New malware from SolarWinds hackers emerges
The threat actor is yet another example of an ever-evolving threat
Advanced persistent threat (APT) actors rarely simply stop operations when their malware and techniques get publicly exposed. They regroup, refresh their toolkits, and resume operations once the spotlight has moved away from them. Such appears to be the case with the Russian-government-affiliated threat actor behind the supply chain attack on SolarWinds in 2020.
Microsoft called the hacking group “skillful and methodic operators who follow operations security (OpSec) best practices.”
The group, known as Nobelium (aka StellarParticle), has been linked to two new pieces of malware that cybersecurity firm CrowdStrike said were deployed against targets in mid-2019, once again reaffirming the threat actor's capability to adapt, to keep changing shape, and to stay undetected for years.
What’s trending in security?
🔎 The NSO Group fallout continues. According to reports from The Guardian and The Washington Post, a whistleblower has accused the Pegasus spyware-maker of offering “bags of cash” to security company Mobileum in exchange for access to cellular networks in 2017. The allegations were made by former Mobileum VP Gary Miller.
What’s more, the U.S. Federal Bureau of Investigation confirmed to the Post that it had a license to use the spyware (under the name Phantom) and that it tested out the software’s capabilities. However, the agency added that it used the product “for product testing and evaluation only,” and never used it operationally or to support any investigation.
It's worth noting that NSO Group has repeatedly reiterated that Pegasus cannot be used on phone numbers with a +1 country code and is only allowed to be used in countries outside the U.S. [The Guardian / The Washington Post]
🌐 Researchers found an unconventional method to fingerprint systems that enables users to be tracked down through the graphics cards used on their devices. The method, dubbed DrawnApart, relies on the minute differences between hardware components to generate a fingerprint trace that extends the tracking time of state-of-the-art techniques by 67%. [The Hacker News / AmIUnique]
📨 A new campaign named OiVaVoii has been found targeting company executives and general managers with malicious OAuth apps and custom phishing lures sent from hijacked Office 365 accounts. The impact of executive account takeovers ranges from lateral movement on the network and insider phishing to deploying ransomware and business email compromise incidents. [Proofpoint]
💵 BlackCat ransomware attacks have claimed victims in the U.S., Europe, and the Philippines since surfacing in mid-November 2021, spanning the construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components, and pharmaceuticals sectors.
BlackCat is also one of the first pieces of ransomware written in the Rust programming language. “By leveraging this programming language, the malware authors are able to easily compile it against various operating system architectures,” the researchers said. “Given its numerous native options, Rust is highly customizable, which facilitates the ability to pivot and individualize attacks.”
In a related development, the BlackCat ransomware gang, also known as ALPHV, confirmed they are former members of the notorious BlackMatter/DarkSide ransomware operation. [Unit 42 / The Record]
🚨 Infrastructure overlaps have been found between APT35, one of Iran's most active cyber espionage groups, and Memento, a ransomware strain that was deployed on corporate networks towards the end of last year. The ransomware is notable for a failsafe mechanism that locks files inside password-protected WinRAR archives if the main file encryption operation fails. [The Hacker News]
⛔ A new Mars Stealer has appeared in the wild, and all indications point to it being a redesign of the Oski malware that shut down development abruptly in the summer of 2020. Mars Stealer is an information-stealing malware that steals data from all popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets. [Bleeping Computer]
📄 A hacking group from Russia, known as Gamaredon, is stepping up its attacks in Ukraine and has been caught trying to breach a Western government outfit located in the country. The initial attack vector is a little unusual: rather than sending a typical phishing email, the attackers used a local employment portal and uploaded a malware-laced resume for an active job listing with the Western entity. [The Hacker News]
🛡️ Microsoft said "from January 2021 through December 2021, we've blocked more than 25.6 billion Azure AD brute force authentication attacks and intercepted 35.7 billion phishing emails." It also blocked more than 9.6 billion malware threats targeting enterprise and consumer customer devices. [Microsoft]
⚡ A pseudonymous hacker, known only as P4X, has taken credit for orchestrating a series of mysterious internet outages targeting North Korea last month. The cyber vigilante claimed he took the action after he was targeted by the Lazarus Group hackers in 2021. [WIRED]
⚠️ Malware targeting Linux-based operating systems, commonly deployed in Internet of Things (IoT) devices, increased by 35% in 2021 compared to 2020, according to telemetry data from CrowdStrike, with the top three malware families — XorDDoS, Mirai, and Mozi — accounting for 22% of all Linux-based IoT malware in 2021. [CrowdStrike]
🔓 A growing class of phishing kits known as reverse proxy kits are being used to get past multi-factor authentication using man-in-the-middle (MitM) attacks. The findings come months after researchers demonstrated a tool called PHOCA to identify MitM phishing kits in the wild. [Proofpoint / The Hacker News]
📱 The first ever instance of a smishing campaign targeting iPhone devices was discovered in Japan. As part of the attacks, users were lured into accessing a malicious link sent via SMS, resulting in their devices being infected with TianySpy credential stealing malware. [Trend Micro]
🗄️ The past week in data breaches, leaks, and ransomware: British Council, KP Snacks, Marquard & Bahls, News Corp, Securitas, Swissport, and Wormhole.
Tips, Comments, Ideas?
Send them my way by replying to this email.
Thanks again for reading. See you in the next edition!