Category cyber-attacks

Large-Scale Campaign Exploits Kubernetes RBAC for Cryptocurrency Mining

In a recently uncovered attack campaign, Kubernetes (K8s) Role-Based Access Control (RBAC) vulnerabilities have been exploited to establish backdoors and deploy cryptocurrency miners. Cloud security firm Aqua reported that attackers utilized DaemonSets to commandeer resources within targeted K8s clusters. Dubbed “RBAC Buster,” the campaign has reportedly infiltrated 60 unprotected K8s clusters. The attack began with the exploitation of a misconfigured API server, followed by a search for competing miner malware, and the establishment of persistence through RBAC adjustments. Aqua noted that the attacker created a new ClusterRole with almost admin-level permissions and set up a ‘ServiceAccount’ named ‘kube-controller’ in the ‘kube-system’ namespace.

Kubernetes RBAC Vulnerability Exploited in Major Cryptocurrency Mining Campaign On April 21, 2023, cybersecurity firm Aqua reported a large-scale attack exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to establish backdoors and execute cryptocurrency mining operations. This operation, named “RBAC Buster,” has targeted numerous Kubernetes clusters, leveraging misconfigurations to gain unauthorized…

Read More

Large-Scale Campaign Exploits Kubernetes RBAC for Cryptocurrency Mining

In a recently uncovered attack campaign, Kubernetes (K8s) Role-Based Access Control (RBAC) vulnerabilities have been exploited to establish backdoors and deploy cryptocurrency miners. Cloud security firm Aqua reported that attackers utilized DaemonSets to commandeer resources within targeted K8s clusters. Dubbed “RBAC Buster,” the campaign has reportedly infiltrated 60 unprotected K8s clusters. The attack began with the exploitation of a misconfigured API server, followed by a search for competing miner malware, and the establishment of persistence through RBAC adjustments. Aqua noted that the attacker created a new ClusterRole with almost admin-level permissions and set up a ‘ServiceAccount’ named ‘kube-controller’ in the ‘kube-system’ namespace.

Paperbug Exploit: New Politically-Driven Surveillance Initiative in Tajikistan

On April 27, 2023, a relatively obscure Russian-speaking cyber-espionage group has been identified as the orchestrator of a new politically motivated surveillance initiative targeting senior government officials, telecom services, and public infrastructure in Tajikistan. The operation, named Paperbug by the Swiss cybersecurity firm PRODAFT, has been linked to a threat actor known as Nomadic Octopus (also referred to as DustSquad). According to PRODAFT’s comprehensive technical report shared with The Hacker News, “The types of compromised machines range from individual computers to operational technology devices. These targets render ‘Operation Paperbug’ intelligence-driven.” While the ultimate motives behind the attacks are still uncertain, the cybersecurity firm has suggested the possibility of involvement from domestic opposition groups or an intelligence-gathering effort conducted by Russia or China. Nomadic Octopus first gained attention in October 2018.

Paperbug Attack: Emerging Politically-Driven Surveillance Campaign in Tajikistan April 27, 2023 A relatively obscure Russian-speaking cyber-espionage group has been implicated in a politically-motivated surveillance campaign aimed at high-ranking government officials and critical infrastructure in Tajikistan. This operation, referred to as “Paperbug” by Swiss cybersecurity firm PRODAFT, is linked to a…

Read More

Paperbug Exploit: New Politically-Driven Surveillance Initiative in Tajikistan

On April 27, 2023, a relatively obscure Russian-speaking cyber-espionage group has been identified as the orchestrator of a new politically motivated surveillance initiative targeting senior government officials, telecom services, and public infrastructure in Tajikistan. The operation, named Paperbug by the Swiss cybersecurity firm PRODAFT, has been linked to a threat actor known as Nomadic Octopus (also referred to as DustSquad). According to PRODAFT’s comprehensive technical report shared with The Hacker News, “The types of compromised machines range from individual computers to operational technology devices. These targets render ‘Operation Paperbug’ intelligence-driven.” While the ultimate motives behind the attacks are still uncertain, the cybersecurity firm has suggested the possibility of involvement from domestic opposition groups or an intelligence-gathering effort conducted by Russia or China. Nomadic Octopus first gained attention in October 2018.

Tonto Team Exploits Anti-Malware File to Attack South Korean Institutions

April 28, 2023
Malware / Cyber Threat

Recent attacks by the China-aligned threat actor known as the Tonto Team have targeted South Korean education, construction, diplomatic, and political institutions. The AhnLab Security Emergency Response Center (ASEC) reported that the group is utilizing a file associated with anti-malware products to carry out their malicious activities. Active since at least 2009, Tonto Team has a history of attacks across various sectors in Asia and Eastern Europe. Earlier this year, they were linked to an unsuccessful phishing attempt on the cybersecurity firm Group-IB. According to ASEC, the attack begins with a Microsoft Compiled HTML Help (.CHM) file that runs a binary to side-load a malicious DLL (slc.dll) and deploy the ReVBShell backdoor, an open-source VBScript tool also used by another Chinese threat actor, Tick.

Emerging Cyber Attacks: Tonto Team Targets South Korean Institutions with Unusual Tactics April 28, 2023 In a notable escalation of cyber threats, South Korean institutions across several critical sectors—namely education, construction, diplomacy, and politics—are facing fresh attacks attributed to a China-aligned threat group known as the Tonto Team. A report…

Read More

Tonto Team Exploits Anti-Malware File to Attack South Korean Institutions

April 28, 2023
Malware / Cyber Threat

Recent attacks by the China-aligned threat actor known as the Tonto Team have targeted South Korean education, construction, diplomatic, and political institutions. The AhnLab Security Emergency Response Center (ASEC) reported that the group is utilizing a file associated with anti-malware products to carry out their malicious activities. Active since at least 2009, Tonto Team has a history of attacks across various sectors in Asia and Eastern Europe. Earlier this year, they were linked to an unsuccessful phishing attempt on the cybersecurity firm Group-IB. According to ASEC, the attack begins with a Microsoft Compiled HTML Help (.CHM) file that runs a binary to side-load a malicious DLL (slc.dll) and deploy the ReVBShell backdoor, an open-source VBScript tool also used by another Chinese threat actor, Tick.

Meta Exposes Extensive Cyber Espionage Campaigns on Social Media in South Asia

May 04, 2023
Social Media / Cyber Risk

Three distinct threat actors exploited countless elaborate fake profiles on Facebook and Instagram to conduct targeted attacks against individuals in South Asia. “These advanced persistent threats (APTs) relied heavily on social engineering tactics to deceive users into clicking malicious links, downloading malware, or sharing sensitive information online,” stated Guy Rosen, Meta’s chief information security officer. “This focus on social engineering reduced their need to invest heavily in malware development.” The counterfeit accounts utilized traditional tactics, pretending to be romantic interests, recruiters, journalists, or military personnel. Notably, two cyber espionage initiatives involved low-sophistication malware, likely attempting to evade app verification measures from Apple and Google. Meta’s findings revealed…

Meta Uncovers Extensive Cyber Espionage Campaigns Targeting South Asia On May 4, 2023, Meta revealed the discovery of a significant cyber espionage operation involving multiple threat actors utilizing a network of fraudulent identities on Facebook and Instagram. These campaigns aimed at individuals across South Asia, deploying a variety of deceptive…

Read More

Meta Exposes Extensive Cyber Espionage Campaigns on Social Media in South Asia

May 04, 2023
Social Media / Cyber Risk

Three distinct threat actors exploited countless elaborate fake profiles on Facebook and Instagram to conduct targeted attacks against individuals in South Asia. “These advanced persistent threats (APTs) relied heavily on social engineering tactics to deceive users into clicking malicious links, downloading malware, or sharing sensitive information online,” stated Guy Rosen, Meta’s chief information security officer. “This focus on social engineering reduced their need to invest heavily in malware development.” The counterfeit accounts utilized traditional tactics, pretending to be romantic interests, recruiters, journalists, or military personnel. Notably, two cyber espionage initiatives involved low-sophistication malware, likely attempting to evade app verification measures from Apple and Google. Meta’s findings revealed…

U.S. Government Dismantles Russia’s Advanced Snake Cyber Espionage Tool

May 10, 2023
Cyber Espionage / Cyber Attack

On Tuesday, the U.S. government announced the successful court-authorized disruption of a global network compromised by an advanced malware strain known as Snake, utilized by Russia’s Federal Security Service (FSB). Referred to as the “most sophisticated cyber espionage tool,” Snake is attributed to the Russian state-sponsored group Turla (also known as Iron Hunter, Secret Blizzard, SUMMIT, Uroburos, Venomous Bear, and Waterbug), connected to a unit within Center 16 of the FSB. This threat actor has historically targeted entities in Europe, the Commonwealth of Independent States (CIS), and NATO-affiliated countries, with recent efforts expanding into Middle Eastern nations viewed as threats to Russian-supported interests in the region. “For nearly 20 years, this unit […] has leveraged versions of the Snake malware to steal sensitive documents from hundreds of computer systems in at least 50 countries…”

U.S. Government Disrupts Advanced Russian Cyber Espionage Network On May 10, 2023, the U.S. government announced it had successfully disrupted a sophisticated cyber espionage network tied to an advanced malware strain known as Snake. This operation was carried out with court authorization and targeted a global network compromised by this…

Read More

U.S. Government Dismantles Russia’s Advanced Snake Cyber Espionage Tool

May 10, 2023
Cyber Espionage / Cyber Attack

On Tuesday, the U.S. government announced the successful court-authorized disruption of a global network compromised by an advanced malware strain known as Snake, utilized by Russia’s Federal Security Service (FSB). Referred to as the “most sophisticated cyber espionage tool,” Snake is attributed to the Russian state-sponsored group Turla (also known as Iron Hunter, Secret Blizzard, SUMMIT, Uroburos, Venomous Bear, and Waterbug), connected to a unit within Center 16 of the FSB. This threat actor has historically targeted entities in Europe, the Commonwealth of Independent States (CIS), and NATO-affiliated countries, with recent efforts expanding into Middle Eastern nations viewed as threats to Russian-supported interests in the region. “For nearly 20 years, this unit […] has leveraged versions of the Snake malware to steal sensitive documents from hundreds of computer systems in at least 50 countries…”

Advanced DownEx Malware Campaign Targets Central Asian Governments

May 10, 2023
Malware / Cyber Attack

Central Asian government entities are under threat from a sophisticated espionage operation utilizing a previously unidentified strain of malware known as DownEx. In a report shared with The Hacker News, cybersecurity firm Bitdefender indicated that the malicious activities are ongoing, with indications pointing towards involvement from Russia-based threat actors. The malware was first detected in a highly targeted assault on foreign government institutions in Kazakhstan in late 2022, followed by an attack in Afghanistan. The use of a diplomat-themed lure document and the campaign’s emphasis on data exfiltration imply the actions of a state-sponsored group, although the exact identity of the hacking organization remains unclear. The campaign’s initial breach method appears to involve spear-phishing emails containing a malicious payload disguised as a Microsoft Word file.

Sophisticated DownEx Malware Campaign Targets Central Asian Governments A newly identified malware campaign, known as DownEx, is targeting government institutions in Central Asia, raising significant concerns within the cybersecurity community. According to a recent report by Bitdefender, the ongoing campaign indicates strong ties to threat actors operating from Russia. This…

Read More

Advanced DownEx Malware Campaign Targets Central Asian Governments

May 10, 2023
Malware / Cyber Attack

Central Asian government entities are under threat from a sophisticated espionage operation utilizing a previously unidentified strain of malware known as DownEx. In a report shared with The Hacker News, cybersecurity firm Bitdefender indicated that the malicious activities are ongoing, with indications pointing towards involvement from Russia-based threat actors. The malware was first detected in a highly targeted assault on foreign government institutions in Kazakhstan in late 2022, followed by an attack in Afghanistan. The use of a diplomat-themed lure document and the campaign’s emphasis on data exfiltration imply the actions of a state-sponsored group, although the exact identity of the hacking organization remains unclear. The campaign’s initial breach method appears to involve spear-phishing emails containing a malicious payload disguised as a Microsoft Word file.

Researchers Discover Advanced Backdoor and Custom Implant in Year-Long Cyber Operation

May 15, 2023
Cyber Threat / Malware

A fresh cyber threat has emerged, targeting government, aviation, education, and telecom sectors across South and Southeast Asia. This campaign, linked to a newly identified hacking group, began in mid-2022 and extended into early 2023. Symantec, a division of Broadcom Software, has dubbed this activity “Lancefly,” identifying a sophisticated backdoor known as Merdoor. Investigation reveals that this custom implant may have been in use as early as 2018. The campaign’s objectives appear to focus on intelligence gathering, given the tools employed and the specific targets chosen. According to Symantec’s analysis shared with The Hacker News, “The backdoor is deployed very selectively, impacting only a limited number of networks and devices over the years, indicating a highly targeted approach.” Additionally, the attackers appear to possess an updated version of the ZXShell rootkit.

Researchers Identify Sophisticated Backdoor and Custom Implant Amid Extended Cyber Campaign May 15, 2023 A newly identified hacking group has executed a sustained cyber campaign impacting key sectors including government, aviation, education, and telecommunications across South and Southeast Asia. This operation, which began in mid-2022 and persisted into early 2023,…

Read More

Researchers Discover Advanced Backdoor and Custom Implant in Year-Long Cyber Operation

May 15, 2023
Cyber Threat / Malware

A fresh cyber threat has emerged, targeting government, aviation, education, and telecom sectors across South and Southeast Asia. This campaign, linked to a newly identified hacking group, began in mid-2022 and extended into early 2023. Symantec, a division of Broadcom Software, has dubbed this activity “Lancefly,” identifying a sophisticated backdoor known as Merdoor. Investigation reveals that this custom implant may have been in use as early as 2018. The campaign’s objectives appear to focus on intelligence gathering, given the tools employed and the specific targets chosen. According to Symantec’s analysis shared with The Hacker News, “The backdoor is deployed very selectively, impacting only a limited number of networks and devices over the years, indicating a highly targeted approach.” Additionally, the attackers appear to possess an updated version of the ZXShell rootkit.

Mustang Panda Hackers from China Target TP-Link Routers for Ongoing Attacks

May 16, 2023
Network Security / Threat Intelligence

The Chinese state-sponsored group known as Mustang Panda has been connected to a series of sophisticated, targeted attacks aimed at European foreign affairs entities since January 2023. According to researchers Itay Cohen and Radoslaw Madej from Check Point, these intrusions involve a custom firmware implant specifically designed for TP-Link routers. This implant includes several malicious components, featuring a custom backdoor dubbed “Horse Shell” that allows attackers to maintain persistent access, establish anonymous infrastructure, and facilitate lateral movement within compromised networks. Furthermore, the implant’s firmware-agnostic design enables its components to be integrated into various firmware from different vendors. The Israeli cybersecurity firm is monitoring this threat group, also known as Camaro Dragon, along with other aliases such as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich.

Mustang Panda Hackers Target European Foreign Affairs with TP-Link Router Exploit On May 16, 2023, it was reported that the Chinese state-sponsored hacking group, known as Mustang Panda, has orchestrated a series of sophisticated and targeted attacks against European foreign affairs organizations since January 2023. This alarming development highlights the…

Read More

Mustang Panda Hackers from China Target TP-Link Routers for Ongoing Attacks

May 16, 2023
Network Security / Threat Intelligence

The Chinese state-sponsored group known as Mustang Panda has been connected to a series of sophisticated, targeted attacks aimed at European foreign affairs entities since January 2023. According to researchers Itay Cohen and Radoslaw Madej from Check Point, these intrusions involve a custom firmware implant specifically designed for TP-Link routers. This implant includes several malicious components, featuring a custom backdoor dubbed “Horse Shell” that allows attackers to maintain persistent access, establish anonymous infrastructure, and facilitate lateral movement within compromised networks. Furthermore, the implant’s firmware-agnostic design enables its components to be integrated into various firmware from different vendors. The Israeli cybersecurity firm is monitoring this threat group, also known as Camaro Dragon, along with other aliases such as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich.