Select Page
New “Earth Longzhi” APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders

New “Earth Longzhi” APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders

Entities located in East and Southeast Asia as well as Ukraine have been targeted at least since 2020 by a previously undocumented subgroup of APT41, a prolific Chinese advanced persistent threat (APT).

Cybersecurity firm Trend Micro, which christened the espionage crew Earth Longzhi, said the actor’s long-running campaign can be split into two based on the toolset deployed to attack its victims.

The first wave from May 2020 to February 2021 is said to have targeted government, infrastructure, and healthcare industries in Taiwan and the banking sector in China, whereas the succeeding set of intrusions from August 2021 to June 2022 infiltrated high-profile victims in Ukraine and several countries in Asia.

This included defence, aviation, insurance, and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.

The victimology patterns and the targeted sectors overlap with attacks mounted by a distinct sister group of APT41 (aka Winnti) known as Earth Baku, the Japanese cybersecurity company added.

Some of Earth Baku’s malicious cyber activities have been tied to groups called by other cybersecurity firms ESET and Symantec under the names SparklingGoblin and Grayfly, respectively.

images from Hacker News

Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign

Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign

A new malicious campaign has compromised over 15,000 WordPress websites in an attempt to redirect visitors to bogus Q&A portals.

“These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines,” Sucuri researcher Ben Martin said in a report published last week, calling it a “clever black hat SEO trick.”

The search engine poisoning technique is designed to promote a “handful of fake low quality Q&A sites” that share similar website-building templates and are operated by the same threat actor.

A notable aspect of the campaign is the ability of the hackers to modify over 100 files per website on average, an approach that contrasts dramatically from other attacks of this kind wherein only a limited number of files are tampered with to reduce footprint and escape detection.

Some of the most commonly infected pages consist of wp-signup.php, wp-cron.php, wp-links-opml.php, wp-settings.php, wp-comments-post.php, wp-mail.php, xmlrpc.php, wp-activate.php, wp-trackback.php, and wp-blog-header.php.

images from Hacker News

What is an External Penetration Test?

What is an External Penetration Test?

A penetration test (also known as a pentest) is a security assessment that simulates the activities of real-world attackers to identify security holes in your IT systems or applications.

The aim of the test is to understand what vulnerabilities you have, how they could be exploited, and what the impact would be if an attacker was successful.

Usually performed first, an external pentest (also known as external network penetration testing) is an assessment of your perimeter systems. Your perimeter is all the systems that are directly reachable from the internet. By definition, they are exposed and are, therefore the most easily and regularly attacked.

Testing for weaknesses

External pentests look for ways to compromise these external, accessible systems and services to access sensitive information and see how an attacker could target your clients, customers or users.

In a high-quality external pentest, the security professional(s) will copy the activities of real hackers, like executing exploits to attempt to gain control of your systems. They will also test the extent of any weaknesses they find to see how far a malicious attacker could burrow into your network, and what the business impact of a successful attack would be.

images from Hacker News

New KmsdBot Malware Hijacking Systems for Mining Crypto and Launch DDoS Attacks

New KmsdBot Malware Hijacking Systems for Mining Crypto and Launch DDoS Attacks

A newly discovered evasive malware leverages the Secure Shell (SSH) cryptographic protocol to gain entry into targeted systems with the goal of mining cryptocurrency and carrying out distributed denial-of-service (DDoS) attacks.

Dubbed KmsdBot by the Akamai Security Intelligence Response Team (SIRT), the Golang-based malware has been found targeting a variety of companies ranging from gaming to luxury car brands to security firms.

“The botnet infects systems via an SSH connection that uses weak login credentials,” Akamai researcher Larry W. Cashdollar said. “The malware does not stay persistent on the infected system as a way of evading detection.”

The malware gets its name from an executable named “kmsd.exe” that’s downloaded from a remote server following a successful compromise. It’s also designed to support multiple architectures, such as Winx86, Arm64, mips64, and x86_64.

KmsdBot comes with capabilities to perform scanning operations and propagate itself by downloading a list of username and password combinations. It’s also equipped to control the mining process and update the malware.

images from Hacker News

Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images

Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images

A recently discovered cyber espionage group dubbed Worok has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor’s infection chain.

Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that’s used to facilitate information theft.

“What is noteworthy is data collection from victims’ machines using Dropbox repository, as well as attackers using Dropbox API for communication with the final stage,” the company said.

The development comes a little over two months after ESET disclosed details of attacks carried out by Worok against high-profile companies and local governments located in Asia and Africa. Worok is believed to share tactical overlaps with a Chinese threat actor tracked as TA428.

The Slovak cybersecurity company also documented Worok’s compromise sequence, which makes use of a C++-based loader called CLRLoad to pave the way for an unknown PowerShell script embedded within PNG images, a technique known as steganography.

That said, the initial attack vector remains unknown as yet, although certain intrusions have entailed the use of ProxyShell vulnerabilities in Microsoft Exchange Server to deploy the malware.

images from Hacker News

Experts Uncover Two Long-Running Android Spyware Campaigns Targeting Uyghurs

Experts Uncover Two Long-Running Android Spyware Campaigns Targeting Uyghurs

Two long-running surveillance campaigns have been found targeting the Uyghur community in China and elsewhere with Android spyware tools designed to harvest sensitive information and track their whereabouts.

This encompasses a previously undocumented malware strain called BadBazaar and updated variants of an espionage artefact dubbed MOONSHINE by researchers from the University of Toronto’s Citizen Lab in September 2019.

“Mobile surveillance tools like BadBazaar and MOONSHINE can be used to track many of the ‘pre-criminal’ activities, actions considered indicative of religious extremism or separatism by the authorities in Xinjiang,” Lookout said in a detailed write-up of the operations.

The BadBazaar campaign, according to the security firm, is said to date as far back as late 2018 and comprise 111 unique apps that masquerade as benign video players, messengers, religious apps, and even TikTok.

While these samples were distributed through Uyghur-language social media platforms and communication channels, Lookout noted it found a dictionary app named “Uyghur Lughat” on the Apple App Store that communicates with a server used by its Android counterpart to gather basic iPhone information.

The iOS app continues to be available on the App Store.

images from Hacker News