Information Security News|Cyber Security|Hacking Tutorial https://www.securitynewspaper.com/

Education and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia were being spied on since 2013
https://www.securitynewspaper.com/2022/06/09/education-and-telecommunication-organizations-based-in-singapore-hong-kong-vietnam-cambodia-and-australia-were-being-spied-on-since-2013/
Thu, 09 Jun 2022 22:34:54 +0000

Researchers at security firm SentinelLabs report the detection of a new Chinese-speaking hacking group identified as Aoqin Dragon, which has been active since 2013. According to experts, this group focuses on cyber espionage against government, educational, and telecommunications organizations in Australia, Hong Kong, Singapore, and Vietnam.

The main attack method, employed by this group between 2012 and 2015, involves Microsoft Office documents specially crafted for the exploitation of known vulnerabilities such as CVE-2012-0158 and CVE-2010-3333. This tactic was first detected in 2014, in a phishing campaign associated with the Advanced Persistent Threat (APT) operation known as Naikon.

SentinelLabs identified a second hacking method associated with Aoqin Dragon, based on hiding malicious executables in icons of fake antivirus products. After execution, a malware sample was delivered to the affected systems.

Starting in 2018, hackers left these tactics behind to resort to using a removable disk shortcut file; clicking this icon triggers a DLL hijack and loads an encrypted payload to deliver a backdoor. This malware runs under the name “Evernote Tray Application” and is executed at system startup; if any removable drives are detected, a copy of the payload will be created to expand the infection.

SOURCE: SentinelLabs

At least two backdoor variants used by this group have been identified. Known as Mongall, the first backdoor is a DLL injected into memory, protected with encryption and under constant maintenance since its launch in 2013. This backdoor profiles the host and sends the details to the C&C over an encrypted channel.

Heyoka, meanwhile, is an open source exfiltration tool that uses spoofed DNS requests to create a two-way communication tunnel. Hackers use Heyoka to copy files from compromised devices while preventing the affected system administrators from detecting malicious activity in its early stages.

Aoqin Dragon is an unusual case, as it managed to go unnoticed for almost ten years. This has been possible due to the continuous evolution of its strategies and the periodic change of tactics, so it is highly likely that this cybercriminal group will change its behavior again in the near future.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

How hackers took control of 100 email accounts of employees of RT and other Russian organizations for cyber spying purposes?
https://www.securitynewspaper.com/2022/05/25/how-hackers-took-control-of-100-email-accounts-of-employees-of-rt-and-other-russian-organizations-for-cyber-spying-purposes/
Wed, 25 May 2022 18:20:22 +0000

A recent investigation details how an unidentified hacking group compromised the email accounts of entities linked to the Russian government using four separate phishing operations in early 2022. According to Malwarebytes experts, attackers use a remote access Trojan (RAT) to spy and execute commands on infected systems while deploying various mechanisms to evade detection and make reverse engineering difficult.

After extensive sample collection, analysis and follow-up, experts discovered some details about this RAT. While these phishing campaigns have not been attributed to a specific threat actor, all indications are that this operation is handled by a Chinese Advanced Persistent Threat (APT) group.

Simultaneous operations

As mentioned initially, hackers deployed four malicious email campaigns since the end of February, working simultaneously and using various lures to attract unsuspecting users.

Below, we’ll briefly review the features of each phishing attack based on evidence collected by Malwarebytes.

Interactive map

Hackers began distributing the RAT in a file identified as interactive_map_UA.exe, an alleged interactive map of Ukraine. The malware distribution started a few days after Russia invaded Ukraine, indicating that hackers tried to exploit the international conflict.

Update for Log4j

Another of the detected malicious campaigns uses a fake update to fix the Log4Shell vulnerability using a tar file identified as Patch_Log4j.tar.gz. Reports of these emails began in March and targeted at least 100 employees of RT TV, a media network funded by Russia’s government.

The messages appear to be sent by the Russian state defense conglomerate Rostec and include various images and PDFs to make them less suspicious.

The attached PDF, named О кибербезопасности 3.1.2022.pdf, contains instructions on how to run the fake patch, plus a bullet list with supposed safety tips.

Among these recommendations, hackers even added a link to VirusTotal announcing that the file has not been identified as malicious by any antivirus engine.

The message also includes links to the rostec.digital website, registered by the threat actors and designed to resemble Rostec's actual site. Interestingly, the fraudulent website was registered in mid-2021, months before the Russian invasion of Ukraine began.

Rostec

Hackers again use Rostec’s image in the third campaign, distributing a malicious file named build_rosteh4.exe.

Fake job offers

The latest detected campaign uses a Word document containing an alleged job offer at state oil company Saudi Aramco. The attack involves a self-extracting file using the Jitsi icon and creating a directory identified as Aramco in C:\ProgramData.

The document, written in English, includes a message in Russian asking the user to enable macros on their device.

Remote template injection then downloads a macro-embedded template, whose macro delivers a VBS script identified as HelpCenterUpdater.vbs to the %USER%\Documents\AdobeHelpCenter directory. The template also verifies the existence of %USER%\Documents\D5yrqBxW.txt; as long as it exists, the script will be delivered and executed.

The HelpCenterUpdater.vbs script delivers another obfuscated VBS file named UpdateRunner.vbs and downloads the primary payload, a DLL called GE40BRmRLP.dll, from its C&C server. In another related payload that appears to share code, the script provides an EXE instead of a DLL.

The UpdateRunner.vbs script is responsible for running the DLL through rundll32.exe.

The malicious DLL contains the code that communicates with the C&C server and executes the received commands.

The campaign is still active and relatively successful, although many details remain unknown, and it is difficult to know what specific purposes the attackers are pursuing. Malwarebytes has committed to continue monitoring this campaign and the malware used by the hackers.

How Chinese cyber army steals intellectual property from your company
https://www.securitynewspaper.com/2022/05/05/how-chinese-cyber-army-steals-intellectual-property-from-your-company/
Thu, 05 May 2022 23:04:37 +0000

Cybersecurity specialists from tech firm Cybereason reported the uncovering of a Chinese cybercriminal operation whose main goal was intellectual property theft. Identified as “Operation Cuckoobees”, this campaign was attributed to an advanced persistent threat (APT) group sponsored by China and known as Winnti, APT 41, Barium or Blackfly.

This group is known for using various malware strains and distributing them in complex attack chains. According to the Cybereason report, it all starts with the exploitation of multiple vulnerabilities in an enterprise resource planning tool. Hackers then search for a file identified as gthread-3.6.dll in the VMware Tools folder; this allows them to inject other payloads such as webshells and credential dump tools.

Threat actors also strive to hide their malicious activity. Among the techniques used by APT41, the use of the Windows Server Common Log File System (CLFS) stands out: it uses an undocumented file format that can be accessed through APIs but cannot be analyzed, allowing hackers to hide their malicious payloads and evade detection for years. According to the report: “The attackers stole intellectual property such as confidential documents, blueprints, diagrams, formulas and proprietary data related to the manufacturing industry.”

Experts add that the attacks targeted technology and manufacturing companies, especially in East Asia, Western Europe and North America, all considered industrial hotspots globally.   

Industrial espionage is a practice commonly associated with hacking groups sponsored by China and its all-powerful Communist Party. In the past, the United States and other nation states have accused the Asian giant of facilitating cyberattack campaigns for the theft of confidential records, either by financing their activities or by simply turning a blind eye to these groups and operations.

How this APT group is hacking Indian government officials to spy on their activities
https://www.securitynewspaper.com/2022/03/29/how-this-apt-group-is-hacking-indian-government-officials-to-spy-on-their-activities/
Tue, 29 Mar 2022 22:25:25 +0000

Cisco Talos researchers reported detecting a new hacking campaign by the group identified as Transparent Tribe and targeting government organizations in India. Active at least since mid-2021, this campaign is based on the use of fraudulent web domains that pose as official Indian government platforms for the delivery of malicious payloads, a tactic associated with this group of hackers.

Experts mention that the group, also known as APT36 or Mythic Leopard, has undergone significant changes over the past year, adopting new attack mechanisms and multiple malware variants during its intrusions. Specifically, hackers have used small, customizable downloaders, capable of adapting to various environments quickly and efficiently.

In the most recent campaign by Transparent Tribe, multiple malware delivery methods were identified, including executables disguised as legitimate application installers or storage files. Indian users who encountered any of these malicious payloads could have been infected with one of the malware variants described below:

  • CrimsonRAT, a remote access Trojan (RAT) variant frequently used by these hackers to deploy cyber spying operations targeting military organizations
  • A lightweight .NET-based implant able to run arbitrary commands on infected systems
  • A previously unknown Python-based stager that leads to the deployment of .NET-based reconnaissance tools and RATs

This operation also relies on the use of fake domains posing as legitimate government organizations to deliver malicious payloads. This is a tactic commonly linked with this group. Besides, although not their most common tactic, threat actors can also use phishing messages from the Indian government regarding the COVID-19 pandemic.

The researchers believe that tools like CrimsonRAT would allow threat actors to maintain persistence and long-term remote access to affected systems for espionage purposes, and that the attack vector remains functional for this and other groups of threat actors. While Transparent Tribe is not considered a sophisticated hacking group, its practices demonstrate great persistence and motivation to maintain an attack, so this threat should not be taken lightly, especially considering that its main goal seems to be cyber spying and remote access to critical systems.

AirGuard: Free Android app allows users to detect if they are being spied on using an Apple AirTag
https://www.securitynewspaper.com/2022/02/28/airguard-free-android-app-allows-users-to-detect-if-they-are-being-spied-on-using-an-apple-airtag/
Mon, 28 Feb 2022 18:07:33 +0000

Cybersecurity specialists published a report explaining the workings of AirGuard, an Android application that allows users of this operating system to detect an Apple AirTag device potentially used for malicious purposes.

Launched in April 2021, the AirTag allows iPhone users to track their devices through the Find My service. However, it has been reported on multiple occasions that malicious users can use AirTags to track a person without permission, stealthily hiding them in a backpack, clothing or any other similar place.

Despite Apple’s efforts to counter malicious use of these devices, this remains a severe problem, especially when the tracked user does not have a tool to detect an Apple device from the abusive behavior patterns established by the company.

In 2021 Apple launched the Tracker Detect app for Android users, which would inform users that there is an AirTag enabled in a nearby location. However, the app only informs users if they are being tracked, so it is not really a reliable tool.

The researchers decided to reverse engineer iOS tracking detection to better understand its inner workings and then designed the AirGuard app, which automatically detects any passive tracking activity and works with all Find My accessories in addition to the AirTag.

The app was launched at the end of 2021 through the official Google Play Store platform and already has about 120,000 users. With this tool it will be possible to detect all the devices of the Find My family, including the AirTags modified for tracking and espionage purposes.

The app will also be able to detect any AirTag placed in a car, which can prove difficult even for other tools from Apple itself. Finally, the researchers acknowledge that the main weakness during their testing is the limited scanning opportunities on the Android operating system, so the scope of the search could be limited.

Researcher publishes way to bypass Apple AirTag anti-spying protection
https://www.securitynewspaper.com/2022/02/22/researcher-publishes-way-to-bypass-apple-airtag-anti-spying-protection/
Wed, 23 Feb 2022 00:38:31 +0000

Cybersecurity specialists developed an Apple AirTag clone to demonstrate that the tracking protection features of the Find My network can be easily bypassed. This device has been the subject of numerous reports related to tracking and personal security, as it can sometimes be used for malicious purposes, such as espionage.

Infosec researcher Fabian Braunlein of Positive Security has been sharing his ideas on fairly obvious evasion methods for months, considering that everything can be put into practice in real scenarios.

The expert relied on OpenHaystack, a framework for tracking Bluetooth devices using the Find My network, for the development of the clone. Using an ESP32 microcontroller with Bluetooth support, a power bank, and a cable, a clone of the AirTag device was created.

This device uses custom ESP32 firmware that constantly rotates the public keys, sending one periodically and repeating the list approximately every 17 hours. However, it is believed that a common seed and bypass algorithm used in the clone and in a Mac application used to track it could create a key stream that is virtually never repeated.

Employing an irreversible bypass function and overwriting the seed with the result of the next round would make it impossible for law enforcement or Apple to obtain the previously transmitted AirTag public keys, regardless of whether they have physical access to the device. During their experiment, the Android Tracker Detect app did not show the cloned AirTag at all, although using other tools it was possible to track the cloned device.

The specialist considers that the main risk stems not from the AirTag itself but from the introduction of the Find My ecosystem, which uses customers’ devices to provide this Apple service. Since the current iteration of the Find My network can’t be limited to just AirTags and hardware that officially has permission to use the network, the expert believes Apple should rethink the security of these features.

This Mexican businessman was charged for selling phone interception tools and spyware to companies and government agencies in Latin America
https://www.securitynewspaper.com/2022/02/16/this-mexican-businessman-was-charged-for-selling-phone-interception-tools-and-spyware-to-companies-and-government-agencies-in-latin-america/
Wed, 16 Feb 2022 19:19:24 +0000

The U.S. Department of Justice (DOJ) has reported that Mexican businessman Carlos Guerrero pleaded guilty to conspiracy to sell and use hacking tools while serving as director of a commercial consortium he also owned. Between 2014 and 2017, Guerrero negotiated the purchase of various hacking, espionage and geolocation tools developed by firms based in Italy and Israel to later resell them to other entrepreneurs and even to representatives of the Government of Mexico.

The defendant marketed all sorts of tools and software solutions, including WiFi blockers and interceptors, IMSI receivers, spyware and other tools to hack messaging services such as WhatsApp, to potential customers in Mexico and the United States. According to the DOJ, many of his clients were politically and financially motivated.

In addition to the sale of these solutions, the defendant himself used some of the tools he purchased to intercept phone calls and spy on the emails of a rival trade consortium from Baja California, Mexico, in a deal costing nearly $25,000 USD.

U.S. Attorney Randy Grossman said, “This guilty plea will help stop the proliferation of digital tools used to compromise the safety of U.S. and Mexican citizens.” The prosecutor also reiterated his commitment to the detection and interruption of any cybercriminal operation in collaboration with the rest of government agencies.

So far it is unknown which companies and government agencies bought the software sold by Guerrero and which are the companies that sold these tools to the defendant. More information could be revealed when the case is closed. Guerrero is still waiting to hear his sentence.

China launches more cyber attacks than any other country: New FBI report
https://www.securitynewspaper.com/2022/02/03/china-launches-more-cyber-attacks-than-any-other-country-new-fbi-report/
Thu, 03 Feb 2022 23:31:35 +0000

In a recent report, the Federal Bureau of Investigation (FBI) Director Christopher Wray attributes responsibility for the largest cyberattack campaigns to the Chinese Communist Party, considering that for the current regime in the Asian giant there is no such thing as peace in cyberspace.

Of all the investigations active at the FBI, more than 2,000 relate to hacking tactics deployed by Chinese government agents, who are caught trying to spy on people of interest in the U.S., steal sensitive information, and even access software critical to North America.

Wray claims that the Chinese government has been able to steal an unprecedented volume of information, causing severe damage to all kinds of organizations at an alarming rate of 2 new incidents recorded daily.

In their quest to compromise targets in the West, Chinese hackers resort to all sorts of methods and tools. For example, the plan identified as “Made in China 2025” lists 10 key points for the success of the republic over the next few years, demonstrating that it is vital for China to adopt a preponderant role globally in fields such as robotics, clean energy, aerospace and pharmaceutical research, even at the cost of intellectual property theft.

In addition to the obvious cyberwarfare tactics, the Chinese Communist Party turns to its most skilled intelligence agents in search of access to critical information that may affect its adversaries. As if that were not enough, the Chinese government also maintains significant investments to spread its ideological influence and interfere with key actors abroad.

Faced with this risk scenario, the FBI uses all its intelligence resources for the early identification and dismantling of hacking campaigns orchestrated by the Chinese Communist Party. In a recent operation, American agents managed to interrupt the execution of a backdoor on Microsoft Exchange servers that could have proved disastrous for thousands of public and private organizations.

U.S. agencies also try to share all of their findings with the independent research community and security firms, which will allow them to create an environment that is always up-to-date on the latest threats. In this way, the FBI shows its commitment to law enforcement agencies around the world and works to ensure that cybercrime cannot act freely against critical targets.

Google Project Zero researcher finds two critical vulnerabilities in ZOOM
https://www.securitynewspaper.com/2022/01/19/google-project-zero-researcher-finds-two-critical-vulnerabilities-in-zoom/
Wed, 19 Jan 2022 17:29:20 +0000

Natalie Silvanovich, a researcher at Google Project Zero, reported the detection of two vulnerabilities in the Zoom video conferencing platform whose exploitation would allow threat actors to compromise the deployments of thousands of customers. Silvanovich’s findings were tested by exploiting a recently revealed zero-click attack.

The reported failures were described as a buffer overflow issue affecting Zoom clients and Zoom multimedia routers (MMR), and a central information leakage error for MMR servers.

The report also details the absence of Address Space Layout Randomization (ASLR), a mechanism against memory corruption attacks: “This should be the most important security method to prevent certain types of attack; there are not enough reasons for it to be disabled,” adds the researcher.

About MMR, Silvanovich mentions that as these servers process video conferencing content, errors become more worrisome, with even the risk of cyberespionage. The specialist did not complete the attack chain, but suspects that a threat actor could do so with enough time.

The flaws were reported to Zoom at the end of 2021 and have already been corrected, plus ASLR has been enabled by default. The discovery of these flaws was possible thanks to the fact that the videoconferencing platform allows customers to configure their own servers; however, fixing these flaws can be tricky because Zoom doesn’t have open source components.

For Silvanovich, these access restrictions limit the amount of research and findings related to Zoom: “Closed-source software presents peculiar cybersecurity challenges; Zoom should be more accessible to researchers and experts in ethical hacking,” concludes the researcher.

In November, Zoom rolled out automatic updates for the software’s desktop clients on Windows and macOS, as well as mobile devices. This feature was previously only available to business users, so users are encouraged to stay on top of new ads.

Hackers shut down the systems of the UK military defense academy
https://www.securitynewspaper.com/2022/01/03/hackers-shut-down-the-systems-of-the-uk-military-defense-academy/
Mon, 03 Jan 2022 18:20:23 +0000

British authorities confirmed that the UK Military Defense Academy was the target of a cyberattack that caused what was described as “significant damage”. The attack was confirmed by Marshal Edward Stringer, retired since last August, who mentions that the malicious activity was identified since March 2021.

Stringer said he does not know the real origin of the attack, but he believes that hackers could attack from Russia, Iran, China or North Korea; authorities do not rule out that it is the work of a ransomware operation. Authorities acknowledge that the attack is devastating, and that the problems have not been fully addressed.

In this regard, Sky News assures that the academy’s networks did not store confidential information. Based in Oxfordshire, the academy has 28,000 military, diplomats and civil servants a year, and operated primarily online due to the pandemic.

The attack appears to have been detected by workers at a contractor firm, who reported the incident to authorities. It wasn’t long before the researchers concluded that the unusual activity was due to a cyberattack with high destructive potential.

However, the hackers were not completely successful during their intrusion, as the authorities thwarted their attempt to use this access as a kind of backdoor to the systems of the Ministry of Defense.

Stringer concludes by mentioning that this attack falls into what he identified as “a gray area” in terms of the damage generated by threat actors, which makes it clear that this incident was very close to being considered an act of cyberwarfare. Stringer is an authoritative voice on these issues, having served prior to his retirement as director general of development in the British Navy, as well as being known for his forward-looking ideas and approaches to military tasks and the technology of the future.

Don’t buy this Fisher Price phone for kids; anyone can use its Bluetooth to spy on your family https://www.securitynewspaper.com/2021/12/23/dont-buy-this-fisher-price-phone-for-kids-anyone-can-use-its-bluetooth-to-spy-on-your-family/ Thu, 23 Dec 2021 20:15:30 +0000 https://www.securitynewspaper.com/?p=24616

Cybersecurity specialists report the appearance of a new toy with Bluetooth capabilities whose malicious use would allow threat actors to carry out complex espionage against the homes where it is used, affecting infants as well as their parents and other relatives.

The device in question is the Chatter Special Edition, which at first glance is just an accessory to add Bluetooth function and a speaker to Fisher Price’s classic toy phone, characterized by having eyes, mouth and wheels, an old favorite in homes around the world.

The launch of this device has been accompanied by an ambitious advertising campaign in which manufacturers enthusiastically announce that this phone is no longer just a toy and that children will be able to receive phone calls through the speaker and Bluetooth connection.

The 2021 version of the device connects to a smartphone and can be used as a speaker or to make calls. To the surprise of many, the device’s rotary dial does work, unlike its predecessors. This all sounds great, although we must be careful with any technological device, including toys. According to the security firm PenTest Partners, Chatter has severe flaws that could turn it into a spying device.

The researchers mention that Chatter uses Bluetooth Classic without sufficient security measures, which means it accepts any pairing request. In other words, anyone within range of the Chatter could connect a Bluetooth device and listen to whatever is said within range of the Chatter’s microphone.

Other interesting findings from PenTest Partners include:

  • A threat actor in a nearby location could use the phone to talk and listen to a child in their home
  • If the phone’s handset is left off the hook, the device automatically answers any calls to a connected smartphone
  • The same attacker can also make the Chatter ring, so a child is likely to answer without adult supervision

The Chatter is already sold out, although fortunately it was only sold in the United States. Another piece of good news is that the classic toy phone, which has no technological capabilities, is available almost globally for less than $20 USD.

If you talk about some of these 100 topics, Chinese government will start spying on you https://www.securitynewspaper.com/2021/12/17/if-you-talk-about-some-of-these-100-topics-chinese-government-will-start-spying-on-you/ Fri, 17 Dec 2021 18:06:42 +0000 https://www.securitynewspaper.com/?p=24599

In a move that is controversial but in keeping with its form of government, the Chinese telecommunications authority issued a list of 100 topics that local Internet users will not be allowed to include in their short videos for specific apps. This list, officially known as the Online Short Video Content Review Standard Rules, prohibits talking about various topics, from mockery or criticism of the government to substance use and trading in virtual assets.

In this way, the Communist Party of China once again shows its total rejection of the Western way of life, since users are even prohibited from publishing videos with fragments of television programs not broadcast on Chinese territory, mainly material produced in the United States.

Sex is another topic that has never escaped the scrutiny of the Chinese government, so various terms with sexual connotations, including diversity and same-sex marriage, are also banned in these videos.

As for political issues, discussion of doctrines such as extreme nationalism or fascism is also prohibited, not to mention that criticism cannot be expressed against the Chinese socialist model and the forms of government of countries considered allies.

Another topic that has been constantly rejected by the ruling party in China is the use of cryptocurrency, so citizens will not be able to touch on issues such as mining, trade, speculation and investment.

Among the 100 topics of discussion and prohibited terms, the following also stand out:

  • Sale and consumption of drugs
  • Gambling machines
  • Organized crime and gangs
  • Apology for criminal behavior
  • Violence or psychological abuse

The list concludes by banning what the Chinese government identifies as “Other violations of laws, public order and good customs,” which can cover all of the topics mentioned above.

Chinese citizens usually do not openly express their dissatisfaction with these kinds of measures; instead, many Internet users in China resort to word games to evade some of these rules, going unnoticed by local government monitors.
