Advanced Persistent Threat


NEWS 
  • Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11

    February 22, 2021

    Researchers have identified a set of threat actors (dubbed UNC2546 and UNC2582) with connections to the FIN11 and the Clop ransomware gang as the cybercriminal group behind the global zero-day attacks on users of the Accellion legacy File Transfer Appliance product. Multiple Accellion FTA customers, including the Jones Day Law Firm, Kroger and Singtel, have all ...

  • Chinese hackers cloned attack tool belonging to NSA’s Equation Group

    February 22, 2021

    Chinese threat actors “cloned” and used a Windows zero-day exploit stolen from the NSA’s Equation Group for years before the privilege escalation flaw was patched, researchers say. On Monday, Check Point Research (CPR) said the tool was a “clone” of software developed by the US National Security Agency (NSA)’s Equation Group, identified by FireEye in 2015 ...

  • IronNetInjector: Turla’s New Malware Loading Tool

    February 19, 2021

    In recent years, more and more ready-made malware is released on software development hosting sites available for everybody to use – including threat actors. This not only saves the bad guys development time, but also makes it much easier for them to find new ideas to prevent detection of their malware. Unit 42 researchers have found ...

  • U.S. Accuses North Korean Hackers of Stealing Millions

    February 17, 2021

    The U.S. Department of Justice has indicted three North Korean computer programmers for their alleged participation in widespread, destructive cyberattacks as part of the advanced persistent threat (APT) known as Lazarus Group. The indictment broadens the scope of crimes that the DoJ has linked to Lazarus Group (and by extension, to North Korea). The feds also ...

  • France links Russian Sandworm hackers to hosting provider attacks

    February 15, 2021

    The French national cyber-security agency has linked a series of attacks that resulted in the breach of multiple French IT providers over a span of four years to the Russian-backed Sandworm hacking group. ANSSI (short for Agence Nationale de la Sécurité des Systèmes d’Information) has not been able to determine how the servers were compromised. Therefore, it ...

  • Android spyware strains linked to state-sponsored Confucius threat group

    February 11, 2021

    Two variants of Android spyware connected to pro-India, state-sponsored hacking campaigns have been discovered. On Tuesday, cybersecurity firm Lookout said that two malware strains, dubbed Hornbill and SunBird, have been linked to Confucius, an advanced persistent threat (APT) group thought to be state-sponsored and to have pro-India ties. First detected in 2013, Confucius has been linked to ...

  • BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech

    February 9, 2021

    Highly malleable, highly sophisticated and over 10,000 bytes of machine code. This is what Unit 42 researchers were met with during code analysis of this “bear” of a file. The code behavior and features strongly correlate with that of the WaterBear malware family, which has been active since as early as 2009. Analysis by Trend ...

  • Hacking group also used an IE zero-day against security researchers

    February 4, 2021

    An Internet Explorer zero-day vulnerability has been discovered used in recent North Korean attacks against security and vulnerability researchers. Last month, Google disclosed that the North Korean state-sponsored hacking group known as Lazarus was conducting social engineering attacks against security researchers. To perform their attacks, the threat actors created elaborate online ‘security researcher’ personas that would then ...

  • CISA Issues Supply Chain Compromise Alert, Forms Coordination Group with Other Government Agencies

    January 21, 2021

    The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert regarding an advanced persistent threat (APT) compromising government agencies, critical infrastructures, and private sector organizations. According to CISA, the APT actor is accountable for the compromise of the SolarWinds Orion supply chain. The actor is also responsible for the abuse of commonly used authentication mechanisms. ...

  • Raindrop Backdoor: New Malware Discovered in SolarWinds Investigation

    January 20, 2021

    Symantec, a division of Broadcom, has uncovered an additional piece of malware used in the SolarWinds attacks which was used against a select number of victims that were of interest to the attackers. Raindrop (Backdoor.Raindrop) is a loader which delivers a payload of Cobalt Strike. Raindrop is very similar to the already documented Teardrop tool, but ...

  • XDR investigation uncovers PlugX, unique technique in APT attack

    January 20, 2021

    Advanced persistent threats (APT) are known — and are universally dreaded — for their stealth. Actors behind such attacks actively innovate their techniques to evade detection and ensure that they maintain a foothold inside an environment as long as possible. Through the Apex One with Endpoint Sensor (iES), we discovered one such incident wherein an ...

  • Sophisticated Hacks Against Android, Windows Reveal Zero-Day Trove

    January 13, 2021

    Google researchers have detailed a major hacking campaign that was detected in early 2020, which mounted a series of sophisticated attacks, some using zero-day flaws, against Windows and Android platforms. Working together, researchers from Google Project Zero and the Google Threat Analysis Group (TAG) uncovered the attacks, which were “performed by a highly sophisticated actor,” Ryan ...

  • Sunburst backdoor – code overlaps with Kazuar

    January 11, 2021

    On December 13, 2020, FireEye published a blog post detailing a supply chain attack leveraging Orion IT, an infrastructure monitoring and management platform by SolarWinds. In parallel, Volexity published an article with their analysis of related attacks, attributed to an actor named “Dark Halo”. FireEye did not link this activity to any known actor; instead, ...

  • Adversary Infrastructure Report 2020: A Defender’s View

    January 8, 2021

    Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware frameworks, and open-source remote access trojans. The effort has been ongoing since 2017, when Insikt Group created methodologies to identify the deployments of open-source remote access trojans (RATs). Recorded Future collected over 10,000 unique command and control ...

  • North Korean hackers launch RokRat Trojan in campaigns against the South

    January 7, 2021

    A North Korean hacking group is utilizing the RokRat Trojan in a fresh wave of campaigns against the South Korean government. The Remote Access Trojan (RAT) has been connected to attacks based on the exploit of a Korean language word processor commonly used in South Korea for several years; specifically, the compromise of Hangul Office documents ...

  • Major Gaming Companies Hit with Ransomware Linked to APT27

    January 5, 2021

    A recent slew of related ransomware attacks on top videogame companies has been associated with the notorious Chinese-linked APT27 threat group, suggesting that the advanced persistent threat (APT) is swapping up its historically espionage centralized tactics to adopt ransomware, a new report says. Researchers noticed the “strong links” to APT27 when they were brought in as ...

  • Lazarus covets COVID-19-related intelligence

    December 23, 2020

    As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that actors, such as the Lazarus group, are going after intelligence that could help these efforts by attacking entities related to COVID-19 research. While tracking the Lazarus group’s continuous campaigns targeting various ...

  • Sunburst: connecting the dots in the DNS requests

    December 19, 2020

    On December 13, 2020 FireEye published important details of a newly discovered supply chain attack. An unknown attacker, referred to as UNC2452 or DarkHalo planted a backdoor in the SolarWinds Orion IT software. This backdoor, which comes in the form of a .NET module, has some really interesting and rather unique features. We spent the past ...

  • Microsoft Caught Up in SolarWinds Spy Effort, Joining Federal Agencies

    December 18, 2020

    Microsoft has become the latest victim of the ever-widening SolarWinds-driven cyberattack that has impacted rafts of federal agencies and tech targets. Its president, Brad Smith, warned late Thursday to expect many more victims to come to light as investigations continue. Adversaries were able to use SolarWinds’ Orion network management platform to infect users with a stealth ...

  • SUPERNOVA: SolarStorm’s Novel .NET Webshell

    December 17, 2020

    The SolarStorm actors behind the supply chain attack on SolarWinds’ Orion software have demonstrated a high degree of technical sophistication and attention to operational security, as well as a novel combination of techniques in the potential compromise of approximately 18,000 SolarWinds customers. As published in the original disclosure, the attackers were observed removing their initial ...