Tag Archive for: targeting

North Korea continues targeting security researchers. Holiday Bear gained access to DHS emails. Charming Kitten is phishing for medical professionals.


By the CyberWire staff

North Korea continues targeting security researchers.

Google’s Threat Analysis Group (TAG) has published an update on a North Korean cyberespionage campaign targeting security researchers. TAG warned in January that a threat actor was messaging researchers on various social media platforms asking to collaborate on vulnerability research. They also set up a watering hole site that posed as a phony research blog, using an Internet Explorer zero-day.

Now, Google says the actor is using a new website and social media profiles posing as a fake company called “SecuriElite.” TAG writes, “The attacker’s latest batch of social media profiles continue the trend of posing as fellow security researchers interested in exploitation and offensive security. On LinkedIn, we identified two accounts impersonating recruiters for antivirus and security companies. We have reported all identified social media profiles to the platforms to allow them to take appropriate action.” Google also believes the attackers are using more zero-days.

Holiday Bear gained access to DHS emails.

The Associated Press reports that the suspected Russian hackers behind the SolarWinds attack gained access to the emails of former acting Department of Homeland Security Secretary Chad Wolf and other DHS officials. So far it doesn’t appear that classified communications were compromised, but POLITICO says the number of emails stolen was in the thousands. A State Department spokesperson told POLITICO, “the Department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected. For security reasons, we are not in a position to discuss the nature or scope of any alleged cybersecurity incidents at this time.”

Charming Kitten is phishing for medical professionals.

Proofpoint reports that…

Source…

Google: North Korean hackers are targeting researchers through fake offensive security firm


A North Korean hacking group known to have targeted security researchers in the past has now upped its game through the creation of a fake offensive security firm. 

The threat actors, believed to be state-sponsored and backed by North Korea’s ruling party, were first documented by Google’s Threat Analysis Group (TAG) in January 2021. 

Google TAG, specialists in tracking advanced persistent threat (APT) groups, said at the time that the North Korean cyberattackers had established a web of fake profiles across social media, including Twitter, Keybase, and LinkedIn. 

“In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets,” Google said. “They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control.”

When members of the group reached out to their targets, they would ask if their intended victim wanted to collaborate on cybersecurity research — before sending them a malicious Visual Studio project containing a backdoor. Alternatively, they may ask researchers to visit a blog laden with malicious code including browser exploits. 

In an update posted on March 31, TAG’s Adam Weidemann said that the state-sponsored group has now changed tactics by creating a fake offensive security company, complete with new social media profiles and a branded website. 

The fake company, dubbed “SecuriElite,” was set up on March 17 as securielite[.]com. SecuriElite claims to be based in Turkey and offers penetration testing services, software security assessments, and exploits. 

A link to a PGP public key has been added to the website. While the inclusion of PGP is standard practice as an option for secure communication, the group has used these links in the past as a means to lure their targets into visiting a page where a browser-based exploit is waiting to deploy. 

In addition, the SecuriElite ‘team’ has been furnished with a fresh set of fake…

Source…

Facebook finds Chinese hacking operation targeting Uyghurs


Facebook says hackers in China used fake accounts and impostor websites in a bid to break into the phones of Uyghur Muslims.

The company said the sophisticated, covert operation targeted Uyghur activists, journalists and dissidents from China’s Xinjiang region, as well as individuals living in Turkey, Kazakhstan, the U.S., Syria, Australia, Canada and other nations.

The accounts and sites contained malicious links. If the target clicked on one, their computer or smartphone would be infected with software allowing the network to spy on the target’s device.

The software could obtain information including the victim’s location, keystrokes and contacts, according to FireEye, a cybersecurity firm that worked on the investigation.

In all, fewer than 500 people were targeted by the hackers in 2019 and 2020, Facebook said. The company said it uncovered the network during its routine security work, and has deactivated the fictitious accounts and notified individuals whose devices may have been compromised. Most of the hackers’ activities took place on non-Facebook sites and platforms.

“They tried to create these personas, build trust in the community, and use that as a way to trick people into clicking on these links to expose their devices,” said Nathaniel Gleicher, Facebook’s head of security policy.

Facebook’s investigation found links between the hackers and two technology firms based in China but no direct links to the Chinese government, which has been criticized for its harsh treatment of Uyghurs in Xinjiang. FireEye, however, said in a statement that “we believe this…

Source…

USU alerted of increased ransomware targeting


Utah State University received an alert Tuesday from the Federal Bureau of Investigation warning of an increase of ransomware targeting higher education institutions. 

The FBI alert stated that the PYSA ransomware, also known as Mespinoza, is malware capable of exfiltrating data and encrypting users’ files. The unidentified cyber attackers hold and encrypt the data for ransom payments.

Eric Hawley, USU’s chief information officer, said students and faculty need to be “internet skeptics.”

“Of course, the best defense is to avoid the exposure to the bug in the first place,” Hawley said. “We still wash hands, even if we have a great immune system. Don’t gain a false sense of confidence. Avoid the bad stuff, even if you have technological protections in place. Recognize and resist phishing and scam attempts.”

Hawley said USU has multiple measures in place to avoid malware. 

“USU now deploys a new form of anti-malware/anti-virus software on university computers that access sensitive information. It is next-generation anti-virus software that utilizes artificial intelligence to detect and block unusual activity, much like a well-functioning human immune system,” he said. 

Hawley said there are a few things students and faculty can do to prevent ransomware at USU: be cautious of email links, use multifactor authentication programs like Duo Mobile, never reuse passwords, keep software updated and back up data.

“USU is a community — it takes all of us,” Hawley said. “Great ‘cybersecurity hygiene’ practiced widely, individually, creates community safety. We each have a responsibility.”

According to the alert, those who have information or have been affected by the attacks should contact the FBI immediately. The FBI does not recommend paying the ransom. 

“Payment does not guarantee files will be recovered,” the alert reads. “It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware and/or fund illicit activities.”

The FBI was first made aware of the PYSA attacks in March 2020. 

In August, the University of…

Source…