
Researchers link APT41 to a series of phishing attacks



Researchers have tied parts of the group's network infrastructure to phishing attacks on users in India.

Cybersecurity specialists from the BlackBerry Research and Intelligence team have linked the Chinese state-backed group APT41 (also known as Barium or Winnti) to a set of seemingly unrelated malware campaigns. By comparing parts of the group's network infrastructure, they connected it to phishing attacks on users in India that used COVID-19-themed decoys.

APT41 has conducted Chinese government-sponsored espionage since at least 2012 alongside financially motivated operations for personal gain. The group has targeted the healthcare, technology and telecommunications sectors to establish long-term access and facilitate the theft of intellectual property. It is known for attacks aimed at stealing source code and code-signing certificates, manipulating virtual currency and deploying ransomware, as well as for compromising the software supply chain by injecting malicious code into legitimate files.

BlackBerry's research builds on Mandiant's March 2020 findings detailing APT41's "global hacking campaign", which exploited a number of vulnerabilities in Cisco and Citrix devices. The attackers installed next-stage payloads that in turn loaded Cobalt Strike beacons onto the compromised systems. The downloader used a malleable C&C profile, which let the beacons blend their communications with the remote server into what looked like legitimate traffic originating from the victim's network.

BlackBerry found a similar C&C profile uploaded to GitHub on March 29 by a Chinese security researcher using the pseudonym 1135, and used the configuration metadata in that profile to identify a new cluster of APT41-related domains that attempt to disguise beacon traffic as legitimate traffic to Microsoft sites.

Subsequent analysis of the URLs revealed three malicious PDFs hosted on one of those domains. The documents appear to have been used in phishing emails posing as COVID-19 advisories issued by the Indian government or as notices about the latest income tax rules.

The attachments were .LNK or .ZIP files that, when opened, display a PDF decoy to the victim while the infection chain silently launches a Cobalt Strike beacon in the background. Although attacks using similar phishing lures discovered in September 2020 had been attributed to Evilnum, the researchers said the indicators in this case point to an APT41 campaign.
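A malleable C&C profile changes what beacon requests look like, not when they are sent: a Cobalt Strike beacon still checks in every sleep interval plus some jitter. The following is an added example (not code from the BlackBerry report or from the group's tooling) showing how a defender can flag a beaconing channel from a proxy log by grouping requests per client and host and measuring how regular the gaps between them are, regardless of whether the Host header imitates a Microsoft site. The log lines, IP addresses and `.invalid` hostnames are constructed for this example and are not real indicators; the thresholds are assumptions to tune against your own traffic.

```python
"""Flag beacon-like HTTP traffic in a proxy log by interval regularity.

Added example, not from the original report. Sample data below is
constructed; hostnames use the reserved .invalid TLD as placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one request per line:
# "<ISO timestamp> <client ip> <host header> <path>"
# 10.0.0.5 browses a normal site at irregular times, and also talks to
# a host every ~60 s with ~10% jitter, the signature of a sleeping beacon.
SAMPLE_LOG = """\
2021-04-01T10:00:00 10.0.0.5 cdn.update-example.invalid /__utm.gif
2021-04-01T10:00:00 10.0.0.5 www.example.com /index.html
2021-04-01T10:00:12 10.0.0.5 www.example.com /news.html
2021-04-01T10:01:03 10.0.0.5 cdn.update-example.invalid /__utm.gif
2021-04-01T10:01:58 10.0.0.5 cdn.update-example.invalid /__utm.gif
2021-04-01T10:03:02 10.0.0.5 cdn.update-example.invalid /__utm.gif
2021-04-01T10:03:59 10.0.0.5 cdn.update-example.invalid /__utm.gif
2021-04-01T10:05:00 10.0.0.5 cdn.update-example.invalid /__utm.gif
2021-04-01T10:05:12 10.0.0.5 www.example.com /about.html
2021-04-01T10:05:19 10.0.0.5 www.example.com /contact.html
2021-04-01T10:05:59 10.0.0.5 cdn.update-example.invalid /__utm.gif
2021-04-01T10:20:19 10.0.0.5 www.example.com /index.html
2021-04-01T10:20:20 10.0.0.5 www.example.com /logo.png
2021-04-01T10:21:00 10.0.0.9 www.example.com /index.html
"""


def parse_log(text):
    """Group request timestamps by (client, host); order does not matter."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path = line.split()
        groups[(client, host)].append(datetime.fromisoformat(ts))
    return groups


def interval_stats(timestamps):
    """Return (request count, mean gap in seconds, coefficient of variation).

    A low coefficient of variation (stdev / mean) means the gaps are nearly
    constant, which is what a sleep-plus-jitter beacon produces. Returns
    cv = inf when the mean gap is zero so such pairs are never flagged.
    """
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    if len(gaps) < 2:
        return len(ordered), 0.0, float("inf")
    avg = mean(gaps)
    if avg == 0:
        return len(ordered), 0.0, float("inf")
    return len(ordered), avg, pstdev(gaps) / avg


def find_beacons(text, min_requests=5, max_cv=0.2):
    """Return (client, host) pairs whose check-ins are suspiciously regular.

    min_requests avoids flagging a handful of coincidental hits; max_cv is
    the regularity threshold (assumed value, tune on real traffic).
    """
    hits = []
    for (client, host), stamps in parse_log(text).items():
        count, avg, cv = interval_stats(stamps)
        if count >= min_requests and cv <= max_cv:
            hits.append({"client": client, "host": host, "requests": count,
                         "mean_interval": avg, "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}: {hit['requests']} requests, "
              f"mean gap {hit['mean_interval']:.1f}s, cv {hit['cv']:.3f}")
```

Regularity alone is a triage signal, not a verdict: software updaters and telemetry also poll on fixed timers, so the flagged pairs should be checked against destination reputation and, for a host that claims to be a Microsoft service, against whether the resolved address actually belongs to Microsoft.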



Vodafone is suing the UK over a contract to develop a hacker-proof communication line



The company considers it unfair that the contract was awarded to Fujitsu even though neither bidder met the requirements.

Mobile operator Vodafone has filed a lawsuit against the UK government after losing a tender to develop a hacker-proof communications system, in which the Japanese company Fujitsu also took part.

Although both bidders were found to have failed to meet the government's minimum requirements, Vodafone believes Fujitsu was unfairly awarded a £184m ($254m) contract to upgrade the communications system used by 532 British embassies and other agencies.

The Echo 2 project aims to provide secure communications for the UK Foreign and Commonwealth Office and its employees and agents in over 170 countries.

According to the government, the current communications system operated by Vodafone is “outdated” and poses a risk to national security.

Vodafone went to court after Cable & Wireless, which the operator acquired in 2012, lost its long-term contract for Echo 1.

"We do not believe that the procurement process was carried out correctly. The contracting authority itself admitted that the Fujitsu Solution was 'not fit for purpose,'" said a Vodafone spokesman.

According to the Foreign Office's lawyers, Fujitsu's proposal fell short on two requirements but on the whole met the terms of the tender. Fujitsu representatives did not comment.

The trial in this case is scheduled for January 2022. The court allowed the UK government to enter into a “conditional contract” with Fujitsu. The details of the contract were not disclosed due to security concerns.



FIN7 recruits specialists to carry out ransomware attacks



FIN7 created a fictitious information security company with the aim of hiring experts, ostensibly to conduct penetration tests.

The cybercriminal group FIN7 appears to be seeking a new source of income by joining the ranks of ransomware operators. Specifically, FIN7 set up a fictitious information security company to recruit cybersecurity experts, ostensibly to conduct penetration tests but in fact to carry out ransomware attacks.

According to investigators at Gemini Advisory (a division of the security company Recorded Future), the group posted job advertisements on the website of a company called Bastion Secure, which claimed to provide penetration testing services to companies and organizations around the world. The "company" sought reverse engineers, system administrators, and programmers with knowledge of C++, Python and PHP, offering salaries of $800 to $1,200 per month.

Gemini Advisory gained insight into Bastion Secure's operations with the help of an insider. Job seekers were asked to complete a three-stage interview which, notably, included no explanation of the engagement and no legal documents authorizing any penetration test.

In the practical stage, applicants were restricted to specific tools that security products did not detect, and were tasked with searching the target company's network for backups and file storage systems. These tasks, the researchers note, "coincided with the steps taken in the preparation of ransomware attacks." In the actual attacks, Ryuk or REvil ransomware was deployed, the experts say.

The "testing tools" provided to applicants included the Carbanak and Lizar/Tirion malware, both of which security researchers have previously linked to FIN7 attacks.

This is not the first time the group has used a fictitious company to attract specialists. A few years ago FIN7 set up a company called Combi Security that recruited pentesters to break into companies' networks and install malware on point-of-sale terminals.

Although creating and running a fictitious company takes effort, hiring a salaried security specialist costs FIN7 far less than partnering with hackers or groups recruited through cybercriminal forums, who would expect a share of the proceeds from the ransomware attacks, the researchers explained.



US regulator demands payment-system data from tech giants



The US Consumer Financial Protection Bureau has issued a series of information collection orders for payment systems.

The US Consumer Financial Protection Bureau (CFPB) has issued a series of information collection orders to the operators of major payment systems, including Amazon, Apple, Facebook, Google, PayPal and Square. The Chinese payment systems WeChat and AliPay will also be studied, but the CFPB orders do not apply to them.

The orders do not allege any specific violation, but they signal the CFPB's intention to become more involved in regulating technology companies' consumer products. In particular, they are intended to uncover any data collection or anti-competitive behavior that has not yet come to light.

According to Reuters, CFPB chief Rohit Chopra called the orders an attempt to prevent technology companies from using payment processing to influence users or gain a competitive advantage over smaller companies.

At present, little is known about how the tech giants will use their payment platforms, Chopra said.

“For example, will payment operators engage in invasive financial research and combine collected customer data with location and browsing data? … Will payment platforms really be neutral, or will they use their scale to generate rents from market participants?” Chopra said.
