The blog post “Linux Defense Evasion Techniques Detected by AhnLab EDR (1)” [1] covered cases in which threat actors and malware strains, after compromising Linux servers, disabled security services such as firewalls and security modules and then concealed the installed malware.

This post covers additional defense evasion techniques against Linux systems that were not covered in the previous post.…
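The sequence summarised above (neutralise the firewall or security module first, then hide the dropped files) lends itself to a simple command-line detection. The following Python is an added example, not AhnLab's detection logic or code from the post: it matches executed command lines against a small rule set and raises a chain alert only when a defense-impairing command is followed by a concealment command in the same session. The sample session, the rule names and the paths are constructed for illustration.

```python
import re

# Constructed sample of command lines from one shell session (the shape an
# EDR might reconstruct from auditd EXECVE records); not real telemetry.
SAMPLE_SESSION = [
    "cat /etc/os-release",
    "systemctl stop firewalld",
    "systemctl disable firewalld",
    "setenforce 0",
    "sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config",
    "aa-teardown",
    "mkdir -p /var/tmp/.x",
    "mv /tmp/payload /var/tmp/.x/kworkerd",
    "chattr +i /var/tmp/.x/kworkerd",
    "touch -r /bin/ls /var/tmp/.x/kworkerd",
    "ls -la /var/tmp",
]

# Rule names are this example's own; the ATT&CK IDs in the comments name the
# technique each rule approximates.
RULES = {
    # T1562.004 Disable or Modify System Firewall
    "firewall_disabled": r"^\s*(systemctl\s+(stop|disable|mask)\s+(firewalld|ufw|nftables|iptables)"
                         r"|ufw\s+disable|(iptables|ip6tables)\s+(-F|--flush)|nft\s+flush\s+ruleset)\b",
    # T1562.001 Disable or Modify Tools: SELinux set permissive or disabled
    "selinux_permissive": r"^\s*setenforce\s+0\b|SELINUX=disabled",
    # T1562.001 Disable or Modify Tools: AppArmor torn down or stopped
    "apparmor_disabled": r"^\s*(aa-teardown\b|systemctl\s+(stop|disable|mask)\s+apparmor\b)",
    # T1564.001 Hidden Files and Directories: a dot-directory path component
    "hidden_path_used": r"(^|[\s/])\.[A-Za-z0-9_-]+(?=/|\s|$)",
    # T1222.002 File and Directory Permissions Modification: immutable bit
    "immutable_set": r"^\s*chattr\s+\+i\b",
    # T1070.006 Timestomp: copy another file's timestamps onto the payload
    "timestomp": r"^\s*touch\s+(-r|--reference)\b",
}
COMPILED = {name: re.compile(pat) for name, pat in RULES.items()}

IMPAIR = {"firewall_disabled", "selinux_permissive", "apparmor_disabled"}
CONCEAL = {"hidden_path_used", "immutable_set", "timestomp"}


def detect(command):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in COMPILED.items() if rx.search(command)]


def scan_session(commands):
    """Map each matching command line to its rule hits (clean lines omitted)."""
    return {cmd: hits for cmd in commands if (hits := detect(cmd))}


def evasion_chain(commands):
    """True when a defense-impairing command precedes a concealment command.

    Either half alone is common in legitimate administration (a dot-directory
    path, a one-off setenforce 0), so the ordered pair is what gets alerted.
    """
    impaired = False
    for cmd in commands:
        hits = set(detect(cmd))
        if hits & IMPAIR:
            impaired = True
        if impaired and hits & CONCEAL:
            return True
    return False


if __name__ == "__main__":
    for cmd, hits in scan_session(SAMPLE_SESSION).items():
        print(f"{', '.join(hits):40s} {cmd}")
    print("evasion chain:", evasion_chain(SAMPLE_SESSION))
```

The hidden-path rule is deliberately broad (it fires on `~/.ssh/` as well as `/var/tmp/.x/`); in practice it is the ordering with a prior firewall or LSM change that makes the session worth an analyst's time, not any single match.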


Published On: 2024-07-19

EXECUTIVE SUMMARY

In the second quarter of 2024, Advanced Persistent Threat (APT) groups from China, North Korea, Iran, and Russia demonstrated a surge in dynamic and innovative cyber activities, significantly challenging the global cybersecurity landscape.

Starting with Iran, state-sponsored threat actors exhibited advanced capabilities across various regions and sectors.…

Introduction

This is Part 1 of our two-part technical deep dive into APT41’s new tooling, which includes DodgeBox and MoonWalk. For details about MoonWalk, go to Part 2.

In April 2024, Zscaler ThreatLabz uncovered a previously unknown loader called DodgeBox. Upon further analysis, striking similarities were found between DodgeBox and variants of StealthVector, a tool associated with the China-based advanced persistent threat (APT) actor APT41 / Earth Baku.…

Introduction

This is Part 2 of our two-part technical deep dive into APT41’s new tooling, DodgeBox and MoonWalk. For details of DodgeBox, go to Part 1.

In Part 2 of this blog series, we examine the MoonWalk backdoor, a new addition to APT41’s toolkit. Continuing from our previous analysis of the DodgeBox loader in Part 1, we have discovered that MoonWalk shares several evasion techniques.…


Summary: NATO has announced plans to establish a new cyber-defense facility, the NATO Integrated Cyber Defence Centre (NICC), to enhance situational awareness and collective cyber-resilience among member states.

Threat Actor: N/A
Victim: N/A

Key Point:

The NICC will be based at the Supreme Headquarters Allied Powers Europe (SHAPE) in Belgium and will consist of civilian and military experts from member states.…

Summary: The White House is implementing increased cybersecurity protocols for research and development (R&D) institutions, including those in higher education.

Threat Actor: N/A
Victim: R&D institutions, including those in higher education

Key Point:

The Office of Science and Technology Policy has mandated that federal research agencies certify proper security requirements for covered institutions, including those in higher education.…

This advisory, authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA)—hereafter referred to as the “authoring agencies”—outlines a People’s Republic of China (PRC) state-sponsored cyber group and its current threat to Australian networks.…


Summary: Chinese government-backed cyber espionage group APT41 has added a loader called DodgeBox and a backdoor named MoonWalk to its malware arsenal, according to research by Zscaler’s ThreatLabz team.

Threat Actor: APT41
Victim: Multiple victims

Key Point:

APT41, also known as Barium, Wicked Panda, Wicked Spider, and Earth Baku, is a Chinese government-backed cyber espionage group with ties to the Chinese Ministry of State Security.…

Summary: Several Macau government websites were targeted in a distributed denial-of-service (DDoS) attack, causing them to go offline for almost an hour. Local authorities have launched a criminal investigation to trace the source of the attack.

Threat Actor: Unknown
Victim: Macau government websites

Key Point:

Several Macau government websites, including those of the security service, police force, fire and rescue services, and the academy for public security forces, were targeted in a DDoS attack.…

Summary: CISA and ASD’s ACSC have jointly released an advisory on the cyber activities of APT40, a state-sponsored cyber group from the People’s Republic of China (PRC).

Threat Actor: APT40
Victim: Various organizations targeted by APT40

Key Point:

CISA and ASD’s ACSC have collaborated to release an advisory on the cyber activities of APT40, a state-sponsored cyber group from the PRC.…

Written by: John Hultquist

As North Atlantic Treaty Organization (NATO) members and partners gather for a historic summit, it is important to take stock of one of its most pressing challenges—the cyber threat. The Alliance faces a barrage of malicious cyber activity from all over the globe, carried out by emboldened state-sponsored actors, hacktivists, and criminals who are willing to cross lines and carry out activity that was previously considered unlikely or inconceivable.…


Summary: Operation Morpheus is an international law enforcement operation aimed at combatting the criminal abuse of the Cobalt Strike red teaming tool.

Threat Actor: Various threat actors, including APT29, FIN7, RYUK, Trickbot, and Conti, have used the Cobalt Strike platform.

Victim: No specific victim mentioned.

Key Point:

Operation Morpheus is led by the UK National Crime Agency and includes law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland, and the United States.…

Summary: Over 384,000 websites have been linking to a site that was recently involved in a supply-chain attack, redirecting visitors to malicious sites.

Threat Actor: Funnull
Victim: Websites

Key Point:

The JavaScript code hosted at polyfill[.]io, which was previously a legitimate open source project, was acquired by Funnull.…
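A site owner's first question after this summary is whether any of their pages still load the script. The following Python is an added example, not code from the original article or from any of the vendors mentioned: it audits a page's `<script>` tags for references to the compromised polyfill.io hosts (exact host or subdomain) and, as a second tier, for third-party scripts loaded without a Subresource Integrity attribute. The sample HTML, the `example-cdn.net` host and the `integrity` value are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Host named in the incident; subdomains such as cdn.polyfill.io match too.
BAD_HOSTS = {"polyfill.io"}

# Constructed sample page for the example; the integrity value is a
# placeholder with the right shape, not a real digest.
SAMPLE_HTML = """
<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://widgets.example-cdn.net/widget.js"></script>
<script src="/static/app.js"></script>
<script>console.log("inline, not external");</script>
</head><body></body></html>
"""

# A <script> tag that carries a src attribute (attributes may span lines).
SCRIPT_WITH_SRC = re.compile(
    r'<script\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>', re.I)
# A well-formed SRI attribute: sha256/384/512 followed by a base64 digest.
SRI_ATTR = re.compile(
    r'\bintegrity\s*=\s*["\']sha(256|384|512)-[A-Za-z0-9+/=]+["\']', re.I)


def host_is_bad(host, bad_hosts):
    """Exact match or any subdomain of a listed host."""
    return host in bad_hosts or any(host.endswith("." + b) for b in bad_hosts)


def audit_scripts(html, bad_hosts=BAD_HOSTS):
    """Return (src, finding) pairs for every external script needing attention.

    Relative paths are first-party and skipped; protocol-relative URLs
    (//host/path) are external and resolved like any other.
    """
    findings = []
    for m in SCRIPT_WITH_SRC.finditer(html):
        tag, src = m.group(0), m.group(1)
        host = urlparse(src).hostname  # None for relative paths
        if host is None:
            continue
        host = host.lower()
        if host_is_bad(host, bad_hosts):
            findings.append((src, "references compromised host; remove or self-host"))
        elif not SRI_ATTR.search(tag):
            findings.append((src, "third-party script without integrity attribute"))
    return findings


if __name__ == "__main__":
    for src, finding in audit_scripts(SAMPLE_HTML):
        print(f"{finding:55s} {src}")
```

The integrity tier is a general hygiene check, not a retroactive fix for this incident: polyfill.io generated a different bundle for each browser User-Agent, so no single SRI hash could ever have applied to it, which is why the remediation was to delete the tag or self-host a pinned copy rather than to add an attribute.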