Defense – INDIA NEWS (http://www.indiavpn.org), news blog feed generated Wed, 27 Mar 2024 16:33:47 +0000

Hackers Hit Indian Defense, Energy Sectors with Malware Posing as Air Force Invite
http://www.indiavpn.org/2024/03/27/hackers-hit-indian-defense-energy-sectors-with-malware-posing-as-air-force-invite/
Published Wed, 27 Mar 2024 16:33:47 +0000

Mar 27, 2024 | Newsroom | Cyber Espionage / Data Breach


Indian government entities and energy companies have been targeted by unknown threat actors with an aim to deliver a modified version of an open-source information stealer malware called HackBrowserData and exfiltrate sensitive information in some cases by using Slack as command-and-control (C2).

“The information stealer was delivered via a phishing email, masquerading as an invitation letter from the Indian Air Force,” EclecticIQ researcher Arda Büyükkaya said in a report published today.

“The attacker utilized Slack channels as exfiltration points to upload confidential internal documents, private email messages, and cached web browser data after the malware’s execution.”

The campaign, observed by the Dutch cybersecurity firm beginning March 7, 2024, has been codenamed Operation FlightNight in reference to the Slack channels operated by the adversary.


Targets of the malicious activity span multiple government entities in India, counting those related to electronic communications, IT governance, and national defense.

The threat actor is said to have successfully compromised private energy companies, harvesting financial documents, personal details of employees, and details about oil and gas drilling activities. In all, about 8.81 GB of data has been exfiltrated over the course of the campaign.

The attack chain starts with a phishing message containing an ISO file (“invite.iso”), which, in turn, contains a Windows shortcut (LNK) that triggers the execution of a hidden binary (“scholar.exe”) present within the mounted optical disk image.

Simultaneously, a lure PDF file that purports to be an invitation letter from the Indian Air Force is displayed to the victim while the malware clandestinely harvests documents and cached web browser data and transmits them to an actor-controlled Slack channel named FlightNight.

The malware is an altered version of HackBrowserData that goes beyond its browser data theft features to incorporate capabilities to siphon documents (Microsoft Office, PDFs, and SQL database files), communicate over Slack, and better evade detection using obfuscation techniques.


It’s suspected that the threat actor stole the decoy PDF during a previous intrusion, with behavioral similarities traced back to a phishing campaign targeting the Indian Air Force with a Go-based stealer called GoStealer.

Details of the activity were disclosed by an Indian security researcher who goes by the alias xelemental (@ElementalX2) in mid-January 2024.

The GoStealer infection sequence is virtually identical to that of FlightNight, employing procurement-themed lures (“SU-30 Aircraft Procurement.iso”) to display a decoy file while the stealer payload is deployed to exfiltrate information of interest over Slack.

By adapting freely available offensive tools and repurposing legitimate infrastructure such as Slack, which is prevalent in enterprise environments, threat actors reduce development time and cost and more easily fly under the radar.

Image source: ElementalX2

The efficiency benefits also mean that it’s that much easier to launch a targeted attack, even allowing less-skilled and aspiring cybercriminals to spring into action and inflict significant damage to organizations.

“Operation FlightNight and the GoStealer campaign highlight a simple yet effective approach by threat actors to use open-source tools for cyber espionage,” Büyükkaya said.

“This underscores the evolving landscape of cyber threats, wherein actors abuse widely used open-source offensive tools and platforms to achieve their objectives with minimal risk of detection and investment.”

Iran-Linked UNC1549 Hackers Target Middle East Aerospace & Defense Sectors
http://www.indiavpn.org/2024/02/28/iran-linked-unc1549-hackers-target-middle-east-aerospace-defense-sectors/
Published Wed, 28 Feb 2024 17:05:19 +0000

Feb 28, 2024 | Newsroom | Cyber Espionage / Malware


An Iran-nexus threat actor known as UNC1549 has been attributed with medium confidence to a new set of attacks targeting aerospace, aviation, and defense industries in the Middle East, including Israel and the U.A.E.

Other targets of the cyber espionage activity likely include Turkey, India, and Albania, Google-owned Mandiant said in a new analysis.

UNC1549 is said to overlap with Smoke Sandstorm (previously Bohrium) and Crimson Sandstorm (previously Curium), the latter of which is an Islamic Revolutionary Guard Corps (IRGC)-affiliated group that is also known as Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc.

“This suspected UNC1549 activity has been active since at least June 2022 and is still ongoing as of February 2024,” the company said. “While regional in nature and focused mostly in the Middle East, the targeting includes entities operating worldwide.”


The attacks entail the use of Microsoft Azure cloud infrastructure for command-and-control (C2) and social engineering involving job-related lures to deliver two backdoors dubbed MINIBIKE and MINIBUS.

The spear-phishing emails are designed to disseminate links to fake websites containing Israel-Hamas related content or phony job offers, resulting in the deployment of a malicious payload. Also observed are bogus login pages mimicking major companies to harvest credentials.

The custom backdoors, upon establishing C2 access, act as a conduit for intelligence collection and for further access into the targeted network. Another tool deployed at this stage is a tunneling software called LIGHTRAIL that communicates using Azure cloud.

While MINIBIKE is written in C++ and capable of file exfiltration, file upload, and command execution, MINIBUS serves as a more “robust successor” with enhanced reconnaissance features.

“The intelligence collected on these entities is of relevance to strategic Iranian interests and may be leveraged for espionage as well as kinetic operations,” Mandiant said.

“The evasion methods deployed in this campaign, namely the tailored job-themed lures combined with the use of cloud infrastructure for C2, may make it challenging for network defenders to prevent, detect, and mitigate this activity.”


CrowdStrike, in its Global Threat Report for 2024, described how “faketivists associated with Iranian state-nexus adversaries and hacktivists branding themselves as ‘pro-Palestinian’ focused on targeting critical infrastructure, Israeli aerial projectile warning systems, and activity intended for information operation purposes in 2023.”

This includes Banished Kitten, which unleashed the BiBi wiper malware, and Vengeful Kitten, an alias for Moses Staff that has claimed data-wiping activity against more than 20 companies’ industrial control systems (ICS) in Israel.

That said, Hamas-linked adversaries have been noticeably absent from conflict-related activity, something the cybersecurity firm has attributed to likely power and internet disruptions in the region.

New Report Reveals North Korean Hackers Targeting Defense Firms Worldwide
http://www.indiavpn.org/2024/02/20/new-report-reveals-north-korean-hackers-targeting-defense-firms-worldwide/
Published Tue, 20 Feb 2024 20:58:35 +0000

Feb 20, 2024 | Newsroom | Hacking / Cyber Espionage


North Korean state-sponsored threat actors have been attributed to a cyber espionage campaign targeting the defense sector across the world.

In a joint advisory published by Germany’s Federal Office for the Protection of the Constitution (BfV) and South Korea’s National Intelligence Service (NIS), the agencies said the goal of the attacks is to plunder advanced defense technologies in a “cost-effective” manner.

“The regime is using the military technologies to modernize and improve the performance of conventional weapons and to develop new strategic weapon systems including ballistic missiles, reconnaissance satellites and submarines,” they noted.

The infamous Lazarus Group has been blamed for one of the two hacking incidents, which involved the use of social engineering to infiltrate the defense sector as part of a long-standing operation called Dream Job. The campaign has been ongoing since August 2020 over several waves.

In these attacks, the threat actors either create a fake profile or leverage legitimate-but-compromised profiles on platforms like LinkedIn to approach prospective targets and build trust with them, before offering lucrative job opportunities and shifting the conversation to a different messaging service like WhatsApp to initiate the recruitment process.


Victims are then sent coding assignments and job offer documents laden with malware that, when launched, activate the infection procedure to compromise their computers.

“Universally, the circumstance that employees usually do not talk to their colleagues or employer about job offers plays into the hands of the attacker,” the agencies said.

“The Lazarus Group changed its tools throughout the campaign and demonstrated more than once that it is capable of developing whatever is necessary to suit the situation.”

The second case concerns an intrusion into a defense research center towards the end of 2022 by executing a software supply chain attack against an unnamed company responsible for maintaining one of the research center’s web servers.

“The cyber actor further infiltrated the research facility by deploying remote-control malware through a patch management system (PMS) of the research center, and stole various account information of business portals and email contents,” the BfV and NIS said.


The breach, which was carried out by another North Korea-based threat actor, unfolded over five stages:

  • Hack into the web server maintenance company, steal SSH credentials, and gain remote access to the research center’s server
  • Download additional malicious tooling using curl commands, including a tunneling software and a Python-based downloader
  • Conduct lateral movement and plunder employee account credentials
  • Leverage the stolen security manager’s account information to unsuccessfully distribute a trojanized update that comes with capabilities to upload and download files, execute code, and collect system information
  • Persist within the target environment by weaponizing a file upload vulnerability in the website to deploy a web shell for remote access and send spear-phishing emails

“The actor avoided carrying out a direct attack against its target, which maintained a high level of security, but rather made an initial attack against its vendor, the maintenance and repair company,” the agencies explained. “This indicates that the actor took advantage of the trustful relationship between the two entities.”


The security bulletin is the second to be published by BfV and NIS in as many years. In March 2023, the agencies warned of Kimsuky actors using rogue browser extensions to steal users’ Gmail inboxes. Kimsuky was sanctioned by the U.S. government in November 2023.

The development comes as blockchain analytics firm Chainalysis revealed that the Lazarus Group has switched to the YoMix bitcoin mixer to launder stolen proceeds following the shutdown of Sinbad late last year, indicating its ability to adapt its modus operandi in response to law enforcement actions.

“Sinbad became a preferred mixer for North Korea-affiliated hackers in 2022, soon after the sanctioning of Tornado Cash, which had previously been the go-to for these sophisticated cybercriminals,” the company said. “With Sinbad out of the picture, Bitcoin-based mixer YoMix has acted as a replacement.”

The malicious activities are the work of a plethora of North Korean hacking units operating under the broad Lazarus umbrella, which are known to engage in an array of hacking operations ranging from cyber espionage to cryptocurrency thefts, ransomware, and supply chain attacks to achieve their strategic goals.

Memcyco’s Real-Time Defense Against Website Spoofing
http://www.indiavpn.org/2023/12/24/memcycos-real-time-defense-against-website-spoofing/
Published Sun, 24 Dec 2023 10:35:30 +0000

Dec 20, 2023 | The Hacker News | Brandjacking / Cyber Threat


Hands-On Review: Memcyco’s Threat Intelligence Solution

Website impersonation, also known as brandjacking or website spoofing, has emerged as a significant threat to online businesses. Malicious actors clone legitimate websites to trick customers, leading to financial scams and data theft, which in turn cause reputation damage and financial losses for both organizations and their customers.

The Growing Threat of Website Impersonation and Brandjacking

Research shows that in 2023 a new phishing site was created every 11 seconds. Typically, even though the company is itself a victim of the spoofing, the customer holds it responsible for the data breach.

Current market solutions rely on threat intelligence tools that search for fake sites and attempt takedowns. However, takedown processes can be time-consuming, leaving fake sites active, and the scope of the attack remains unknown during the critical window of exposure: the time between when the fake site goes up and when it is taken down.

  1. Bad actor researches a business to target and uses the information gathered to create a spoof of the original website.
  2. Organizations’ customers fall into the trap and are conned into sharing personal data.
  3. Companies are unaware and cannot see the scope of the attack. They don’t know who was attacked or the compromised customers’ details.

Exposing the Challenge of Unseen Threats in the World of Website Impersonation

Even though organizations spend millions on threat intelligence solutions to protect their domains and reputations, they only gain visibility into the suspicious domains that are discovered; they have no visibility at all into how many users were attacked, who fell for the scam, or what the potential damage is. Unless customers complain, companies are left in the dark. During that window of exposure to a still-active spoofed site, the company and its customers remain vulnerable, even if the impersonating site has been detected. Now, a new approach is available to the market that addresses this challenge.

A New Perspective: Redefining Protection with Memcyco

Memcyco, a Tel Aviv-based Real-Time Website Spoofing Protection Solution, redefines protection against website impersonation. The solution safeguards customers and organizations from the moment the attack’s window of exposure opens, irrespective of its duration. This article will delve into Memcyco’s Proof of Source Authenticity (PoSA™) solution, offering an in-depth breakdown of its capabilities.

Safeguarding Simplicity with Agentless Installation

To protect websites from spoofing, Memcyco’s solution is easily installed within minutes on the authentic site or its network. Various attack scenarios were tested to evaluate its effectiveness. Let’s get into the findings of their process next.

1. Detecting and Preventing Website Spoofing in Real Time

In order to simulate impersonation attacks on customers we created clones of the protected site using several available “spoof kits”.

We then navigated to the cloned site as if clicking on the fake site URL – the way an innocent customer would do if they got the fake site URL in an email or text message which they trust to be from the real organization.

Immediately upon attempting to load the URL, a warning message appears (shown as a screenshot in the original article).

Simultaneously, the Memcyco console provides Security Operations teams with detailed attack information.

Image source: Memcyco

2. Memcyco’s Proof of Source Authenticity (PoSA™) Technology

Memcyco’s PoSA™ raises alerts over other significant events that may lead up to an attack – such as attempts to build an impersonating website. Such reconnaissance efforts by the bad actor raise the following alert:

Image source: Memcyco

3. Enhancing Digital Trust: Proving The Authenticity Of The Real Site With A Digital Watermark

Memcyco enhances user trust without requiring customers to rely on security checklists in order to determine if the site they are on is fake or real. Memcyco’s product verifies site authenticity by displaying a unique-to-the-user digital watermark to prove the site’s authenticity to customers.

Image source: Memcyco

4. Memorable and Personalized User Authentication

Organizations invest a lot in educating their customers to be on the vigil for scams of this type, essentially trying to turn them into cyber-savvy users who can spot a fake email and site and avoid scams. Memcyco offers a simple solution to this “fake or real” conundrum that doesn’t depend on the user’s ability and willingness to exercise a security checklist every time they access the brand site.

To do so, Memcyco displays a digital watermark that proves the site’s authenticity to customers. Users are provided a unique secret presented within the watermark, and they can personalize this secret for easy recognition, choosing either a text code or an image they can easily recall. The PoSA™ watermark secret is unforgettable and unique to each user. Imposter sites cannot replicate it, ensuring users only see their own code on the authentic site.

Image source: Memcyco

5. Beyond the Surface: Navigating Back-End Dashboard Tools for Attack Visibility

Memcyco’s PoSA™ solution includes back-end dashboard and reporting tools for real-time brand impersonation monitoring and post-mortem attack analysis. A global view of attack locations and counters helps businesses stay informed and provides full visibility into the attack’s magnitude and its details.

Image source: Memcyco

6. Workflow Activation Through Seamless Integration with SIEMs

PoSA™ integrates with SIEMs for workflows like URL takedown and account takeover prevention. Memcyco alerts kick-start these processes.

Memcyco’s Benefits in Defending Against Website Impersonation

  • Less data leakage and privacy issues
  • Fewer financial losses for the company’s customers
  • Lower cost for the company
  • Improved customer retention and engagement
  • Support in keeping up with regulation
  • Protection of brand reputation

Summarizing Memcyco’s Solution for Website Spoofing

Memcyco’s solution goes beyond takedown approaches, actively protecting its customers and their customers during the critical window of exposure. It is an agentless solution that promises to reduce brand reputation damage and protect consumers from scams. With its features and real-time capabilities, Memcyco is a refreshing change when it comes to phishing, website spoofing and ATO (Account Take Over). It redefines website spoofing protection with maximum attack visibility and protection for companies and their customers.

Microsoft Warns of New ‘FalseFont’ Backdoor Targeting the Defense Sector
http://www.indiavpn.org/2023/12/23/microsoft-warns-of-new-falsefont-backdoor-targeting-the-defense-sector/
Published Sat, 23 Dec 2023 20:15:38 +0000

Dec 22, 2023 | Newsroom | Threat Intelligence / Supply Chain Attack


Organizations in the Defense Industrial Base (DIB) sector are in the crosshairs of an Iranian threat actor as part of a campaign designed to deliver a never-before-seen backdoor called FalseFont.

The findings come from Microsoft, which is tracking the activity under its weather-themed moniker Peach Sandstorm (formerly Holmium), which is also known as APT33, Elfin, and Refined Kitten.

“FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its [command-and-control] servers,” the Microsoft Threat Intelligence team said on X (previously Twitter).


The first recorded use of the implant was in early November 2023.

The tech giant further said that the latest development aligns with previous activity from Peach Sandstorm and demonstrates a continued evolution of the threat actor’s tradecraft.

In a report published in September 2023, Microsoft linked the group to password spray attacks carried out against thousands of organizations globally between February and July 2023. The intrusions primarily singled out satellite, defense, and pharmaceutical sectors.

The end goal, the company said, is to facilitate intelligence collection in support of Iranian state interests. Peach Sandstorm is believed to have been active since at least 2013.


The disclosure comes as the Israel National Cyber Directorate (INCD) accused Iran and Hezbollah of unsuccessfully attempting to target Ziv Hospital through hacking crews named Agrius and Lebanese Cedar.

The agency also revealed details of a phishing campaign in which a fake advisory for a security flaw in F5 BIG-IP products is employed as a decoy to deliver wiper malware on Windows and Linux systems.

The lure for the targeted attack is a critical authentication bypass vulnerability (CVE-2023-46747, CVSS score: 9.8) that came to light in late October 2023. The scale of the campaign is currently unknown.
