team, targeted four regional despatch centers responsible for operating India’s power grid shortly after India and China engaged in border clashes, which resulted in combat-related casualties for the first time in 45 years.

Android Malware Historically Not On APT41’s Playbook

According to Lookout, APT41 likely used social engineering to distribute WyrmSpy and DragonEgg surveillance malware to Android devices, often by disguising the former as a default Android system application and the latter as third-party Android keyboards and messaging applications such as Telegram.

It is unclear whether the two malware types were distributed via Google Play…

VPN vulnerability linked to ransomware attack in Singapore


A VPN vulnerability has been identified as the key behind a ransomware attack against the Law Society of Singapore.

The attack occurred on January 27, 2021 and endangered the personal data of over 16,000 members; the attackers exploited a bug in the VPN service that, if left unpatched, allowed them to obtain access credentials.

Threat actors linked to nation-states exploited zero-days the most in 2022


Threat groups with ties to nation-states were the driving force behind exploiting zero-day vulnerabilities last year, according to a new report by cybersecurity firm Mandiant.

Cyberespionage groups linked to China were responsible for over 50% of the exploits in 2022 that the firm said it could confidently track to 13 advanced persistent threat groups (APTs), followed by Russia and North Korea. Overall, groups with links to nation-states accounted for 80% of the zero-day exploits.

Groups with ties to China led the pack with seven known vulnerabilities exploited last year, with Russia and North Korea tied with two each. Four zero-days were tied to financially motivated actors, with 75% likely performed by ransomware groups.

The total number of 55 zero-day vulnerabilities exploited last year is down 26 from the record 81 Mandiant tracked in 2021, but that figure is still triple the 2020 total.

Mandiant considers a vulnerability to be a zero-day if it was exploited in the wild before a patch was made publicly available. The report examined zero-day events identified by Mandiant, combined with reporting from open sources.

Mandiant researchers highlighted three Chinese-linked APT campaigns exploiting the Follina vulnerability (CVE-2022-30190), as well as FortiOS vulnerabilities (CVE-2022-42475 and CVE-2022-41328) for their focus on enterprise networking and security devices.

Because of their ubiquity, zero-days in Microsoft, Google and Apple products were used the most to gain elevated privileges or achieve remote code execution (RCE). Microsoft vulnerabilities led the pack with 18, followed by Google (10 vulnerabilities) and Apple (9 vulnerabilities).

Operating systems (OS) were the most exploited products at 19; followed by browsers (11); security, IT and network management products (10); and mobile OS (6).

Devices running Windows were by far the most exploited OS with 15 vulnerabilities, followed by Apple’s macOS with four. Google’s Chrome browser was the most exploited with nine of the 11 browser vulnerabilities. 

GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks


The recent exploitation of a zero-day vulnerability in the GoAnywhere managed file transfer (MFT) software has been linked by a cybersecurity firm to a known cybercrime group that has likely attempted to exploit the flaw in a ransomware attack. 

On February 1, Fortra alerted GoAnywhere MFT users about a zero-day remote code injection exploit. The vendor immediately provided indicators of compromise (IoCs) and mitigations, but released a patch only a week later. 

Users, particularly those who are running an admin portal that is exposed to the internet, have been instructed to urgently install the patch. 

There appear to be more than 1,000 internet-exposed instances of GoAnywhere. However, according to the vendor, exploitation requires access to the application’s admin console, and at least some of the exposed instances are associated with the product’s web client interface, which is not impacted. 

No information was made available about the attacks exploiting the vulnerability, but managed endpoint detection and response firm Huntress reported this week that these attacks may have been conducted by a known cybercrime group. The company reached the conclusion after analyzing an attack detected in a customer environment on February 2.

Huntress has linked the attack to a malware family named Truebot, which was previously associated with a Russian-speaking threat actor named Silence. This group has also been linked to TA505, a threat group known for distributing the notorious Cl0p ransomware.

“Based on observed actions and previous reporting, we can conclude with moderate confidence that the activity Huntress observed was intended to deploy ransomware, with potentially additional opportunistic exploitation of GoAnywhere MFT taking place for the same purpose,” Huntress said in a blog post.

Cybersecurity firm Rapid7 has analyzed the vulnerability and assigned it the CVE identifier CVE-2023-0669. While the product does not belong to Rapid7, the company is a CVE Numbering Authority and it can assign CVEs to flaws found in the products of other vendors. 
