Tag Archive for: military

Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom



A suspected Chinese-nexus hacking group exploited a recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances to breach organizations in the government, military, defense and aerospace, high-tech, and telecom sectors as part of a global espionage campaign.

Mandiant, which is tracking the activity under the name UNC4841, described the threat actor as “highly responsive to defensive efforts” and capable of actively tweaking their modus operandi to maintain persistent access to targets.

“UNC4841 deployed new and novel malware designed to maintain presence at a small subset of high priority targets that it compromised either before the patch was released, or shortly following Barracuda’s remediation guidance,” the Google-owned threat intelligence firm said in a new technical report published today.

Almost a third of the identified affected organizations are government agencies. Interestingly enough, some of the earliest compromises appear to have taken place on a small number of devices geolocated to mainland China.

The attacks entail the exploitation of CVE-2023-2868 to deploy malware and conduct post-exploitation activities. In select cases, the intrusions have led to the deployment of additional malware, such as SUBMARINE (aka DEPTHCHARGE), to maintain persistence in response to remediation endeavors.

Further analysis of the campaign has revealed a “distinct fall off in activity from approximately January 20 to January 22, 2023,” coinciding with the beginning of the Chinese New Year, followed by two surges, one after Barracuda’s public notification on May 23, 2023, and a second one in early June 2023.


The latter is said to have involved the attacker “attempting to maintain access to compromised environments via the deployment of the new malware families SKIPJACK, DEPTHCHARGE, and FOXTROT / FOXGLOVE.”

SKIPJACK is a passive implant: it registers a listener for specific incoming email headers and subjects, then decodes and executes their content. DEPTHCHARGE, by contrast, is pre-loaded into the Barracuda SMTP (BSMTP) daemon using the LD_PRELOAD environment variable and retrieves encrypted commands for execution.
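The LD_PRELOAD loading technique attributed to DEPTHCHARGE above can be hunted for on any Linux host by reading the kernel's per-process views. The following is an added example written for this page, not code from Mandiant, Barracuda, or the malware itself: it parses /proc/<pid>/environ and /proc/<pid>/maps, flags processes whose environment sets LD_PRELOAD to a library outside the standard library directories, and also flags any mapped shared object outside those directories (which catches a preload configured through /etc/ld.so.preload, where no environment variable is present). The daemon path, library path and trusted-directory list in the sample data are constructed assumptions for illustration, not indicators taken from the report.

```python
"""Audit Linux processes for LD_PRELOAD-style library injection.

Added example, not the vendor's or the threat-intelligence firm's code.
The SAMPLE_* data below is constructed; the process and library paths in
it are hypothetical.
"""
import os
import re

# Directories from which a preloaded library is not, by itself, suspicious.
# Assumption: a mainstream glibc layout; appliances may ship legitimate
# libraries elsewhere (e.g. /opt), so review hits rather than acting on them.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed sample of /proc/<pid>/environ (NUL-separated KEY=VALUE pairs).
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/libdc.so\0HOME=/root\0"

# Constructed sample of /proc/<pid>/maps for a hypothetical mail daemon.
SAMPLE_MAPS = """00400000-00452000 r-xp 00000000 08:01 1234 /usr/sbin/bsmtpd
7f0000000000-7f0000020000 r-xp 00000000 08:01 5678 /tmp/.cache/libdc.so
7f0000100000-7f00002b0000 r-xp 00000000 08:01 9012 /lib/x86_64-linux-gnu/libc.so.6
7f0000400000-7f0000401000 rw-p 00000000 00:00 0
7f0000500000-7f0000501000 r--p 00000000 00:00 0 [vvar]
"""


def parse_environ(raw: bytes) -> dict:
    """Decode the NUL-separated environment block into a dict."""
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def parse_maps(text: str) -> set:
    """Return the set of file-backed mappings (absolute paths) from a maps file.

    Anonymous mappings have no sixth field; pseudo-mappings such as [vvar]
    or [stack] do not start with '/', so both are skipped.
    """
    paths = set()
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.add(fields[5])
    return paths


def preload_findings(env: dict, mapped: set) -> list:
    """Return (reason, path) tuples for suspicious preloads in one process.

    Two heuristics: LD_PRELOAD pointing outside trusted directories, and any
    shared object mapped from outside them (covers /etc/ld.so.preload, which
    leaves no trace in the environment).
    """
    findings = []
    # The loader accepts colon- or space-separated entries in LD_PRELOAD.
    for lib in re.split(r"[:\s]+", env.get("LD_PRELOAD", "")):
        if lib and not lib.startswith(TRUSTED_LIB_DIRS):
            findings.append(("LD_PRELOAD", lib))
    for path in sorted(mapped):
        is_shared_object = path.endswith(".so") or ".so." in path
        if is_shared_object and not path.startswith(TRUSTED_LIB_DIRS):
            findings.append(("mapped", path))
    return findings


def audit_sample() -> list:
    """Run the heuristics over the constructed sample data."""
    return preload_findings(parse_environ(SAMPLE_ENVIRON), parse_maps(SAMPLE_MAPS))


def scan_proc(name_filter: str = None) -> dict:
    """Walk /proc on a live Linux host and return {pid: findings}.

    Reading another user's environ requires root; entries that cannot be
    read (or processes that exit mid-scan) are skipped. name_filter, if
    given, restricts the scan to processes whose comm contains it.
    """
    results = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            with open(f"{base}/comm") as fh:
                comm = fh.read().strip()
            if name_filter and name_filter not in comm:
                continue
            with open(f"{base}/environ", "rb") as fh:
                env = parse_environ(fh.read())
            with open(f"{base}/maps") as fh:
                mapped = parse_maps(fh.read())
        except OSError:
            continue
        hits = preload_findings(env, mapped)
        if hits:
            results[int(pid)] = hits
    return results


if __name__ == "__main__":
    for reason, path in audit_sample():
        print(f"sample: {reason} -> {path}")
    if os.path.isdir("/proc"):
        for pid, hits in scan_proc().items():
            for reason, path in hits:
                print(f"pid {pid}: {reason} -> {path}")
```

Run it as root on the host under review; on the sample data it reports the library twice, once from the environment variable and once from the memory map, which is the pattern to expect when a preload is still active in a running daemon. A mapped-object hit without a matching LD_PRELOAD hit points at /etc/ld.so.preload or at a legitimate vendor library, so compare the path against the appliance's known install layout before escalating.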


The earliest use of DEPTHCHARGE dates back to May…

Source…

Russian State-Backed ‘Infamous Chisel’ Android Malware Targets Ukrainian Military



Cybersecurity and intelligence agencies from Australia, Canada, New Zealand, the U.K., and the U.S. on Thursday disclosed details of a mobile malware strain targeting Android devices used by the Ukrainian military.

The malicious software, dubbed Infamous Chisel and attributed to a Russian state-sponsored actor called Sandworm, has capabilities to “enable unauthorized access to compromised devices, scan files, monitor traffic, and periodically steal sensitive information.”

Some aspects of the malware were uncovered by the Security Service of Ukraine (SBU) earlier in August, which highlighted unsuccessful attempts on the part of adversaries to penetrate Ukrainian military networks and gather valuable intelligence.

Sandworm, also known by the names FROZENBARENTS, Iron Viking, Seashell Blizzard, and Voodoo Bear, refers to the Russian Main Intelligence Directorate’s (GRU) Main Centre for Special Technologies (GTsST).

Active since at least 2014, the hacking crew is best known for its string of disruptive and destructive cyber campaigns using malware such as Industroyer, BlackEnergy, and NotPetya.

In July 2023, Google-owned Mandiant said that the malicious cyber operations of GRU adhere to a playbook that offers tactical and strategic benefits, enabling the threat actors to adapt swiftly to a “fast-paced and highly contested operating environment” and at the same time maximize the speed, scale, and intensity without getting detected.


Infamous Chisel is described as a collection of multiple components that’s designed with the intent to enable remote access and exfiltrate information from Android phones.

Besides scanning the devices for information and files matching a predefined set of file extensions, the malware also contains functionality to periodically scan the local network and offer SSH access.

“Infamous Chisel also provides remote access by configuring and executing TOR with a hidden service which forwards to a modified Dropbear binary providing a SSH connection,” the Five Eyes (FVEY) intelligence alliance said.

A brief description of each of the modules is as follows –

  • netd – Collate and exfiltrate information from the compromised device at set intervals, including from app-specific…

Source…

Inside Russia’s attempts to hack Ukrainian military operations : NPR


In this photo illustration, the 502 Bad Gateway message is seen on Ministry of Defence of Ukraine official webpage displayed on a smartphone screen and flag of Ukraine in the background.

SOPA Images/LightRocket via Getty Images

KYIV, Ukraine — Ukrainian intelligence officials have revealed details to NPR about an attempt by Russian state hackers to penetrate Ukrainian military planning operations systems.

The hackers from Russian military intelligence captured Android tablet devices used by Ukrainian officers on the front lines in an attempt to spy, according to a report published by the Security Service of Ukraine’s Cyber Security Situation Center.

“We saw that there were attempts to penetrate these systems,” said Illia Vitiuk, the head of the Cybersecurity Department of Ukraine’s Security Services, also known as the SBU. Vitiuk spoke to NPR in an exclusive interview in Kyiv on Wednesday.

“Our enemy is extremely focused on getting insight into these systems,” he continued.

The Ukrainian military uses multiple tools for situational awareness to track Russian troop positions and gather other intelligence from the land, air and sea. Those include Delta, a military platform developed by the Defense Technology Innovation and Development Center within Ukraine's Ministry of Defense, and Kropyva, defense mapping software made by the Ukrainian NGO Army SOS. Developers working on these systems in Kyiv are becoming increasingly aware of Russia's focus on them, and are declining to openly discuss the platforms and how they work to…

Source…

China-Backed Hackers Threaten Texas Military Sites, Utilities


(TNS) — A Chinese government-backed hacker group’s apparent plan to upend utilities and communication systems that power U.S. military bases poses a major threat to Joint Base San Antonio — and potentially to the region’s water and electricity customers.

U.S. officials say the group, called Volt Typhoon, has inserted malware — computer code intended to damage or disrupt networks or to covertly collect information — deep in the systems of numerous water and electric utilities that serve military installations in the United States and abroad.

The aim could be to delay a U.S. military response if China’s People’s Liberation Army invades Taiwan. President Joe Biden has said the U.S. military would intervene if China invaded the island nation.


“I would be most concerned about U.S. assets in the Pacific Rim — in South Korea and Japan,” said John Dickson, a San Antonio-based cybersecurity consultant and former Air Force intelligence officer. “But we are Military City, USA, and a sophisticated reader doesn’t have to do too much to connect the dots.”

San Antonio is flush with military personnel and missions. It’s home to Fort Sam Houston, the largest military medical training installation in the U.S., as well as to JBSA-Randolph and JBSA-Lackland Air Force bases.

Lackland trains the service’s incoming airmen and conducts cyber warfare and intelligence-gathering operations at its Security Hill facility.

The National Security Agency’s Texas Cryptologic Center occupies a sprawling campus on San Antonio’s West Side. The center conducts worldwide signals intelligence and cybersecurity operations. Signals intelligence involves collecting, decoding and interpreting electronic communications.

It’s unclear if the networks of the San Antonio Water System or CPS Energy, both owned by the city of San Antonio, are infected with Volt Typhoon’s malware.

CPS, the largest municipally owned utility in the U.S., has 930,000 electric and 381,000 gas customers. SAWS serves 511,000 water and 456,000 wastewater customers. The two utilities’ service areas encompass Bexar County and small swaths of neighboring counties.

“We will continue to…

Source…