ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Lenovo laptops vulnerable to bug allowing admin privileges

    December 16, 2021

    Lenovo laptops, including ThinkPad and Yoga models, are vulnerable to a privilege elevation bug in the ImControllerService service allowing attackers to execute commands with admin privileges. The flaws are tracked as CVE-2021-3922 and CVE-2021-3969 and affect the ImControllerService component of all Lenovo System Interface Foundation versions below 1.1.20.3. When viewing the Windows services screen, this service ...

  • Suspected Iranian hackers target airline with new backdoor

    December 16, 2021

    A suspected, state-sponsored Iranian threat group has attacked an airline with a never-before-seen backdoor. On Wednesday, cybersecurity researchers from IBM Security X-Force said an Asian airline was the subject of the attack, which likely began in October 2019 until 2021. The advanced persistent threat (APT) group ITG17, also known as MuddyWater, leveraged a free workspace channel on ...

  • Owowa: the add-on that turns your OWA into a credential stealer and remote access panel

    December 14, 2021

    While looking for potentially malicious implants that targeted Microsoft Exchange servers, Kaspersky researchers identified a suspicious binary that had been submitted to a multiscanner service in late 2020. Analyzing the code, researchers determined that the previously unknown binary is an IIS module, aimed at stealing credentials and enabling remote command execution from OWA. Kaspersky named ...

  • Second Log4j vulnerability CVE 2021-45046 discovered, patch already released

    December 14, 2021

    A second vulnerability involving Apache Log4j was found on Tuesday after cybersecurity experts spent days attempting to patch or mitigate CVE-2021-44228. The description of the new vulnerability, CVE 2021-45046, says the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was “incomplete in certain non-default configurations.” “This could allow attackers… to craft malicious input data using a JNDI ...

  • Artificial Intelligence: How to make Machine Learning Cyber Secure?

    December 14, 2021

    Machine learning (ML) is currently the most developed and the most promising subfield of artificial intelligence for industrial and government infrastructures. By providing new opportunities to solve decision-making problems intelligently and automatically, artificial intelligence (AI) is applied in almost all sectors of our economy. While the benefits of AI are significant and undeniable, the development of ...

  • CISA Issues Apache Log4j Vulnerability Guidance

    December 14, 2021

    CISA and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as “Log4Shell” and “Logjam.” Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as ...