Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.
The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.
Read more…
Source: Kaspersky
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Kenya reports cyber attacks causing government system outages
July 28, 2023
Cyber attackers targeted a digital platform used by Kenya’s government to deliver services, the country’s technology minister said, highlighting the vulnerabilities of the system. The attack on the e-Citizen platform in recent days caused system outages that left users unable to access a broad range of government services, ranging from passport applications to electricity payments. Some ...
- Anomaly detection in certificate-based TGT requests
July 28, 2023
One of the most complex yet effective methods of gaining unauthorized access to corporate network resources is an attack using forged certificates. Attackers create such certificates to fool the Key Distribution Center (KDC) into granting access to the target company’s network. An example of such an attack is the Shadow Credentials technique, which lets an attacker ...
- California: City of Hayward says computer network restored 2 weeks after cyberattack discovered
July 27, 2023
Officials in the city of Hayward announced that the city’s internal computer network has been restored following a ransomware attack that took systems down earlier this month. In a statement Thursday, city officials said the network was brought back on Tuesday, more than two weeks after the cyberattack was first discovered. “The restored network ties together ...
- CISA and Partners Release Joint Cybersecurity Advisory on Preventing Web Application Access Control Abuse
July 27, 2023
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) are releasing a joint Cybersecurity Advisory (CSA), Preventing Web Application Access Control Abuse, to warn vendors, designers, developers, and end-user organizations of web applications about insecure direct object reference (IDOR) vulnerabilities. These vulnerabilities are ...
- A Tale of Two Cities’ water attacks
July 27, 2023
There have been more than 130 control system cyber incidents in water/wastewater utilities. Like Oldsmar and Discovery Bay, most of these incidents have occurred in small water utilities. Many of these incidents were not publicly disclosed, nor were the utilities required to disclose these incidents. Additionally, some of the real cases that were made public were ...
- Uncovering an Iranian mobile malware campaign
July 27, 2023
During a recent proactive hunt for malicious mobile malware, Sophos X-Ops researchers from SophosLabs discovered a group of four credential-harvesting apps targeting customers of several Iranian banks. Most of the apps are signed using the same – possibly stolen – certificate, and share various classes and strings. The apps target the following banks: Bank Mellat Bank Saderat Resalat ...

