China-Aligned MirrorFace Hackers Lure EU Diplomats with World Expo 2025 Scheme

Date: Nov 07, 2024
Category: Threat Intelligence / Cyber Espionage

The China-aligned hacking group MirrorFace has, for the first time, targeted a diplomatic organization within the European Union. According to ESET's APT Activity Report for April to September 2024, the attackers used the upcoming World Expo 2025 in Osaka, Japan, as the lure. The incident shows that while the group's geographic focus is widening, MirrorFace still anchors its lures to Japan and Japan-related events. Also tracked as Earth Kasha, MirrorFace is assessed to be part of the broader APT10 umbrella, which includes other clusters such as Earth Tengshe and Bronze Starlight. The group has conducted cyber espionage against Japanese organizations since at least 2019 and expanded in 2023 to targets in Taiwan and India. Its malware toolset has advanced considerably over that period, and it remains an active threat.

China-Aligned MirrorFace Hackers Target EU Diplomats with World Expo 2025 Bait

On November 7, 2024, ESET researchers reported that the China-aligned hacking group MirrorFace has targeted a diplomatic organization within the European Union. This is a noteworthy expansion for a group that has focused its operations on Japanese entities since at least 2019.

The threat actor used the upcoming World Expo 2025 in Osaka, Japan, as the lure, keeping its long-standing Japan theme even as it reached into a new region. According to ESET's APT Activity Report covering April to September 2024, the choice of a globally recognized event gave the pretext credibility with the diplomatic targets.

MirrorFace, also tracked as Earth Kasha, is assessed to belong to the APT10 umbrella group, which encompasses other clusters including Earth Tengshe and Bronze Starlight. Its tooling and methods have evolved over time, and recent campaigns have widened its targeting to include Taiwan and India as of early 2023.

This article does not detail the intrusion chain, so the following mapping to the MITRE ATT&CK framework is inference from the lure rather than confirmed tradecraft. Initial access (TA0001) was most plausibly obtained through phishing, with the approaching Expo providing a credible pretext for the message. A persistence mechanism (TA0003) would be needed to keep access to compromised hosts long enough to collect intelligence over a sustained period, and privilege escalation (TA0004) would extend the attackers' reach to more sensitive systems within the organization. Defenders should look for the later stages in their own telemetry rather than assume them from the lure alone.

The incident is a reminder that diplomatic organizations, and the businesses that work with them, should treat high-profile international events as likely phishing themes. Beyond keeping systems patched and monitored, organizations should train staff to recognize event-themed social engineering, since state-aligned espionage groups, not only cybercriminals, use such hooks.

MirrorFace's latest activity sits at the intersection of geopolitical interests and cyber espionage, and it raises the risk for diplomats and organizations within the EU. Public- and private-sector defenders alike need to anticipate state-aligned groups expanding beyond their historical target sets, and the MirrorFace developments show why threat intelligence and defensive strategy must track how these groups change.
