May 11 2025

Google‘s AI-Powered Countermeasures Against Cyber Scams

Category: AI,Cyber Attack,Cyber crime,Cyber Espionage,Cyber Threatsdisc7 @ 10:50 am

Google recently announced a significant advancement in its fight against online scams, leveraging the power of artificial intelligence. This initiative involves deploying AI-driven countermeasures across its major platforms: Chrome, Search, and Android. The aim is to proactively identify and neutralize scam attempts before they reach users.

Key Features of Google‘s AI-Powered Defense:

  • Enhanced Scam Detection: The AI algorithms analyze various data points, including website content, email headers, and user behavior patterns, to identify potential scams with greater accuracy. This goes beyond simple keyword matching, delving into the nuances of deceptive tactics.
  • Proactive Warnings: Users are alerted to potentially harmful websites or emails before they interact with them. These warnings are context-aware, providing clear and concise explanations of why a particular site or message is flagged as suspicious.
  • Improved Phishing Protection: AI helps refine phishing detection by identifying subtle patterns and linguistic cues often used by scammers to trick users into revealing sensitive information.
  • Cross-Platform Integration: The AI-powered security measures are seamlessly integrated across Google‘s ecosystem, providing a unified defense against scams regardless of the platform being used.

Significance of this Development:

This initiative signifies a crucial step in the ongoing battle against cybercrime. AI-powered scams are becoming increasingly sophisticated, making traditional methods of detection less effective. Google‘s proactive approach using AI is a promising development that could significantly reduce the success rate of these attacks and protect users from financial and personal harm. The cross-platform integration ensures a holistic approach, maximizing the effectiveness of the countermeasures.

Looking Ahead:

While Google‘s initiative is a significant step forward, the fight against AI-powered scams is an ongoing arms race. Cybercriminals constantly adapt their techniques, requiring continuous innovation and improvement in security measures. The future likely involves further refinements of AI algorithms and potentially the integration of other advanced technologies to stay ahead of evolving threats.

This news highlights the evolving landscape of cybersecurity and the crucial role of AI in both perpetrating and preventing cyber threats.

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

DISC InfoSec’s earlier posts on the AI topic

NIST: AI/ML Security Still Falls Short

Trust Me – ISO 42001 AI Management System

AI Management System Certification According to the ISO/IEC 42001 Standard

 Adversarial AI Attacks, Mitigations, and Defense Strategies: A cybersecurity professional’s guide to AI attacks, threat modeling, and securing AI with MLSecOps

What You Are Not Told About ChatGPT: Key Insights into the Inner Workings of ChatGPT & How to Get the Most Out of It

Digital Ethics in the Age of AI – Navigating the ethical frontier today and beyond

Artificial intelligence – Ethical, social, and security impacts for the present and the future

“AI Regulation: Global Challenges and Opportunities”

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Cyber Scams


Mar 24 2025

State-Sponsored Hackers Exploit Link Files for Espionage

Category: Cyber Espionage,Hacking,Information Securitydisc7 @ 10:42 am

Critical Vulnerability in Microsoft Windows Exposed: State-Sponsored Hackers Exploit Link Files for Espionage

A critical vulnerability has been discovered in Microsoft Windows, actively exploited by state-sponsored hackers from North Korea, Russia, Iran, and China. These cyber attackers are leveraging a flaw in Windows’ handling of shortcut (LNK) files to conduct espionage operations.

The exploitation involves crafting malicious LNK files that, when opened, execute arbitrary code without the user’s knowledge. This method allows hackers to infiltrate systems, access sensitive information, and maintain persistent control over compromised networks.

Microsoft has acknowledged the vulnerability and is working on a security patch to address the issue. In the meantime, users and organizations are advised to exercise caution when handling LNK files, especially those received from untrusted sources.

To mitigate potential risks, it is recommended to disable the display of icons for shortcut files and enable the “Show file extensions” option to identify potentially malicious LNK files. Regularly updating antivirus software and conducting system scans can also help detect and prevent exploitation attempts.

This incident underscores the importance of maintaining robust cybersecurity practices and staying informed about emerging threats. Organizations should prioritize timely software updates and employee training to recognize and avoid potential security risks.

As cyber threats continue to evolve, collaboration between software vendors, security researchers, and users is crucial in identifying and addressing vulnerabilities promptly. Proactive measures and vigilance are essential to safeguard against sophisticated cyber espionage activities.

To mitigate this risk, users and organizations are advised to exercise caution with LNK files from untrusted sources, disable icon displays for shortcut files, enable the “Show file extensions” option to identify potentially malicious LNK files, and regularly update antivirus software.

This incident highlights the importance of robust cybersecurity practices and staying informed about emerging threats. Collaboration between software vendors, security researchers, and users is crucial to promptly identify and address vulnerabilities.

For further details, access the article here

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics 

Cyber Mercenaries: The State, Hackers, and Power

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: and Power, Cyber Mercenaries: The State, hackers, State-Sponsored Hackers, The Hacker and the State


Mar 13 2025

Covert Threat: China-Linked Espionage Group UNC3886 Exploits Juniper Routers

Category: Cyber Espionage,Cyber Threatsdisc7 @ 3:49 pm

In recent investigations, Mandiant, a leader in cybersecurity, identified a China-nexus espionage group known as UNC3886 targeting Juniper Networks’ routers. This group exploited vulnerabilities in Juniper’s Junos OS to deploy custom backdoors, aiming to establish persistent access within targeted networks.

UNC3886 is recognized for its sophisticated tactics, often focusing on network appliances that traditionally lack advanced detection mechanisms. By compromising these devices, the group can maintain long-term, covert access, making their malicious activities challenging to detect.

The attack methodology involved deploying malware that could survive device reboots and software upgrades, ensuring continuous access. This persistence is particularly concerning as it allows the threat actors to monitor and potentially manipulate network traffic over extended periods.

Mandiant’s analysis indicates that UNC3886’s operations are part of a broader strategy by China-nexus espionage actors to exploit network infrastructure devices. These devices often operate without the rigorous security monitoring applied to standard endpoints, providing an attractive target for sustained espionage activities.

The use of compromised routers and other network devices is not an isolated tactic. Other China-nexus groups have been observed employing similar strategies, utilizing compromised devices to create obfuscated relay networks, complicating attribution and detection efforts.

Organizations are advised to implement stringent security measures for all network appliances, including regular firmware updates, robust access controls, and continuous monitoring for unusual activities. Such proactive steps are essential to defend against these sophisticated threats targeting critical network infrastructure.

This incident underscores the evolving landscape of cyber espionage, highlighting the necessity for comprehensive security strategies that encompass all facets of network operations to mitigate risks associated with advanced persistent threats.

For a detailed breakdown of each control set, check out the full post

Industrial Espionage Explained


InfoSec services
 | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Espionage Group, Industrial Espionage, UNC3886


May 29 2024

Microsoft: ‘Moonstone Sleet’ APT Melds Espionage, Financial Goals

Category: APT,Cyber Espionage,TTP, Cyber-Espionagedisc7 @ 3:59 pm
https://www.darkreading.com/threat-intelligence/microsoft-moonlight-sleet-apt-melds-espionage-financial-goals

North Korea’s newest threat actor uses every trick in the nation-state APT playbook, and most of cybercrime’s tricks, too. It also developed a whole video game company to hide malware.

Researchers at Microsoft have identified a North Korean threat group carrying out espionage and financial cyberattacks concurrently, using a grab bag of different attack techniques against aerospace, education, and software organizations and developers.

In the beginning, Microsoft explained in a blog post, Moonstone Sleet heavily overlapped with the known DPRK advanced persistent threat (APT) Diamond Sleet. The former copped from the latter’s malware — like the Comebacker Trojan — as well as its infrastructure and preferred techniques — such as delivering Trojanized software via social media. Moonstone Sleet has since differentiated itself, though, moving to its own infrastructure and establishing for itself a unique, if rather erratic identity.

For one thing, where some of Kim Jong-Un’s threat groups focus on espionage and others focus on stealing money, Moonstone Sleet does both. Having its hands in every pie is reflected in its tactics, techniques, and procedures (TTPs), too, which in various cases have involved fake job offers, custom ransomware, and even a fully functional fake video game.

“Moonstone Sleet’s ability to blend traditional cybercriminal methodologies with those of nation-state actors is particularly alarming,” says Adam Gavish, co-founder and CEO at DoControl. “Their multifaceted strategies — ranging from setting up fake companies to deliver custom ransomware to using compromised tools for direct infiltration — showcase a versatility that complicates defensive measures.”

Moonstone Sleet’s Grab Bag of TTPs

To Gavish, “One tactic that stands out is their utilization of trusted platforms, like LinkedIn and Telegram, and developer freelancing websites to target victims. This exploits the inherent trust associated with these platforms, making it easier for them to trick victims into interacting with malicious content.”

To add to the realism, Moonstone Sleet uses the common North Korean strategy of engaging with victims from the perspective of a seemingly legitimate company.

From January to April of this year, for example, the group masqueraded as a software development company called “StarGlow Ventures.” With a sleek custom domain, made-up employees, and social media accounts to go along with it all, StarGlow Ventures targeted thousands of organizations in the software and education sectors. In phishing emails, the faux company complemented its victims and offered to collaborate on upcoming projects.

In other cases, the group used another fake company — C.C. Waterfall — to spread an especially creative ruse.

In emails from C.C. Waterfall since February, Moonstone Sleet has been reaching out to victims with a link to download a video game. “DeTankWar” — also called DeFiTankWar, DeTankZone, or TankWarsZone — is marketed as a community-driven, play-to-earn tank combat game. It has its own websites, and X accounts for fake personas used to promote it.

Remarkably, DeTankWar is a fully functional (if atavistic) video game. When users launch it, though, they also download malicious DLLs with a custom loader called “YouieLoad.” YouieLoad loads malicious payloads to memory, and creates services that probe victim machines and collect data, and allow its owners to perform extra hands-on command execution.

Whack-a-Mole Cyber Defense

Fake companies and fake video games are just some of Moonstone Sleet’s tricks. Its members also try to get hired for remote tech jobs with real companies. It spreads malicious npm packages on LinkedIn and freelancer websites. It has its own ransomware, FakePenny, which it uses in conjunction with a ransom note ripped from NotPetya to solicit millions of dollars worth of Bitcoin.

In the face of such varied TTPs and malicious tools, Gavish says, “The answer is fundamentally the same as for any other threat: Defenders must adopt a multi-layered security posture. This involves a combination of endpoint protection, network monitoring, and threat hunting to detect and respond to anomalous activities early.” Microsoft took a similarly broad stance in its blog, highlighting network and tamper protections, endpoint detection and response (EDR), and more steps organizations can take to layer their cyber defenses.

“Ultimately,” says Gavish, “the dynamic nature of threats like Moonstone Sleet requires a holistic and adaptive approach to cybersecurity — one that balances technical defenses with strategic intelligence and continuous vigilance.”

SOURCE: PJRROCKS VIA ALAMY STOCK PHOTO

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: APT, Cyber-Espionage, Moonstone Sleet


Feb 28 2024

Industrial Cyber Espionage France’s Top Threat Ahead of 2024 Paris Olympics

https://www.infosecurity-magazine.com/news/cyber-espionage-france-2024/

France’s National Cybersecurity Agency (ANSSI) observed a significant rise in cyber espionage campaigns targeting strategic organizations in 2023.

These operations are increasingly focused on individuals and non-governmental structures that create, host or transmit sensitive data, ANSSI observed in its 2023 Cyber Threat Landscape report, published on February 27, 2024.

Besides public administration, the primary targets of cyber espionage activity included organizations associated with the French government, such as technology and defense contractors, research institutes and think tanks.

Overall, cyber espionage remained the top cyber threat ANSSI’s teams dealt with in 2023.

ANSSI has also noted an increase in attacks against business and personal mobile phones aimed at targeted individuals.

There has also been an upsurge in attacks that have used methods publicly associated with the Russian government.

“These attacks are not limited to mainland French territory: in 2023, ANSSI dealt with the compromise of an IT network located in a French overseas territory using an attack modus operandi publicly associated with China,” reads the report.

30% Rise in Ransomware

Meanwhile, financially motivated attacks were also on the rise, with an observed 30% increase in ransomware attacks compared to 2022.

Monthly and yearly breakdown of ransomware attacks reported to ANSSI in 2022 (in blue) and in 2023 (in green). Source: ANSSI
Monthly and yearly breakdown of ransomware attacks reported to ANSSI in 2022 (in blue) and in 2023 (in green). Source: ANSSI

Small and medium enterprises (SMEs) and mid-sized businesses were the most targeted organizations, representing 34% of all cyber-attacks observed by ANSSI in 2023. Local administration came second, suffering 24% of all attacks in 2023.

In total in 2023, ANSSI recorded 3703 cyber events, 1112 of which were labeled as cyber incidents. In 2022, it recorded 3018 cyber events, including 832 cyber incidents.

The latest version of the LockBit ransomware, LockBit 3.0 (aka LockBit Black), was the most used malware in financially motivated cyber-attacks in 2023, taking over previous ransomware versions from the same threat group that dominated the ransomware landscape in 2022.

Top Ransomware versions detected by ANSSI in cyber-attacks targeting French organizations. Source: ANSSI
Top Ransomware versions detected by ANSSI in cyber-attacks targeting French organizations. Source: ANSSI

Read more: LockBit Takedown – What You Need to Know about Operation Cronos

Software Supply Chain Vulnerabilities Rule Supreme

Overall, 2023 has seen significant changes in the structure and methods of attackers. They are perfecting their techniques in order to avoid being detected, tracked, or even identified.

“Despite efforts to improve security in certain sectors, attackers continue to exploit the same technical weaknesses to gain access to networks. Exploiting ‘zero-day’ vulnerabilities remains a prime entry point for attackers, who all too often still take advantage of poor administration practices, delays in applying patches and the absence of encryption mechanisms,” reads the report, translated from French to English by Infosecurity.

The top five vulnerabilities exploited by threat actors to compromise French organizations’ IT systems in 2023 include flaws in VMWare, Cisco, Citrix, Atlassian and Progress Software products.

These include the Citrix Bleed and the MOVEit vulnerabilities.

Read more: MOVEit Exploitation Fallout Drives Record Ransomware Attacks

Pre-Positioning Activities on ANSSI’s Radar for 2024

Finally, in a tense geopolitical context, ANSSI noted new destabilization operations aimed mainly at promoting a political discourse, hindering access to online content or damaging an organization’s image.

“While distributed denial of service (DDoS) attacks by pro-Russian hacktivists, often with limited impact, were the most common, pre-positioning activities targeting several critical infrastructures in Europe, North America and Asia were also detected.

“These more discreet activities may nevertheless be aimed at larger-scale operations carried out by state actors waiting for the right moment to act,” the report explained.

Vincent Strubel, ANSSI’s director general, commented: “While financially motivated attacks and destabilization operations saw a clear upturn in 2023, it was once again the less noisy threat, which remains the most worrying, that of strategic and industrial espionage and pre-positioning for sabotage purposes, which mobilised the ANSSI teams the most.”

These geopolitically driven threats will particularly be on ANSSI’s radar in 2024, as Paris is prepares to host the 2024 Olympic and Paralympic Games.

Spy in your Pocket….

An Investigator’s Guide to Espionage, Ransomware, and Organized Cybercrime

Tags: 2024 Paris Olympics, Pegasus, Spy in Your Pocket


Feb 08 2024

China had “persistent” access to U.S. critical infrastructure

Category: Access Control,Cyber Espionagedisc7 @ 7:59 am
https://www.axios.com/2024/02/07/china-volt-typhoon-critical-cyberattacks

China-backed hackers have had access to some major U.S. critical infrastructure for “at least five years,” according to an intelligence advisory released Wednesday.

Why it matters: The hacking campaign laid out in the report marks a sharp escalation in China’s willingness to seize U.S. infrastructure — going beyond the typical effort to steal state secrets.

  • The advisory provides the fullest picture to-date of how a key China hacking group has gained and maintained access to some U.S. critical infrastructure.

Details: The U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Federal Bureau of Investigation released an advisory Wednesday to warn critical infrastructure operators about China’s ongoing hacking interests.

  • According to the advisory, China-backed hacking group Volt Typhoon has been exploiting vulnerabilities in routers, firewalls and VPNs to target water, transportation, energy and communications systems across the country.
  • The group has relied heavily on stolen administrator credentials to maintain access to the systems — and in some cases it has maintained access for “at least five years,” per the advisory.
  • Volt Typhoon has been seen controlling some victims’ surveillance camera systems, and its access could have allowed the group to disrupt critical energy and water controls.

Of note: Volt Typhoon uses so-called “living off the land” techniques that limit any trace of their activities on a network — making the actors more difficult to detect.

  • CNN first reported details from the advisory earlier today.

Between the lines: U.S. officials are increasingly worried China will launch destructive cyberattacks either during or in the lead up to a possible Chinese invasion of Taiwan.

  • Authorities in Canada, Australia and New Zealand contributed to today’s advisory, citing concerns that China is also targeting organizations in their countries.

Catch up quick: Intelligence officials have been ringing alarm bells about Volt Typhoon for nearly a year.

  • Last May, Microsoft and the U.S. government warned that Volt Typhoon had been positioning itself to launch attacks on infrastructure across the country, including water utilities and ports.
  • This month, officials said they had successfully thwarted Volt Typhoon’s access to these networks — but warned that the group had shown a willingness to keep looking for new ways in.

The big picture: U.S. critical infrastructure is riddled with security problems, including poor password management and a lack of procedures to install security updates.

  • Some critical infrastructure, including water systems, lack the funds to hire security personnel or upgrade equipment.
  • Government attempts to require basic cybersecurity audits have also hit legal hurdles.

Be smart: U.S. cyber defenders are urging infrastructure operators to apply available software updates to all internet-facing systems, implement multi-factor authentication and turn on activity logs to track for any suspicious user behavior.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Advanced Persistent Threats


Nov 14 2023

Cyber-espionage operation on embassies linked to Russia’s Cozy Bear hackers

Category: Cyber Espionagedisc7 @ 1:51 pm
BAKU, THE CAPITAL OF AZERBAIJAN. IMAGE: ULADZISLAU PETRUSHKEVICH VIA UNSPLASH

https://therecord.media/cyber-espionage-campaign-embassies-apt29-cozy-bear

Russian state-sponsored hackers have targeted embassies and international organizations in a recent cyber-espionage campaign, Ukrainian government cybersecurity researchers have found.

The attacks were attributed to the infamous hacker group labeled APT29, also known as Cozy Bear or Blue Bravo. Analysts previously have linked it to Russia’s Foreign Intelligence Service (SVR), which gathers political and economic information from other countries.

The campaign, analyzed by Ukraine’s National Cyber Security Coordination Center (NCSCC), occurred in September of this year. The group used similar tools and tactics in its previous campaigns, particularly during an operation against embassies in Kyiv in April.

The most recent operation had “the primary goal of infiltrating embassy entities,” the NCSCC said, including targets in Azerbaijan, Greece, Romania and Italy. Another victim was the major Greek internet provider Otenet, the NCSCC said.

Diplomatic accounts, especially those associated with the foreign affairs ministries in Azerbaijan and Italy, suffered the most, according to researchers. One possible reason is that Russian intelligence was attempting to gather information regarding Azerbaijan’s strategic activities, especially leading up to the Azerbaijani invasion of the Nagorno-Karabakh region.

In total, APT29’s campaign targeted over 200 email addresses, but it’s not clear how many attacks were successful.

Tactics and techniques

APT29 exploited a recently discovered vulnerability in the Windows file archiver tool WinRAR. Identified as CVE-2023-3883, the bug was utilized by state-controlled hackers connected to Russia and China in early 2023 before being patched. Unpatched versions of the tool remain vulnerable.

According to NCSCC, this vulnerability still “poses a significant threat” as it allows attackers to execute arbitrary code through the exploitation of a specially crafted ZIP archive.

In the recent campaign, Cozy Bear sent victims phishing emails containing a link to a PDF document and a malicious ZIP file that exploits the vulnerability, potentially granting attackers access to the compromised systems.

To convince their targets to open malicious files, the hackers created emails claiming to have information about the sale of diplomatic BMW cars. The same lure was used during the group’s attack on the embassies in Kyiv this spring.

In this campaign, the attackers introduced a novel technique for communicating with the malicious server, researchers said. In particular, they used a legitimate tool called Ngrok that allows users to expose their local servers to the internet.

Ngrok is commonly used during web development and testing to provide temporary public URLs for local web servers but cybercriminals deployed it to obfuscate their activities and communicate with compromised systems while evading detection.

By exploiting Ngrok’s capabilities in this way, threat actors can further complicate cybersecurity analysis and remain under the radar, making defense and attribution more challenging, NCSCC said.

Cozy Bear’s previous attacks

During the war in Ukraine, APT29 has carried out cyberattacks against the Ukrainian military and its political parties, as well as diplomatic agencies, think tanks and nonprofit organizations.

In April, for example, the group launched a spying campaign targeting foreign ministries and diplomatic entities in NATO countries, the European Union and, “to a lesser extent,” Africa.

The hackers’ tactics were similar to those used in the September campaign. In particular, they sent phishing emails impersonating the embassies of European countries to specific personnel, usually including a malicious link either in the body of the message or an attached PDF inviting the target diplomat to access the ambassador’s calendar.

APT29 has been blamed for several high-profile incidents prior to the war, including the SolarWinds supply chain attack in 2020 that affected thousands of organizations globally and led to a series of data breaches.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cozy Bear


Oct 16 2023

GUARDIANS OF THE HACKERS GALAXY: UNLOCK THE TOOL OF TODDYCAT’S GROUP

Category: Cyber Espionage,Security Toolsdisc7 @ 9:36 am

COMPREHENSIVE ANALYSIS: TODDYCAT’S ADVANCED TOOLSET AND STEALTHY CYBER ESPIONAGE TACTICS

ToddyCat, an Advanced Persistent Threat (APT) group, has garnered attention for its clandestine cyber-espionage operations, utilizing a sophisticated toolset designed for data theft and exfiltration. The group employs a myriad of techniques to move laterally within networks and conduct espionage operations with a high degree of secrecy and efficiency. This article, incorporating insights from the article and other sources, aims to provide a detailed overview of ToddyCat’s toolset and operational tactics.

STEALTH AND SOPHISTICATION: TODDYCAT’S MODUS OPERANDI

ToddyCat employs disposable malware, ensuring no clear code overlaps with known toolsets, thereby enhancing its ability to remain undetected. The malware is designed to steal and exfiltrate data, while the group employs various techniques to move laterally within networks and conduct espionage operations.

EXPLOITATION TECHNIQUES AND MALWARE UTILIZATION

  • Disposable Malware: Utilized to enhance stealth and evasion capabilities.
  • Data Exfiltration: Malware designed to access and extract sensitive information.
  • Lateral Movement: Techniques employed to expand reach and access within compromised environments.

TOOLSET SUMMARY

  1. Dropbox Exfiltrator: A tool designed to exfiltrate data, ensuring that stolen information can be securely and covertly transferred to the attackers.
  2. LoFiSe: A tool that may be utilized for lateral movement and further exploitation within compromised networks.
  3. Pcexter: A tool that may be used to send specific files or data to external servers, facilitating data exfiltration.
  4. Dropper: A tool that may be utilized to deploy additional payloads or malware within compromised environments.

DETAILED INSIGHTS INTO THE TOOLSET

1. LOADERS

  • Standard Loaders: ToddyCat utilizes 64-bit libraries, invoked by rundll32.exe or side-loaded with legitimate executable files, to load the Ninja Trojan during the infection phase. Three variants of these loaders have been observed, each differing in aspects like the library loaded by, where the malicious code resides, the loaded file, and the next stage.
  • Tailored Loader: A variant of the standard loader, this is customized for specific systems, employing a unique decryption scheme and storing encrypted files in a different location and filename (%CommonApplicationData%\Local\user.key).

2. NINJA TROJAN

The Ninja Trojan, a sophisticated malware written in C++, is a potent tool in ToddyCat’s arsenal. It provides functionalities like:

  • Managing running processes
  • File system management
  • Managing multiple reverse shell sessions
  • Injecting code into arbitrary processes
  • Loading additional modules during runtime
  • Proxy functionality to forward TCP packets between the C2 and a remote host

3. LOFISE

LoFiSe is a component designed to find and collect files of interest on targeted systems. It tracks changes in the file system, filtering files based on size, location, and extension, and collects suitable files for further action.

4. DROPBOX UPLOADER

This generic uploader, not exclusive to ToddyCat, is used to exfiltrate stolen documents to DropBox, accepting a DropBox user access token as an argument and uploading files with specific extensions.

5. PCEXTER

Pcexter is another uploader used to exfiltrate archive files to Microsoft OneDrive. It is distributed as a DLL file and executed using the DLL side-loading technique.

POTENTIAL IMPACT AND THREAT LANDSCAPE

The emergence of ToddyCat’s new toolset and its sophisticated TTPs presents a significant threat to organizations, with potential impacts including data breaches, unauthorized access to sensitive information, and network compromise.

MITIGATION AND DEFENSE STRATEGIES

  • Enhanced Monitoring: Implementing monitoring solutions to detect anomalous activities.
  • User Education: Ensuring users are educated about potential threats and cybersecurity best practices.
  • Regular Patching: Keeping all systems regularly patched and updated.
  • Threat Intelligence: Leveraging intelligence to stay abreast of the latest TTPs employed by threat actors.

ToddyCat’s advanced toolset and stealthy operations underscore the evolving and sophisticated nature of cyber threats. Organizations and cybersecurity practitioners must remain vigilant and adopt advanced cybersecurity practices to defend against the sophisticated tools and tactics employed by threat actors like ToddyCat.

Spy Secrets That Can Save Your Life: A Former CIA Officer Reveals Safety and Survival Techniques to Keep You and Your Family Protected

100 Deadly Skills: The SEAL Operative’s Guide to Eluding Pursuers, Evading Capture, and Surviving Any Dangerous Situation

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: ToddyCat’s Group


Jul 27 2023

HOW YOU’RE BEING TRACKED ONLINE AND MEASURES TO PREVENT IT

Category: Cyber Espionage,Information Privacydisc7 @ 8:14 am

There’s just about no one that can say they’ve never been online or used online services. We spend a significant part of our daily lives online, which can bring various risks. It’s simple for apps, websites, and hackers to track and use your online activity for their own purposes. However, we look into useful tools like rotating residential proxies and more to help prevent others from tracking you.

HOW OTHERS TRACK YOU ONLINE?

People are often surprised to find out how much they’re being tracked online. With devices like your smartphone, tablet, and desktop, various apps, websites, and hackers can track your online activities. These activities could expose sensitive information like your physical location, personal information, financial information, and more.

Others can track you using the following methods:

  • Your IP address
  • Cross-tracking between your devices
  • Cursor tracking software/Tattleware
  • Email exchanges
  • Frequently visited accounts on devices
  • Location software like map apps
  • Your search history

WHY ARE YOU TRACKED ONLINE?

The benign reason that others track you online is to learn your shopping habits and provide more targeted marketing. While this can feel invasive and result in spam emails, it’s ultimately not harmful. However, cybercriminals and hackers can also track you using the above methods and learn more confidential information, like your social security number, home address, and habits.

Ultimately, if hackers and scammers have this information, they can also more easily scam you. Phishing attempts, false advertisements, and more are all ways you can be conned out of your money when your habits and information are known.

MEASURES TO PREVENT FROM BEING TRACKED

Whether it’s to avoid targeted marketing and prevent your personal information from being vulnerable or to stay safe from hackers, there are various methods you can use to protect yourself online.

MULTIPLE BROWSERS

Using multiple browsers to create accounts and browse the internet is a simple way of making it difficult to track you. That’s because you split your activity over various browsers that don’t share information. It also limits your exposure to web tracking, keeps your various activities separate, and you can delete information easier.

MIXING USER AGENTS WITH EXTENSIONS

A user agent is the software that tells the website which browser you’re using, your rendering engine, and your operating systems. This information is shared to ensure the version of the website you see is optimized for your browser and device. You can change the user agent to confuse any trackers on these websites.

A user-agent switcher is a tool you can use to switch the type of user agent you have, making it look like you’re using a different browser and device. You also have access to various privacy extensions which work with this user-agent switcher to protect against tracking.

STAY PRIVATE IN PUBLIC

Don’t use public networks to browse the internet when you’re in public. While free Wi-Fi seems beneficial, these open networks can leave a gap in your device’s defenses for hackers to sneak through. Instead, stay on your private network, and ensure you don’t give strangers access to that network or your device.

ADJUST PRIVACY SETTINGS

It’s best to adjust your privacy settings on your devices and browsers to avoid online websites and hackers tracking you. Enable “Do Not Track” on your browsers and devices to keep the device from tracking you. While it won’t stop a determined hacker, it helps lessen the tracking cookies on your browsers. 

Also, ensure that mobile apps don’t have permission to track your location, as this is another avenue that reveals your activities to others. Only use apps that require your location when using a proxy that helps block malicious websites, connections, and more.

DON’T SAVE COOKIES

While we’re on the subject of cookies, another good step is not to accept website cookies. These cookies track your activity on the website, leaving a digital footprint behind. It can also reveal your habits, likes, IP addresses, and more.

USE ROTATING PROXIES

Using rotating residential proxies is an easy way to keep yourself from being tracked. Residential proxy servers contact the website on your behalf, so you’re never directly contacting it. The IP addresses it uses are from actual home devices, making you look like a natural person and enabling you to browse the web safely. 

Rotating residential servers use a new IP address each time you make a new connection. These rotating IP addresses make it extremely difficult to track you, as the proxy takes care of the cookies and leaves no digital footprint behind to exploit.

RATHER STAY SAFE THAN BEING TRACKED

While there are various ways to try and avoid being tracked, there’s no way to ensure it won’t happen as long as you use the internet. Rotating residential proxies is an excellent preventative and protective measure, but we advise you never to log into your Google, Apple, Facebook, or other essential accounts while browsing unprotected. You can never be truly certain how you’re being tracked, as such you should implement as many different measures as you can to protect your privacy.

How to Disappear: Erase Your Digital Footprint, Leave False Trails, And Vanish Without A Trace

InfoSec books | InfoSec tools | InfoSec services

Tags: How to Disappear, TRACKED ONLINE


Feb 23 2023

HOW CHINESE APT HACKERS STOLE LOCKHEED MARTIN F-35 FIGHTER PLANE TO DEVELOP ITS OWN J-20 STEALTH FIGHTER AIRCRAFT

Category: Cyber EspionageDISC @ 3:19 pm

According to a recent security report, Chinese government has decided to resort to hacking, cyberwarfare and corporate espionage tactics to boost its ambitious defense program, compromising the systems of firms like Lockheed Martin in order to access classified information useful for their own purposes.

Peter Suciu, a renowned researcher, says China is an actor that should be taken seriously, especially on military issues. This is not the first such report, as since 2019 the Pentagon had accused the Chinese military of resorting to what they defined as “cyber theft” and other methods to achieve great improvements in military terms.

It all went back to 2007, when the firm Lockheed Martin discovered that a Chinese hacking group had been stealing technical documents related to the F-35 program, while a similar theft occurred when cybercriminals working for Beijing managed to compromise a network of an Australian subcontractor to the F-35.

These reports lead experts to believe that the Chinese have acquired a wealth of crucial information and data for these programs, including the development of the Chinese J-20 fighter jet, also known as “Mighty Dragon.” Suciu himself claims that the creation of these aircraft would have been impossible without the information stolen from Lockheed Martin.

In connection with these reports, Business Insider published a report detailing the clear similarities in appearance and engineering between American aircraft and those created by the Chinese government. In addition, the report not only emphasizes the similarity of these aircraft, but also states that the sensor systems used by the Chinese government are virtually identical to the electro-optical guidance employed by Lockheed Martin in the Lightning II model, further evidence of espionage against the company.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

In 2007, Chinese Advanced Persistent Threat (APT) hackers targeted the computer networks of defense contractor Lockheed Martin, which was working on the development of the F-35 Lightning II fighter jet. The APT hackers gained access to the networks by using spear-phishing attacks to trick employees into downloading malware or providing their login credentials. Once inside the network, the hackers used various techniques to move laterally and gain access to sensitive data.

The hackers were able to steal large amounts of data related to the F-35 program, including design plans, testing results, and software source code. The stolen data allowed China to gain a significant advantage in its own stealth fighter program, the J-20.

The J-20 first flew in 2011, and it bears striking similarities to the F-35. Both aircraft are designed to be stealthy, with angular shapes and features that minimize their radar signature. The J-20 also features advanced avionics and sensor systems, which are similar to those used in the F-35.

The theft of the F-35 data was part of a larger campaign by Chinese APT hackers to steal sensitive information from Western companies and governments. The campaign, which has been ongoing for many years, is believed to be part of China’s broader efforts to modernize its military and develop advanced technologies.

The theft of the F-35 data was a significant blow to U.S. national security, as it gave China valuable insights into one of the most advanced fighter jets in the world. It also highlighted the need for stronger cybersecurity measures and better protection of sensitive data.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: cyber espionage


Jan 02 2023

Google Home Vulnerability: Eavesdropping on Conversations

Category: Cyber Espionage,Cyber surveillanceDISC @ 11:01 am

Matt Kunze, an ethical hacker, reported wiretapping bugs in Google Home Smart Speakers, for which he received a bug bounty worth $107,500.

Google Assistant is currently more popular among smart homeowners than Amazon Alexa and Apple Siri, given its superior intuitiveness and capability to conduct lengthy conversations. However, according to the latest research, a vulnerability in Google Home Smart speakers could allow attackers to control the smart device and eavesdrop on user conversations indoors

Findings Details

The vulnerability was identified by Matt Kunze, a security researcher using the moniker DownrightNifty Matt. The researchers revealed that if exploited, the vulnerability could allow the installation of backdoors and convert Google Home Smart speakers into wiretapping devices. Moreover, Google fixed the issue in April 2021 following responsible disclosure on 8 January 2021 and developing a Proof-of-Concept for the company.

Possible Dangers

The vulnerability could let an adversary present within the device’s wireless proximity install a backdoor account on the device and start sending remote commands, access the microphone feed, and initiate arbitrary HTTP requests. All of this could be possible if the attacker is within the user’s LAN range because making malicious requests exposes the Wi-Fi password of the device and provides the attacker direct access to all devices connected to the network.

What Caused the Issue?

Matt discovered that the problem was caused by the software architecture used in Google Home devices as it let an adversary add a rogue Google user account to their target’s smart home devices.

A threat actor would trick the individual into installing a malicious Android application to make the attack work. It will detect a Google Home automation device connected to the network and stealthily start issuing HTTP requests to link the threat actor’s account to the victim’s device.

In addition, the attacker could stage a Wi-Fi de-authentication attack to disconnect the Google Home device from the network and force the appliance to initiate a setup mode and create an open Wi-Fi network. Subsequently, the attacker can connect to this network and request additional details such as device name, certificate, and cloud_device_id. They could use the information and connect their account to the victim’s device.

According to Matt’s blog post, the attacker could perform a range of functions, such as turning the speaker’s volume down to zero and making calls to any phone number apart from spying on the victim via the microphone. The victim won’t suspect anything because just the device’s LED turns blue when the exploitation happens, and the user would think the firmware is being updated.

Matt successfully connected an unknown user account to a Google Home speaker. He created a backdoor account on the targeted device and obtained unprecedented privileges that let him send remote commands to the Home mini smart speaker, access its microphone feed, etc. Watch the demo shared by the researcher:

It is worth noting that there’s no evidence this security loophole was misused since its detection in 2021. Being an ethical hacker, the researcher notified Google about the issue, and it was patched. Matt received a bug bounty worth $107,500 for detecting this security flaw.

Wiretapping Bugs Discovered in Google Home Smart Speakers

Tags: Eavesdropping on Conversations


Nov 15 2022

Avast details Worok espionage group’s compromise chain

Category: Backdoor,Cyber EspionageDISC @ 12:10 pm

Cyber espionage group Worok abuses Dropbox API to exfiltrate data via using a backdoor hidden in apparently innocuous image files.

Researchers from cybersecurity firm Avast observed the recently discovered espionage group Worok abusing Dropbox API to exfiltrate data via using a backdoor hidden in apparently innocuous image files.

The experts started their investigation from the analysis published by ESET on attacks against organizations and local governments in Asia and Africa. Avast experts were able to capture several PNG files embedding a data-stealing payload. They pointed out that data collection from victims’ machines using DropBox repository, and attackers use DropBox API for communication with the final stage.

Avast experts shed the light on the compromise chain detailing how attackers initially deployed the first-stage malware., tracked as CLRLoader, which loads the next-state payload PNGLoader.

“PNGLoader is a loader that extracts bytes from PNGs files and reconstructs them into an executable code. PNGLoader is a .NET DLL file obfuscated utilizing .NET Reactor; the file description provides information that mimics legitimate software such as Jscript Profiler or Transfer Service Proxy.” reads the report published by Avast. “The deobfuscated PNGLoader code includes the entry point (Setfilter) invoked by CLRLoader.”

The malicious code is supposedly deployed by threat actors by exploiting Proxyshell vulnerabilities. Then attackers used publicly available exploit tools to deploy their custom malicious tools.

Worok compromise-chains-3

The experts found two variants of PNGLoad, both used to decode the malicious code hidden in the image and run a PowerShell script or a .NET C#-based payload.

The PowerShell script has continued to be elusive, although the cybersecurity company noted it was able to flag a few PNG files belonging to the second category that dispensed a steganographically embedded C# malware.

“At first glance, the PNG pictures look innocent, like a fluffy cloud,” Avast said.

Avast extends the compromise chain detailed by ESET with the discovery of a .NET C# payload that they tracked as DropBoxControl, which represents a third stage.

Worok

DropboxControl is an information-stealing backdoor that communicates abuses the DropBox service for C2 communication.

“Noteworthy, the C&C server is a DropBox account, and whole communications, such as commands, uploads, and downloads, are performed using regular files in specific folders. Therefore, the backdoor commands are represented as files with a defined extension. DropBoxControl periodically checks the DropBox folder and executes commands based on the request files.” continues the report. “The response for each command is also uploaded to the DropBox folder as the result file.”

The backdoor can run arbitrary executables, download and upload data, delete and rename files, capture file information, sniff network communications, and exfiltrate metadata.

According to Avast, DropboxControl was not developed by the author of CLRLoad and PNGLoad due to important differences into the source code and its quality.

“The key finding of this research is the interception of the PNG files, as predicted by ESET. The stenographically embedded C# payload (DropBoxControl) confirms Worok as the cyberespionage group. They steal data via the DropBox account registered on active Google emails.” concludes AVAST. “The prevalence of Worok’s tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America.”

Tags: Cyber espionage group Worok


Sep 14 2022

Cyber espionage campaign targets Asian countries since 2021

Category: Cyber Espionage,Information WarfareDISC @ 9:00 am

A cyber espionage group targets governments and state-owned organizations in multiple Asian countries since early 2021.

Threat actors are targeting government and state-owned organizations in multiple Asian countries as parts of a cyber espionage campaign that remained under the radar since early 2021.

“A distinct group of espionage attackers who were formerly associated with the ShadowPad remote access Trojan (RAT) has adopted a new, diverse toolset to mount an ongoing campaign against a range of government and state-owned organizations in a number of Asian countries.” reads an analysis published by Symantec Threat Hunter team, part of Broadcom Software. “The attacks, which have been underway since at least early 2021, appear to have intelligence gathering as their main goal.”

The attackers employed a broad range of legitimate tools to deliver malware in attacks aimed at government institutions related to finance, aerospace, and defense, as well as state-owned media, IT, and telecom firms.

The attackers used Dynamic-link library (DLL) side-loading to deliver the malicious code. The technique sees threat actors placing a malicious DLL in a directory where a legitimate DLL is expected to be found. Then the attacker runs a legitimate application that loads and executes the malicious payload.

The attackers target old and outdated versions of security solutions, graphics software, and web browsers that lack of mitigations for DLL side-loading attacks.

“Once a malicious DLL is loaded by the attackers, malicious code is executed, which in turn loads a .dat file. This file contains arbitrary shellcode that is used to execute a variety of payloads and associated commands in memory. In some cases, the arbitrary shellcode is encrypted.” continues the report.

The attackers also leverage these legitimate software packages to deploy additional tools (credential dumping tools, network scanning tools such as NBTScan, TCPing, FastReverseProxy, and FScan, and the Ladon penetration testing framework), which are used to perform lateral movement.

Once the attackers have established backdoor access they use Mimikatz and ProcDump to harvest credentials and obtain deeper access to the target network. In some instances, threat actors also dump credentials via the registry.

Experts also observed attackers using PsExec to run old versions of legitimate software to load off-the-shelf RATS.

The cyberspies also use a number of living-off-the-land tools such as Ntdsutil to mount snapshots of Active Directory servers in order to gain access to Active Directory databases and log files and the Dnscmd command line tool to enumerate network zone information. 

Experts also shared details about an attack against a government-owned organization in the education sector in Asia. The intrusion lasted from April to July 2022, during which the adversary accessed machines hosting databases and emails, before accessing the domain controller.

The attackers also use of an 11-year-old version of Bitdefender Crash Handler (“javac.exe”) to run a Mimikatz and the Golang penetration testing framework LadonGo.

The experts did not attribute the cyber espionage campaign to a specific threat actor, however, they noticed the use of the ShadowPad backdoor which is commonly used by China-linked APT groups.

“The use of legitimate applications to facilitate DLL side-loading appears to be a growing trend among espionage actors operating in the region. Although a well-known technique, it must be yielding some success for attackers given its current popularity. Organizations are encouraged to thoroughly audit software running on their networks and monitor for the presence of outliers, such as old, outdated software or packages that are not officially used by the organization.” concludes the report that includes Indicators of Compromise (IoCs).

Cyber Warfare in 2022: Attack Techniques and Espionage Tactics of Cyber Crime Groups and Nationstates

Tags: cyber espionage group


Jun 09 2022

China-linked threat actors have breached telcos and network service providers

Category: Cyber Espionage,Data BreachDISC @ 8:35 am

China-linked threat actors have breached telecommunications companies and network service providers to spy on the traffic and steal data.

US NSA, CISA, and the FBI published a joint cybersecurity advisory to warn that China-linked threat actors have breached telecommunications companies and network service providers.

The nation-state actors exploit publicly known vulnerabilities to compromise the target infrastructure. 

The attackers also targeted Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices to use them as additional access points to route command and control (C2) traffic and midpoints to carry out attacks on other entities.

Below is top network device CVEs exploited by PRC nation-state actors since 2020:

Chinese hackers employed open-source tools for reconnaissance and vulnerability scanning, according to the government experts, they have utilized open-source router specific software frameworks, RouterSploit and RouterScan [T1595.002], to identify vulnerable devices to target.

The RouterSploit Framework allows operators to scan for vulnerable embedded devices, while RouterScan allows for the scanning of IP addresses for vulnerabilities. Both tools could be used to target SOHO and other routers manufactured by major industry providers, including Cisco, Fortinet, and MikroTik.

“Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting. After identifying a critical Remote Authentication Dial-In User Service (RADIUS) server, the cyber actors gained credentials to access the underlying Structured Query Language (SQL) database [T1078] and utilized SQL commands to dump the credentials [T1555], which contained both cleartext and hashed passwords for user and administrative accounts.” reads the advisory published by the US agencies. “Having gained credentials from the RADIUS server, PRC state-sponsored cyber actors used those credentials with custom automated scripts to authenticate to a router via Secure Shell (SSH), execute router commands, and save the output [T1119].”

The agencies also provide a list of recommendations to mitigate and detect these attacks:

  • Keep systems and products updated and patched as soon as possible after patches are released [D3-SU] . Consider leveraging a centralized patch management system to automate and expedite the process.
  • Immediately remove or isolate suspected compromised devices from the network [D3-ITF] [D3-OTF].
  • Segment networks to limit or block lateral movement [D3-NI]. 
  • Disable unused or unnecessary network services, ports, protocols, and devices [D3-ACH] [D3-ITF] [D3-OTF]. 
  • Enforce multifactor authentication (MFA) for all users, without exception [D3-MFA]. 
  • Enforce MFA on all VPN connections [D3-MFA]. If MFA is unavailable, enforce password complexity requirements [D3-SPP]. 
  • Implement strict password requirements, enforcing password complexity, changing passwords at a defined frequency, and performing regular account reviews to ensure compliance [D3-SPP].
  • Perform regular data backup procedures and maintain up-to-date incident response and recovery procedures. 
  • Disable external management capabilities and set up an out-of-band management network [D3-NI].
  • Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network [D3-NI].
  • Enable robust logging of Internet-facing services and monitor the logs for signs of compromise [D3-NTA] [D3-PM].
  • Ensure that you have dedicated management systems [D3-PH] and accounts for system administrators. Protect these accounts with strict network policies [D3-UAP].
  • Enable robust logging and review of network infrastructure accesses, configuration changes, and critical infrastructure services performing authentication, authorization, and accounting functions [D3-PM]. 
  • Upon responding to a confirmed incident within any portion of a network, response teams should scrutinize network infrastructure accesses, evaluate potential lateral movement to network infrastructure and implement corrective actions commensurate with their findings.
dhs China-linked threat actors

Stealth War: How China Took Over While America’s Elite Slept


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: breached telcos, Stealth War


Apr 12 2022

NSO Group Spied on European Union—on French Orders?

Category: Cyber Espionage,Cyber Spy,SpywareDISC @ 10:46 am

An espionage attempt was made by an NSO Group customer to hack the phones of senior EU officials. Although there’s some suggestion that it might have been QuaDream—a similar Israeli spyware firm.

Commissioner for Justice Didier Reynders (pictured) seems to have been the main target, along with several of his staffers at the Directorate-General for Justice and Consumers. They were warned of the attack five months ago—by Apple.

But who ordered the hack? Might it have been the French government? In today’s SB Blogwatch, we’re shocked—SHOCKED—to discover un peu d’espionnage fratricide.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Shrimp can lobster.

What Did Didier Do?

What’s the craic? Raphael Satter and Christopher Bing claim this exclusive for Reuters—“Senior EU officials were targeted with Israeli spyware”:

“Remotely and invisibly take control of iPhones”
Among them was Didier Reynders, a senior Belgian statesman who has served as the European Justice Commissioner since 2019. 
 At least four other [Justice and Consumers] commission staffers were also targeted.


The commission became aware of the targeting following messages issued by Apple to thousands of iPhone owners in November telling them they were “targeted by state-sponsored attackers.” 
 The warnings triggered immediate concern at the commission. 
 A senior tech staffer sent a message to colleagues with background about Israeli hacking tools: 
 “Given the nature of your responsibilities, you are a potential target.”


Recipients of the warnings were targeted between February and September 2021 using ForcedEntry, an advanced piece of software that was used by Israeli cyber surveillance vendor NSO Group to help foreign spy agencies remotely and invisibly take control of iPhones. A smaller Israeli spyware vendor named QuaDream also sold a nearly identical tool.

So which was it? And why? Lucas Ropek shrugs—“Sophisticated Spyware Attack”:

“Comes at potentially the worst possible time”
It’s not totally clear why these officials were targeted or who used the malware against them. 
 NSO has denied that it had any involvement. 
 Reuters also reached out to QuaDream 
 but did not get any sort of comment or response.


The claims that EU officials were targeted with NSO Group software comes at potentially the worst possible time for the company as it continues to battle both legal and financial troubles, as well as multiple government investigations. 
 NSO is now appealing to the U.S. Supreme Court in a new effort to rid itself of a hefty lawsuit filed by 
 WhatsApp, [which] sued NSO in October of 2019 after the surveillance firm’s malware was allegedly discovered on some 1,400 users’ phones. 
 The company is also currently battling another lawsuit from Apple filed last November on similar grounds.

Government investigations? Malcolm Owen isn’t scared to say whodunnit—“EU officials’ iPhones were targets of NSO Group’s spyware”:

“Use of surveillance software”
The discovery of the misuse of NSO Group’s tools certainly doesn’t help the company’s profile following the Pegasus scandal, when it was found the tool was used by governments to spy on journalists, activists, and government opponents, instead of for fighting crime. The adoption of Pegasus and other tools by government agencies led to lawmakers in the U.S. asking Apple and the FBI about the latter’s acquisition of NSO Group tools.


Meanwhile, the European Parliament will be launching a committee on April 19 to investigate the use of surveillance software in European member states.

The European Union, huh? FOHEng thinks this should be a teachable moment:

Many of these same EU people think The App Store should be forced to open, increasing the vectors for 
 exploits to make it into devices. They’re as stupid as some US Senators, who aren’t allowed to sideload Apps on their devices over security concerns, yet want to force Apple to allow this. They are truly delusional.


Third party stores with Apps being vetted for security? An oxymoron if ever there was one. 
 You think iOS third party stores are going to somehow be secure and Apps checked?

Worthless politicians? zeiche seems to think so:

“No big deal until it happens to me.” This story has been unfolding slowly for years, yet these EU officials didn’t seem too bothered until Apple notified them about their phones being hacked. 
 Thanks for all the concern.

But what of Apple in all this? Heed the prognostications of Roderikus:

More fines for offering a platform that is basically compromised while being marketed as “safe.”

However, mikece is triggered by a certain word in the Reuter hed:

Throwing the adjective “Israeli” into the title is misleading as it suggest the state of Israel is somehow involved. 
 Blaming Israel for this is like blaming Japan for all of the Toyota Hiluxes converted into gun platforms around the world.

Yet we’ve still not dealt with the “who” question. For this, we turn to Justthefacts:

CitizenLab did some clever geographic fingerprinting, and have a list of which countries are doing this. 
 Out of these, the credible list is: France, Greece, Netherlands, Poland, UK, USA.

The target was the European Justice Minister from 2019 onwards. He doesn’t have military or external trade secrets. Neither the UK nor USA are impacted in any way by what goes on in his office. So it’s either France, Greece, Netherlands, Poland.

If you have a look at the heat-map produced by CitizenLab, it’s the French government snooping on the EU. What were you expecting?

Nor the “why”: What else do we know about the named victim? ffkom ffills us in: [You’re ffired—Ed.]

Didier Reynders is [one of] those politicians who have continuously undermined EU data protection laws by agreeing to sham contracts like “Safe Harbour” and “Privacy Shield,” 
 knowing those were contradicting EU law 
 and not worth the paper they were written on. He, personally, is also responsible for not enforcing 
 GDPR.


It serves Mr. Reynders right that his data is exposed, just as much as he has helped to expose EU citizen’s data.

Ultimate spyware' — How Pegasus is used for surveillance


Tags: European Union, NSO Group Spied


Mar 24 2022

China-linked GIMMICK implant now targets macOS

Category: APT,Cyber EspionageDISC @ 8:32 am

Gimmick is a newly discovered macOS implant developed by the China-linked APT Storm Cloud and used to target organizations across Asia.

In late 2021, Volexity researchers investigated an intrusion in an environment they were monitoring and discovered a MacBook Pro running macOS 11.6 (Big Sur) that was compromised with a previously unknown macOS malware tracked as GIMMICK. The researchers explained that they have discovered Windows versions of the same implant during the past investigations.

The experts attribute the intrusion to a China-linked APT group tracked as Storm Cloud, which is known to target organizations across Asia.

The macOS version of the implant is written primarily in Objective C, while the Windows ones are in both .NET and Delphi. The implant uses public cloud hosting services (such as Google Drive) for C2 to evade detection.

Volexity worked with Apple to implement protections for the GIMMICK implant, on March 17, 2022, Apple pushed new signatures to XProtect and MRT to remove the malware.

GIMMICK

GIMMICK should be launched directly by a user, rather than a daemon, then it installs itself as a launch agent by dropping a PLIST file with contents.

“On macOS, GIMMICK was found to support being launched as a daemon on the system or by a user. Should GIMMICK be launched directly by a user, rather than a daemon, it will install itself as a launch agent by dropping a PLIST file with contents, similar to that shown below, to /Users/<username>/Library/LaunchAgents.” reads the analysis published by Volexity. “The name of the binary, PLIST, and agent will vary per sample. In the case observed by Volexity, the implant was customized to imitate an application commonly launched by the targeted user.”

During the initialization, the implant analyzed by the experts decodes several pieces of data used by the implant for its operation using a rotating addition algorithm.

The implant also supports an uninstall function accessible by adding the argument “uninstall” on the command line. The command instructs the malicious code on removing itself and all associated files, and then kills the process.

“Storm Cloud is an advanced and versatile threat actor,  adapting its tool set to match different operating systems used by its targets.” concludes the analysis published by the experts. “The work involved in porting this malware and adapting its systems to a new operating system (macOS) is no light undertaking and suggests the threat actor behind it is well resourced, adept, and versatile.”

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

Tags: cyber espionage, GIMMICK implant, macos


Dec 20 2021

Pegasus: Google reveals how the sophisticated spyware hacked into iPhones without user’s knowledge

  • Pegasus spyware was allegedly used by governments to spy upon prominent journalists, politicians and activists.
  • A Google blog has revealed how the sophisticated software was used to attack iPhone users.
  • The software used a vulnerability in iMessages to hack into iPhones without the user’s knowledge.

The Pegasus spyware, developed by Israel’s NSO group, made headlines for being used by governments and regimes across the world including India to spy on journalists, activists, opposition leaders, ministers, lawyers and others. The spyware is accused of hacking into the phones of at least 180 journalists around the world, of which 40 are notable Indian personalities.

Now, a Google blog from the Project Zero team called the attacks technically sophisticated exploits and assessed the software to have capabilities rivalling spywares previously thought to be accessible to only a handful of nations.

The company has also faced multiple lawsuits including one in India where the Supreme Court (SC) set up a three-member panel headed by former SC judge RV Raveendran to probe whether the software was used by the government to spy on journalists and other dissidents.

Apart from India, Apple has also sued the Israeli firm after having patched its security exploit. The company was also banned in the United States after the details of the spyware were revealed. Let’s take a look at how this advanced snooping technology discretely worked on iPhones.

How Pegasus hacked iPhones

According to the Project Zero blog, a sample of the ForcedEntry exploit was worked upon by the team and Apple’s Security Engineering and Architecture (SEAR) group. Pegasus attacks on iPhones were possible due to the ForcedEntry exploit.

Best iPhone in 2021: Which model is right for you? | ZDNet

Pegasus is a spyware (Trojan/Script) that can be installed remotely on devices running on Apple ‘ s iOS & Google ‘ s Android operating systems. It is developed and marketed by the Israeli technology firm NSO Group. NSO Group sells Pegasus to ” vetted governments ” for ” lawful interception ” , which is understood to mean combating terrorism and organized crime, as the firm claims, but suspicions exist that it is availed for other purposes. Pegasus is a modular malware that can initiate total surveillance on the targeted device, as per a report by digital security company Kaspersky. It installs the necessary modules to read the user’s messages and mail, listen to calls, send back the browser history and more, which basically means taking control of nearly all aspects of your digital life. It can even listen in to encrypted audio and text files on your device that makes all the data on your device up for grabs.

Tags: A Privacy Killer, hacked iphone, NSO Group, Pegasus spyware


Sep 21 2021

Alaska’s Department of Health and Social Services Hack

Category: Cyber Espionage,Data Breach,Security BreachDISC @ 1:38 pm

Alaska Department of Health and Social Services

Alaskan health department still struggling to recover after ‘nation-state sponsored’ cyberattack

Tags: cyberespionage, Hacking, healthcare, leaks


Jul 20 2021

NSO Group Hacked

There’s a lot to read out there. Amnesty International has a report. Citizen Lab conducted an independent analysis. The Guardian has extensive coverage. More coverage.

Worldwide probe finds tech by Israel's NSO Group targeted media,  politicians | The Times of Israel

Most interesting is a list of over 50,000 phone numbers that were being spied on by NSO Group’s software. Why does NSO Group have that list? The obvious answer is that NSO Group provides spyware-as-a-service, and centralizes operations somehow. Nicholas Weaver postulates that “part of the reason that NSO keeps a master list of targeting
is they hand it off to Israeli intelligence.”

This isn’t the first time NSO Group has been in the news. Citizen Lab has been researching and reporting on its actions since 2016. It’s been linked to the Saudi murder of Jamal Khashoggi. It is extensively used by Mexico to spy on — among others — supporters of that country’s soda tax.

 here’s a tool that you can use to test if your iPhone or Android is infected with Pegasus. (Note: it’s not easy to use.)

7 Steps to Removing Spyware

7 Steps to Removing Spyware by Nick Laughter

Spyware and Adware

Spyware and Adware

Tags: Amnesty International, mobile spyware, NSO Group Hacked, rouge anti-spyware, Spyware, Spyware and Adware


Apr 24 2021

UK spy chief says warns West faces ‘moment of reckoning’ over tech

Category: Cyber Espionage,Cyber surveillanceDISC @ 11:10 pm

LONDON — Western countries risk losing control of technologies that are key to internet security and economic prosperity to nations like China and Russia if they don’t act to deal with the threat, one of the UK’s top spy chiefs warned Friday.

“Significant technology leadership is moving east” and causing a conflict of interests and values, Jeremy Fleming, director of government electronic surveillance agency GCHQ, said in a speech.

Singling out China as a particular threat, he said the country’s “size and technological weight means that it has the potential to control the global operating system.”

China is an early adopter of emerging technologies but it also has a “competing vision for the future of cyberspace,” and it’s playing an influential role in the debate around international rules and standards, he said.

He raised the possibility of countries with “illiberal values” like China building them into technical standards that the world ends up relying on, and using their state power to control and dominate technology markets, turning them into arenas of geopolitical competition.

Russian hacking and other nefarious online activity, meanwhile, poses the most acute threat to the UK but, like a smartphone app vulnerability, could be avoided.

China’s Foreign Ministry blasted the remarks, saying they were “totally groundless and unreasonable.”

“Western countries, such as the UK and US, are actually the true empires of hacking and tapping,” ministry spokesman Zhao Lijian said at a briefing in Beijing.

Left unchecked, foreign adversaries could threaten the design and freedom of the internet, Fleming said. He citied as examples the security for emerging technologies like “smart city” sensors used to manage services more efficiently or digital currencies, saying they could be hardwired for data collection or other intrusive capabilities that go against open and democratic societies.

Britain and other Western countries face “a moment of reckoning,” Fleming said.

“The rules are changing in ways not always controlled by government,” Fleming said in his speech at Imperial College London. “And without action it is increasingly clear that the key technologies on which we will rely for our future prosperity and security won’t be shaped and controlled by the West.”

Britain should not take its status as a cyber power for granted, and it should work on developing “sovereign technologies” such as high-speed quantum computing and cryptographic technology to protect sensitive information, Fleming said.

China’s focus on establishing information dominance as a key component of its military efforts.


Next Page »