
macOS Backdoor RustDoor likely linked to Alphv/BlackCat ransomware operations


Pierluigi Paganini
February 10, 2024

Bitdefender Researchers linked a new macOS backdoor, named RustDoor, to the Black Basta and Alphv/BlackCat ransomware operations.

Researchers from Bitdefender discovered a new macOS backdoor, dubbed RustDoor, which appears to be linked to ransomware operations Black Basta and Alphv/BlackCat.

RustDoor is written in Rust language and supports multiple features. The malware impersonates a Visual Studio update and was designed to support Intel and Arm architectures.

The malware has been active since at least November 2023, but it was first spotted on February 2nd, 2024.

Researchers identified multiple RustDoor variants, and most of the samples share the same core functionalities with minor variations. The experts grouped these variants into Variant 1, 2 and Zero.

All the variants support commands that allow operators to gather and upload files, and gather information about the machine.

The first variant of the backdoor that was detected in November 2023 was likely a test version that did not support a persistence mechanism. The researchers noticed that the backdoor contained a plist file named ‘test’.

The second variant was spotted at the end of November; it contained a complex JSON configuration as well as an embedded AppleScript used for exfiltration.

“We identified multiple variants of the embedded Apple script, but all of them are meant for data exfiltration.” reads the report published by Bitdefender. “The script is used to exfiltrate documents with specific extensions and sizes from Documents and Desktop folders, as well as the notes of the user, stored in SQLITE format.”


The configuration files included a list of applications to impersonate; the backdoor uses this trick to spoof the dialog that prompts for the administrator password.

“Some configurations also include specific instructions about what data to collect, such as the maximum size and maximum number of files, as well as lists of targeted extensions and directories, or directories to exclude” Bitdefender continues.

The “Variant Zero,” first spotted on 02.11.2023, is less…


Chinese hacking operations have entered a far more dangerous phase, US warns


China’s cyber activity is moving beyond the last decade’s spying and data theft toward direct attacks on U.S. critical infrastructure, the directors of the FBI, NSA, and the Cybersecurity and Infrastructure Security Agency, or CISA, told lawmakers on Wednesday.

The Volt Typhoon hacking group is planting malware on network routers and other internet-connected devices that, if triggered, could disrupt water, power, and rail services, possibly causing widespread chaos or even injuring and killing Americans, they said. 

While Russia is known for cyber attacks that cause real-world harm—for example, targeting U.S. political campaigns and Ukrainian power plants—China is viewed as far more risk-averse. It’s best known for cyber theft, of intellectual property or government information, such as the Office of Personnel Management hack uncovered in 2015. But Volt Typhoon, which Microsoft revealed last May, represents something far more threatening. 

At a meeting with reporters last week, a senior NSA official put the issue in starker terms. 

“They’re in places that they are not there for intelligence purposes. They are not there for financial gain. Those are two hallmarks of Chinese intrusions in other sets and other lanes,” the official said. 

China is still undertaking those activities, “but this is unique in that it’s prepositioning on critical infrastructure, on military networks, to be able to deliver effects at the time and place of their choosing so that they can disrupt our ability to support military activities or to distract us, to get us to focus on, you know, a domestic incident at a time when something’s flaring up in a different part of the world and they don’t want us facing the foreign aspects of that,” the official said.

FBI Director Christopher Wray underscored the seriousness to lawmakers on the House Select Committee on the CCP on Wednesday. 

“There has been far too little public focus on the fact that PRC hackers are targeting our critical infrastructure, our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems, and the risk that poses to every American requires our attention. Now, China’s…


Critically Analyzing ‘Evolving Cyber Operations’ And Implications For Pakistan – OpEd – Eurasia Review


A recent report by the RAND Corporation titled “Evolving Cyber Operations” provides a comprehensive analysis of cyber operations and capabilities, particularly focusing on the lessons from the Ukraine conflict. It presents a critical look at the evolving nature of cyber warfare, the role of cyber proxies, and the shift from traditional cyber defense strategies to a resilience-focused approach.

The report emphasizes resilience over deterrence in cyber defense strategy. It argues that democracies cannot rely solely on deterring cyberattacks and must instead focus on minimizing disruption to critical data and services. The report also highlights the role of cyber proxies: the conflict in Ukraine showed that proxies, whether aligned with Russia or Ukraine, can influence conflicts beyond direct cyberattacks, particularly by shaping political narratives and international opinion.

Political and Social Resilience: Political and social resilience is identified as crucial in cyber defense. The Ukrainian experience shows the importance of maintaining political will and leveraging a diverse range of actors, including civil society and the private sector, in building a robust defense.

International Collaboration: This remains one of the most important factors. The report underscores the importance of international partnerships in cyber defense; sharing intelligence, technology, and tactics among allies can significantly enhance a nation’s cyber capabilities.

Evolving Use of Proxies: The use of proxies in cyber warfare has evolved, with groups like Killnet and the IT Army of Ukraine playing significant roles. These groups have blurred the lines between traditional state-aligned proxies and transnational political actors.

Implications for Pakistan’s National Security

Enhancing Cyber Resilience: Pakistan should prioritize building a resilient cyber infrastructure that can withstand and quickly recover from cyberattacks. This involves not just technological solutions but also a comprehensive strategy encompassing political, social, and economic dimensions.

Diverse Cyber Defense Strategy:…


Russian influence and cyber operations adapt for long haul and exploit war fatigue


Since July 2023, Russia-aligned influence actors have tricked celebrities into providing video messages that were then used in pro-Russian propaganda. These videos were manipulated to falsely paint Ukrainian President Volodymyr Zelensky as a drug addict. This is one of the insights in the latest biannual report on Russian digital threats from the Microsoft Threat Analysis Center: “Russian Threat Actors Dig In, Prepare to Seize on War Fatigue”.

As described in more detail in the report, this campaign aligns with the Russian government’s broader strategic efforts during the period from March to October 2023, across cyber and influence operations (IO), to stall Ukrainian military advances and diminish support for Kyiv.

Video messages from American celebrities are used in Russian propaganda

Unwitting American actors and others appear to have been asked, likely via video message platforms such as Cameo, to send a message to someone called “Vladimir”, pleading with him to seek help for substance abuse. The videos were then modified to include emojis, links and sometimes the logos of media outlets and circulated through social media channels to advance longstanding false Russian claims that the Ukrainian leader struggles with substance abuse. The Microsoft Threat Analysis Center has observed seven such videos since late July 2023, featuring personalities such as Priscilla Presley, musician Shavo Odadjian and actors Elijah Wood, Dean Norris, Kate Flannery, and John McGinley.

Figure: samples of the videos promoting pro-Russian propaganda aiming to malign Ukrainian President Volodymyr Zelensky, featuring different celebrities.

Prigozhin’s death has not slowed Russia’s influence operations

The August 2023 death of Russian businessman Yevgeny Prigozhin, who owned the Wagner Group and the infamous Internet Research Agency troll farm, led many to question the future of Russia’s influence and propaganda capabilities. However, since then, Microsoft has observed widespread influence operations by Russian actors that are not linked to Prigozhin, indicating that Russia has the capacity to continue prolific and sophisticated malign influence operations without him.

Russia’s…
