Volt. Flax. Salt. Many typhoons have emerged in the last year and aren’t strictly related to the weather. But, like their meteorological namesakes, they do cause catastrophic damage. These typhoons are high-profile state-sponsored cyberattacks. Recent incidents include exploiting a zero-day vulnerability in Versa Director, a software product used by many Internet Service Providers (ISPs), to directly attack Singapore Telecommunications, representing part of ongoing cyberattacks against glo
apt (16)
Cryptocurrency-related businesses have been targets of North Korean-affiliated threat actors for some time now, with multiple campaigns aiming to steal funds and/or insert backdoor malware into targets. In April 2023, researchers detailed an APT campaign targeting macOS users with multi-stage malware that culminated in a Rust backdoor capable of downloading and executing further malware on infected devices. ‘RustBucket,’ as they labeled it, was attributed with strong confidence to the BlueNoroff
China-linked APT group Salt Typhoon (FamousSparrow and GhostEmperor) breached US broadband providers, including Verizon, AT&T, and Lumen Technologies, potentially accessing systems for lawful wiretapping and other data.
See: https://redskyalliance.org/xindustry/hotels-under-attack
According to the Wall Street Journal, which reported the news exclusively, the security breach poses a major national security risk. The WSJ states that the compromise remained undisclosed due to possible impact on na
So maybe China and Russia are not such good friends after all. Cyber security researchers have uncovered an apparently new Advanced Persistent Threat (APT) group targeting Russian government entities, known as CloudSorcerer. They use a sophisticated cyber espionage tool, discovered by investigators and reported in an advisory they published in June, and is designed for covert data collection and exfiltration, using Microsoft Graph, Yandex Cloud, and Dropbox for its command and control (C2) inf
It is no longer theoretical; the world's major powers are working with large language models to enhance offensive cyber operations. Advanced persistent threats (APTs) aligned with China, Iran, North Korea, and Russia use large language models (LLMs) to enhance their operations. New blog posts from OpenAI and Microsoft reveal that five prominent threat actors have used OpenAI software for research, fraud, and other malicious purposes. After identifying them, OpenAI shuttered all their accounts
SentinelLabs recently posted a very interesting report on leaked information about a Chinese company, I-Soon.
Executive Summary / I-Soon (上海安洵), a company that contracts for many PRC agencies–including the Ministry of Public Security, Ministry of State Security, and People’s Liberation Army, was subject to a data leak over the weekend of 16 February. It is not known who pilfered the information nor their motives, but this leak provides a first-of-its-kind look at the internal operations of a st
A Chinese cyber espionage group targeting organizations and individuals in China and Japan has remained under the radar for roughly five years, cybersecurity firm ESET https://www.eset.com reports. Researchers have tracked it as Blackwood and active since at least 2018, the Advanced Persistent Threat (APT) actor has been using Adversary-in-the-Middle (AitM) attacks to deploy a sophisticated implant via the update mechanisms of legitimate software such as Sogou Pinyin, Tencent QQ, and WPS Office
SentinelLabs has provided a timely report on the current cyber posture regarding the Israel-Hamas War. Since the start of the Israel-Hamas war, the cyber domain has played a critical role in the conflict, albeit in ways the world may not have expected. Immediately following the attacks from Hamas on 7 October, social media became a hotbed of disinformation, inaccurate self-described OSINT investigators, and public confusion. Unfortunately, leading social media platforms failed to stop the spre
Advanced Persistent Threat (APT) actors have exploited known vulnerabilities in Zoho ManageEngine and Fortinet VPN products to hack an organization in the aeronautical sector, according to a joint report from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Cyber Command’s Cyber National Mission Force (CNMF). Impacting more than 20 on-premises Zoho ManageEngine products, the first bug, tracked as CVE-2022-47966 (CVSS score of 9.8), allows remote attackers to execute
Operational technology/industrial control system (OT/ICS) assets that operate, control, and monitor day-to-day critical infrastructure and industrial processes continue to be an attractive target for malicious cyber actors. These cyber actors, including advanced persistent threat (APT) groups, target OT/ICS assets to achieve political gains, economic advantages, or destructive effects. Because OT/ICS systems manage physical operational processes, cyber actors’ operations could result in physica
Security researchers have warned that countless global organizations might be at risk of remote compromise after discovering more than 8000 exposed Virtual Network Computing (VNC) instances. Virtual networking enables communication between multiple computers, virtual machines (VMs), virtual servers, or other devices across different office and data center locations. While physical networking connects computers through cabling and other hardware, virtual networking extends these capabilities by u
The Newcomer’s Guide to Cyber Threat Actor Naming (original article from 2018)
I was driven by a deep frustration when I started my public “APT Groups and Operations” spreadsheet in 2015. I couldn’t understand why I had to handle so many different names for the same threat actor. Today (2018), I understand the reasons for the different names and would like to explain to them so newcomers stop asking for standardization. Off the record: you just reveal a lack of insight by demanding complete st
Espionage comes in many forms, for advanced persistent threat (APT) “UNC3524” as dubbed by security company Mandiant, the objective is to collect emails dealing with corporate development, mergers & acquisitions, and corporate transactions. “UNC3524” was first discovered in December 2019 and has been tracked since then. The group’s corporate targets and interest in M&A plans point to financial motivation, however, the group’s ability to linger in a target environment while collecting emails, s
Our friends at the National Defense Transportation Association (NDTA) shared a PowerPoint from the BIO-ISAC that explains recent cyber-attacks on Bio-Manufacturing research and development companies. A serious APT attack has been identified in the biomanufacturing sector that has been found within a pharmaceutical company that is involved in COVID-19 therapeutics, as well as another pharmaceutical company.
The APT is named Tardigrade and was publicly announced on 22 November 2021. As with any
Activity Summary - Week Ending 16 April 2021:
- Red Sky Alliance observed 58 new unique email accounts compromised with Keyloggers
- Analysts identified 30,373 connections from new unique IP addresses
- 3,512 new IP addresses participating in various Botnets were Observed
- Security Researcher under Attack
- CISA’s New Tool – Aviary
- FormBook Malware
- State Sponsored APT
- Lazarus and Vyvera
- TiT-for-TaT is Never Good
- Myanmar and Taiwan Protests
Link to full report: IR-21-106-001_weekly_106.pdf
Palmerworm, an advanced persistent threat (APT) group, has been active since 2013 and is engage in cyber espionage campaigns that target organizations in the US, East Asia, particularly Taiwan, and occasionally Japan and Hong Kong. Palmerworm hackers are using new customized malware as well as ‘living off the land’ techniques manipulating tools and commands already built into an operating system for malicious purposes.
This APT group, also known as BlackTech, has conducted long-term espionage c
