Hacking – INDIA NEWS (https://www.indiavpn.org)

Finland Blames Chinese Hacking Group APT31 for Parliament Cyber Attack

Mar 28, 2024 | Newsroom | Cyber Espionage / Malware

The Police of Finland (aka Poliisi) has formally accused a Chinese nation-state actor tracked as APT31 of orchestrating a cyber attack targeting the country’s Parliament in 2020.

The intrusion, per the authorities, is said to have occurred between fall 2020 and early 2021. The agency described the ongoing criminal probe as both demanding and time-consuming, involving extensive analysis of a “complex criminal infrastructure.”

The breach was first disclosed in December 2020, with the Finnish Security and Intelligence Service (Supo) describing it as a state-backed cyber espionage operation designed to penetrate the Parliament’s information systems.

“The police have previously informed that they are investigating the hacking group APT31’s connections with the incident,” Poliisi said. “These connections have now been confirmed by the investigation, and the police have also identified one suspect.”

APT31, also called Altaire, Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium), is a Chinese state-backed group that has been active since at least 2010.

Earlier this week, the U.K. and the U.S. blamed the adversarial collective for engaging in a widespread cyber espionage campaign targeting businesses, government officials, dissidents, and politicians.

Seven operatives associated with the group have been charged in the U.S. for their involvement in the hacking spree. Two of them – Ni Gaobin and Zhao Guangzong – have been sanctioned by the two nations, alongside a company named Wuhan XRZ, which allegedly served as a cover for orchestrating cyber attacks against critical infrastructure.

“Guangzong is a Chinese national who has conducted numerous malicious cyber operations against U.S. victims as a contractor for Wuhan XRZ,” the U.S. Treasury said. “Ni Gaobin assisted Zhao Guangzong in many of his most high profile malicious cyber activities while Zhao Guangzong was a contractor at Wuhan XRZ.”

In July 2021, the U.S. and its allies implicated APT31 in a widespread campaign exploiting zero-day security flaws in Microsoft Exchange servers with the goal of likely “acquiring personally identifiable information and intellectual property.”

China, however, has hit back against the accusations that it’s behind the hacking campaign targeting the West. It has accused the Five Eyes (FVEY) alliance of spreading “disinformation about the threats posed by the so-called ‘Chinese hackers.'”

“We urge the U.S. and the U.K. to stop politicizing cybersecurity issues, stop smearing China and imposing unilateral sanctions on China, and stop cyberattacks against China,” China’s Foreign Ministry Spokesperson Lin Jian said. “China will take necessary measures to firmly safeguard its lawful rights and interests.”

New Python-based FBot Hacking Toolkit Aims at Cloud and SaaS Platforms

Jan 11, 2024 | Newsroom | Cloud Security / Cyber Attacks

A new Python-based hacking tool called FBot has been uncovered targeting web servers, cloud services, content management systems (CMS), and SaaS platforms such as Amazon Web Services (AWS), Microsoft 365, PayPal, Sendgrid, and Twilio.

“Key features include credential harvesting for spamming attacks, AWS account hijacking tools, and functions to enable attacks against PayPal and various SaaS accounts,” SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.

FBot is the latest addition to the list of cloud hacking tools like AlienFox, GreenBot (aka Maintance), Legion, and Predator, all four of which share code-level overlaps with AndroxGh0st.

SentinelOne described FBot as “related but distinct from these families,” owing to the fact that it does not reference any source code from AndroxGh0st, although it exhibits similarities with Legion, which first came to light last year.

The end goal of the tool is to hijack cloud, SaaS, and web services as well as harvest credentials to obtain initial access and monetize it by selling the access to other actors.

FBot, in addition to generating API keys for AWS and Sendgrid, packs an assortment of features to generate random IP addresses, run reverse IP scanners, and even validate PayPal accounts and the email addresses associated with those accounts.

“The script initiates the Paypal API request via the website hxxps://www.robertkalinkin.com/index.php, which is a Lithuanian fashion designer’s retail sales website,” Delamotte noted. “Interestingly, all identified FBot samples use this website to authenticate the Paypal API requests, and several Legion Stealer samples do as well.”

On top of that, FBot packs in AWS-specific features to check for AWS Simple Email Service (SES) email configuration details and determine the targeted account’s EC2 service quotas. The Twilio-related functionality, likewise, is utilized to gather specifics about the account, namely the balance, currency, and phone numbers connected to the account.

The features don’t end there, for the malware is also capable of extracting credentials from Laravel environment files.

The cybersecurity firm said it uncovered samples starting from July 2022 to as recently as this month, suggesting that it is being actively used in the wild. That said, it’s currently not known if the tool is actively maintained and how it’s distributed to other players.

“We found indications that FBot is the product of private development work, so contemporary builds may be distributed through a smaller scale operation,” Delamotte said.

“This aligns with the theme of cloud attack tools being bespoke ‘private bots’ tailored for the individual buyer, which is a theme prevalent among AlienFox builds.”
