So says Check Point, piecing together Telegram-busting malware clues
Infosec outfit Check Point says it has uncovered a six-year Iranian cyber-spying campaign directed at expats and dissidents worldwide.…
Financially motivated threat activity continues to pose a high-frequency and high-impact threat to healthcare organisations globally, as cybercriminals seek to monetise personally identifiable information and protected health information and to gain access to biomedical devices. Luke McNamara, principal analyst at FireEye’s Strategic Analysis team, said that the healthcare sector is among the industries most consistently retargeted by threat groups, and that a large amount of healthcare-associated data is for sale online for as little as $300 and up to $2,000. On February 21, 2019, the actor NetFlow put 4.31GB of data associated with a US-based healthcare institution up for sale for $2,000; it contains patient data, including driver’s licenses, health insurance details and ZIP codes. In comparison to cyber-crime activity, McNamara said that cyber-espionage campaigns pose a lower-frequency but still noteworthy risk to healthcare organisations, particularly those in some subsets of the industry. Actors observed targeting the healthcare sector include China-nexus APT10 (Menupass) and APT41; Russia-nexus APT28 (Tsar) and APT29 (Monkey); and Vietnam-nexus APT32 (OceanLotus).
Facebook used in Iranian cyber-spying operation, US indictment says
A former US Air Force intelligence officer allegedly worked with Iranian hackers who used Facebook and e-mail to try to trick her former colleagues into downloading malware that would track their computer activity. Monica Witt was charged with espionage after she provided national defense information to the Iranian government, the US Department of Justice said Wednesday. Witt, a US citizen, defected to Iran in 2013 and is still at large. An indictment made public on Wednesday detailed how Witt and Iranian hackers used fake Facebook accounts to target US counterintelligence officials after she re-entered Iran. The world's largest social network has been under pressure to do more to combat misinformation and continues to pull down fake accounts this year, including 783 pages, groups and accounts tied to Iran. From December 2014 to May 2015, at least four Iranian nationals created fake Facebook accounts to target Witt's former co-workers, the US alleges.
(Reuters) — China has been violating an agreement with the United States aimed at stopping cyber espionage through the hacking of government and corporate data, a senior U.S. intelligence official said on Thursday. When asked if China was violating the 2015 agreement between then President Barack Obama and Chinese President Xi Jinping, National Security Agency official Rob Joyce said: “We think they are.” But he added that the quantity and number of attacks had dropped “dramatically” since the agreement. “While it’s not black and white, (China) met the agreement or they didn’t meet the agreement, it’s clear that they are well beyond the bounds today of the agreement that was forged between our countries,” Joyce said. Speaking in Beijing on Friday, Chinese Foreign Ministry spokeswoman Hua Chunying rejected the U.S. allegations. “The U.S. accusations lack factual basis.
Researchers have claimed the infamous APT28 Kremlin-linked hacking group was behind a new cyber-espionage campaign they believe was targeted at the Italian military. Security researchers from the Z-Lab at CSE Cybsec spent the weekend unpicking a new malware-based cyber-espionage campaign allegedly conducted by APT28 (AKA Fancy Bear). The multi-stage campaign features an initial dropper malware, written in Delphi, and a new version of the X-Agent backdoor, a strain of malicious code previously linked to APT28. One malicious library (DLL) file associated with the campaign phones home to a command-and-control server with the name “”. This is a reference to the Italian military corps, Marina Militare, according to the researchers. "The dll that connect[s] to '' might be the last stage-malware that is triggered only when particular conditions occur, for example when the malware infects a system with an IP address belonging to specific ranges," claimed the researchers.
The US Justice Department has charged three Chinese citizens with hacking at least three US firms – Siemens, Moody's Analytics and Trimble – between 2011 and 2017. According to US authorities, the three men were employed at a Chinese security firm called Boyusec, which acted as a front for the activities of an elite Chinese cyberespionage group called APT3. The US Justice Department charged Wu Yingzhuo with hacking Trimble, Dong Hao with hacking Siemens and Xia Lei with hacking Moody's Analytics. According to a recently unsealed eight-count indictment, both Wu and Dong are founding members and shareholders of Boyusec, while Xia was an employee. The three have been accused of stealing confidential intellectual property from US firms, as well as sensitive employee credentials such as usernames and passwords.
APT3 – an elite cyberespionage group
The FBI reportedly failed to inform "scores" of US government officials that Russian hackers were attempting to infiltrate their personal emails, despite having evidence of the hacking campaign for at least a year. According to an investigation by The Associated Press, just two out of nearly 80 American officials interviewed said that they learned of the hacking attempts from the bureau. Over a span of two months, the AP reached out to people targeted by Fancy Bear, a Russian government-linked cyberespionage group, as per a list provided by cybersecurity firm SecureWorks. The media outlet identified more than 500 US-based people or groups that were targeted and reached out to more than 190 of them. While many targeted individuals were long-retired, about a quarter still held government positions and had security clearances. In some cases, a few senior policymakers only found out that they were targeted after the AP told them.
Fancy Bear hackers are known to target high-profile journalists, dissidents, think tanks and political activists, among others, as part of their various cyberespionage campaigns. The Russian hackers' latest attack targeted the citizen journalism organisation Bellingcat in a new stealth phishing campaign. Bellingcat journalists have previously conducted various open-source investigations on Russia-related issues. The campaign was designed to trick Bellingcat journalists into divulging their Gmail credentials. "Fancy Bear employed a new tactic we hadn't previously seen: using Blogspot-hosted URLs in their spear-phishing email messages. The Blogspot page contained a javascript window location that redirected the visitor to a second URL hosted on a dedicated server," ThreatConnect researchers said in a blog.
No longer just a spy game
Malware that is signed with compromised certificates creates a means for hackers to bypass system protection mechanisms based on code signing. The tactic extends far beyond high-profile cyber-spying ops, such as the Stuxnet attack against Iranian nuclear processing facilities or the recent CCleaner-tainted downloads infection. Security researchers at the University of Maryland found 72 compromised certificates after analysing field data collected by Symantec on 11 million hosts worldwide. "Most of these cases were not previously known, and two-thirds of the malware samples signed with these 72 certificates are still valid; the signature check does not produce any errors," Tudor Dumitras, one of the researchers, told El Reg. "Certificate compromise appears to have been common in the wild before Stuxnet, and not restricted to advanced threats developed by nation-states.
When you're a nation mostly barred from exporting your most valuable assets — gold, copper, silver, coal, and even seafood — getting hold of hard currency is a tricky problem. North Korea, facing a wide range of UN sanctions on exports and trade, has turned to another asset class to try and keep the money flowing: cryptocurrencies. According to a report by security researchers FireEye, North Korean hackers have shown increasing interest in carrying out bitcoin attacks. Cryptocurrency attacks linked to North Korea first started in 2016, and "marked a departure from previously observed activity of North Korean actors employing cyber espionage for traditional nation state activities." In other words, North Korea's hackers had swapped their usual cyber-spying for theft. Specifically, the hackers began targeting South Korean cryptocurrency exchanges.
A new cyberespionage tool, suspected to have been developed and used by Chinese hackers, has been spotted by security researchers. The mobile spy malware, dubbed xRAT, is known to target political groups and comes with a wide range of data collection, espionage and security-evading features, making it an effective tool for cyberespionage hacker groups. Since April, over 60 unique samples of xRAT have been found by security researchers at cybersecurity firm Lookout. The xRAT malware shares similarities with the high-profile Xsser/mRAT malware, which was previously used against pro-democracy Hong Kong activists in 2014. In the past few months, researchers have also found new Android variants of the mRAT malware, indicating that the malware family is being constantly developed and used actively in various campaigns. "These many similarities strongly suggest that mRAT and xRAT have been developed by the same threat actor.
Although the identity and motive of the hackers remain a mystery, the malware poses a risk to South Asian governments and militaries, Reuters reported, citing security researchers at Symantec who identified the campaign. Security experts say that the data-stealing spy malware came laced with the Ehdoor backdoor. The hackers reportedly lured victims by using decoy documents that contained reports relating to security issues, as well as news reports from Reuters, the Hindu and Zee News, that pertained to Kashmir, military issues and an Indian secessionist movement. Symantec said that the spy malware has extensive surveillance features such as keylogging, and can steal personal and location data, take screenshots and be used to target Android devices. However, it is still unclear whether the campaign is related to border tensions, especially given that the campaign dates back to last year, experts say. Symantec told IBTimes UK that it does not "comment publicly on the malware analysis, investigation and incident response services we provide exclusively for our customers".
A hyperactive and "well-funded" cyberespionage group has been going after Asian targets, aiming to steal businesses' technology and trade secrets. Security experts have linked BlackTech to three different cyberespionage campaigns, dubbed PLEAD, Shrouded Crossbow and Waterbear. The cyberespionage group is reportedly taking advantage of security flaws in outdated software, particularly in older Windows OS versions, as well as using leaked Hacking Team tools in active campaigns. BlackTech hackers have been spotted using new and different hacking techniques that include unique backdoor implants and exfiltration techniques against various organisations. According to Trend Micro researchers, the three campaigns saw hackers use the same C&C (command and control) servers and similar tools and techniques, which indicates that the campaigns were "operated by the same group". The group is involved in campaigns targeting organisations primarily in Taiwan, as well as Japan and Hong Kong.
Security experts unmask strategies used by the OceanLotus Group by unveiling an attack that targeted a major Asian firm. The inner workings of a prolific cyberespionage group known as the OceanLotus Group or APT32, known to target major private firms and international governments, have been laid bare by security experts. The OceanLotus Group attempted to steal proprietary data from an unspecified major Asian firm, but was caught in the act by security researchers, who then tracked and studied the group's entire attack life-cycle to understand how such an advanced hacking unit works "under the hood". Security researchers uncovered the OceanLotus Group targeting the top management of the Asian firm in a campaign titled "Operation Cobalt Kitty." The group hacked into 40 computers and servers belonging to the company over the course of a year before the attacks were detected. "The threat actor targeted the company's top-level management by using sophisticated spear-phishing attacks as the initial penetration vector, ultimately compromising the computers of vice presidents, senior directors and other key personnel in the operational departments," Cybereason researchers said in a report.
In our eagerness to learn hidden truths, it is also imperative that we ask ourselves whether we can trust the accuracy of information offered up by unknown actors whose intentions are obscured. The latest report from Citizen Lab, Tainted Leaks: Disinformation and Phishing With a Russian Nexus, indicates that perhaps we’re a little too credulous when reviewing “leaks.” The report details major cyber espionage campaigns rife with falsified information, seemingly intended to discredit those on the front lines of wars against government corruption. The targets, spread over 39 countries, include government and industry leaders, military officers, diplomats, and notable members of civil society, including journalists, activists and academics, as well as other high-profile individuals. Citizen Lab refers to this propaganda technique as “tainted leaks.” Patient zero is David Satter, an American journalist exiled from Russia, who in October 2016 fell victim to a targeted phishing campaign. Satter, perhaps best known for implicating Russian intelligence services in the September 1999 apartment bombings in Buynaksk, Moscow, and Volgodonsk, which killed 293 people, had mistakenly entered his password into a credential harvesting site.
(Reuters) — A group that took credit for leaking NSA cyber spying tools — including ones used in the WannaCry global ransomware attack — has said it plans to sell code that can be used to hack into the world’s most used computers, software and phones.

Using trademark garbled English, the Shadow Brokers group said in an online statement that, from June, it will begin releasing software to anyone willing to pay for access to some of the tech world’s biggest commercial secrets.

In the blog post, the group said it was setting up a “monthly data dump” and that it could offer tools to break into web browsers, network routers, phone handsets, plus newer exploits for Windows 10 and data stolen from central banks.

It said it was set to sell access to previously undisclosed vulnerabilities, known as zero-days, that could be used to attack Microsoft Corp’s latest software system, Windows 10. The post did not identify other products by name.

It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian or North Korean nuclear and missile programs, without providing further details.
A group of hackers that previously leaked alleged U.S. National Security Agency exploits claims to have even more attack tools in its possession and plans to release them in a new subscription-based service. The group also has intelligence gathered by the NSA on foreign banks and ballistic missile programs, it said. The Shadow Brokers was responsible for leaking EternalBlue, the Windows SMB exploit that was used by attackers in recent days to infect hundreds of thousands of computers around the world with the WannaCry ransomware program. The group first appeared online in August and claimed that it had access to the arsenal of a cyberespionage group known in the security industry as the Equation, widely believed to be a hacking division of the NSA. On Tuesday, following the WannaCry attacks, the Shadow Brokers posted a new message online in which they claim to have many more Equation exploits that haven’t been leaked yet. The group wants to make them available as part of a new subscription-based service that it plans to launch in June.
As this rapidly spreading threat evolves, more cybercriminals are likely to attempt to profit from this and similar vulnerabilities. As a ransomware program, WannaCry itself is not that special or sophisticated. The difference between the earlier WannaCry attacks and the latest one is a worm-like component that infects other computers by exploiting a critical remote code execution vulnerability in the Windows implementation of the Server Message Block 1.0 (SMBv1) protocol. The WannaCry attackers didn't put in a lot of work to build the SMB-based infection component either, as they simply adapted an existing exploit leaked in April by a group called the Shadow Brokers. Since then researchers have discovered a couple more versions: one that tries to contact a different domain name, which researchers have also managed to register, and one that has no apparent kill switch. However, the latter version is non-functional and seems to have been a test by someone who manually patched the binary to remove the kill switch, rather than recompiling it from its original source code.
Kaspersky Lab has fired back at the US government. The security software company denied allegations that it helped the Russian government with its cyberespionage efforts. Kaspersky CEO Eugene Kaspersky, during a Reddit AMA, said he would be happy to testify in front of the US Senate. "I'm very sorry these gentlemen can't use the best software on the market because of political reasons," he said. The comments come after National Security Agency Director Mike Rogers told a Senate committee that he was looking into government use of software from Russia-based Kaspersky Lab, according to Reuters. Cybersecurity has become a hot topic in Washington as concerns have mounted over email leaks during the 2016 presidential election campaign and reports of Russian online meddling, as well as breaches at government agencies and in the business world.