Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.
The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.
Read more…
Source: Kaspersky
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Recent Cloud Atlas activity
August 12, 2019
Also known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. We first reported Cloud Atlas in 2014 and we’ve been following its activities ever since. From the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor ...
- IT threat evolution Q2 2019: Targeted attacks and malware campaigns
August 12, 2019
In March, we published the results of our investigation into a sophisticated supply-chain attack involving the ASUS Live Update Utility, used to deliver BIOS, UEFI and software updates to ASUS laptops and desktops. The attackers added a backdoor to the utility and then distributed it to users through official channels. ASUS was not the only company used ...
- Three major vulnerabilities found in Cisco SMB switches
August 7, 2019
Three of Cisco’s most popular switches for SMBs contain serious security flaws that could allow a hacker to remotely access the device and infiltrate an organisation’s network. The critical vulnerabilities, which affect Cisco’s Small Business 220 Series of smart switches, include a remote code execution (RCE) bug rated 9.8/10 by Cisco in terms of threat severity, an authentication bypass rated 9.1/10 ...
- KDE Linux Desktops Could Get Hacked Without Even Opening Malicious Files
August 7, 2019
If you are running a KDE desktop environment on your Linux operating system, you need to be extra careful and avoid downloading any “.desktop” or “.directory” file for a while. A cybersecurity researcher has disclosed an unpatched zero-day vulnerability in the KDE software framework that could allow maliciously crafted .desktop and .directory files to silently run ...
- New ‘warshipping’ technique gives hackers access to enterprise offices
August 7, 2019
Researchers have described a new technique which could be used by cyberattackers to infiltrate corporate setups — with a little help from your friendly neighborhood delivery workers. On Wednesday, Charles Henderson, Global Managing Partner of IBM X- Force Red documented the theoretical method known as warshipping. The technique builds upon wardialing — in which numbers are called en masse ...
- Microsoft Says Russia’s Strontium Behind IoT Hacks
August 7, 2019
Russian hackers have been identified by security experts at Microsoft as being behind a series of attacks on IoT devices. Microsoft’s Threat Intelligence Center said in a blog posting that the Russian state-linked hackers were Strontium. The Strontium hackers are also known as the Fancy Bear group, or alternatively ‘APT28′ and are closely linked to the Russian military intelligence ...

