ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Actively Exploited Windows Kernel EoP Bug Allows Takeover

    February 9, 2021

    Microsoft has addressed nine critical-severity cybersecurity bugs in February’s Patch Tuesday updates, plus an important-rated vulnerability that is being actively exploited in the wild. Six of the security holes – including one of the critical bugs – were already publicly disclosed. Overall, the computing giant has released patches for 56 CVEs covering Microsoft Windows components, the .NET ...

  • Florida: Hacker Changed Chemical Levels at Oldsmar’s Water Treatment Plant

    February 8, 2021

    Pinellas County Sheriff Bob Gualtieri said at a news conference Monday there were two intrusions, hours apart. The first one happened at 8 a.m., when a plant operator noticed someone remotely accessing the system he was monitoring, which controls chemicals and other plant operations. But he didn’t think much of it, according to the sheriff, because ...

  • Billions of Passwords Offered for $2 in Cyber-Underground

    February 8, 2021

    A “compilation of many breaches” – COMB for short – has been leaked on the cyber-underground, according to researchers. The so-called COMB contains a staggering 3.27 billion unique combinations of cleartext email addresses and passwords. The trove is an aggregate database that brings together older stolen data from breaches past – including credentials from Netflix, LinkedIn, ...

  • Fortinet fixes critical vulnerabilities in SSL VPN and web firewall

    February 7, 2021

    Fortinet has fixed multiple severe vulnerabilities impacting its products. The vulnerabilities range from Remote Code Execution (RCE) to SQL Injection, to Denial of Service (DoS) and impact the FortiProxy SSL VPN and FortiWeb Web Application Firewall (WAF) products. Multiple advisories published by FortiGuard Labs this month and in January 2021 mention various critical vulnerabilities that Fortinet has ...

  • Signal ignores proxy censorship vulnerability, bans researchers

    February 7, 2021

    Signal, an end-to-end encrypted messaging platform was recently blocked by the Iranian government. To help its users bypass censorship in Iran, the company suggested a TLS proxy workaround. However, multiple researchers have now discovered flaws in the workaround that can let a censor or government authority probe into Signal TLS proxies, rendering these protections moot and potentially ...

  • Eletrobras, Copel energy companies hit by ransomware attacks

    February 5, 2021

    Centrais Eletricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel), two major electric utilities companies in Brazil have announced that they suffered ransomware attacks over the past week. State-controlled, both are key players in the country. Copel being the largest in the state of Paraná while Eletrobras is the largest power utility company in Latin America ...