
by Christian Vasquez

Iran increases phishing attempts on U.S., Israeli targets

Hackers linked to Iran’s Islamic Revolutionary Guard Corps targeted the Trump and Biden presidential campaigns amid increased phishing attacks against U.S. and Israeli officials and institutions, according to a new report from Google’s Threat Analysis Group.

Google TAG researchers saw “small but steady” attempts by IRGC this election cycle to steal credential information from people associated with President Joe Biden and former President Donald Trump. The report also noted an increase in phishing attacks against Israeli military, defense, academic institutions and civil society organizations starting in April.

“This spring and summer, they have shown the ability to run numerous simultaneous phishing campaigns, particularly focused on Israel and the U.S. As hostilities between Iran and Israel intensify, we can expect to see increased campaigns there from APT42,” Google’s report noted, using Mandiant’s threat actor naming convention.

Last week, the Trump campaign alleged that Iran was behind an attempted hack-and-leak operation in which a persona dubbed “Robert” told multiple media outlets it had inside access to Trump campaign materials.

Former National Security Agency cybersecurity head Rob Joyce said Sunday at the DEF CON conference in Las Vegas that hack-and-leak operations of that kind — which harken back to the 2016 presidential election and efforts by Russia to sway the election using stolen emails — will likely ramp up as election day draws closer.

From May to June, researchers saw the IRGC attempt to steal logins of “roughly a dozen” former and current U.S. government officials, as well as individuals connected to the presidential campaigns of both Trump and Biden months before he dropped out and was replaced at the top of the Democratic ticket by Vice President Kamala Harris.

Google also confirmed Microsoft’s report last week that the IRGC successfully infiltrated the email of a “high-profile political consultant.”

Iran has been described as a “chaos agent” by intelligence officials and Google’s report noted that the U.S. and Israel combined to make up more than half of the IRGC’s geographic targeting.

The IRGC has been steadily targeting high-profile individuals with connections to Israeli defense, diplomatic and civil society organizations. Hackers used a combination of social engineering and fake Google services masquerading as Gmail, Google Sites or Drive, or other fake sites impersonating Dropbox and OneDrive, the report noted.

In one case, the IRGC tried to social-engineer former senior Israeli military and aerospace officials by posing as a journalist seeking comment on air strikes. The initial emails carried no malicious links or attachments; the attackers instead used the back-and-forth to build trust and then, later in the exchange, steer the target to a fake landing page that prompted them to enter their credentials.

The state-backed hackers also imitated organizations like the Institute for the Study of War and the Brookings Institution using similar website or email domains, the report found.

The post Iran increases phishing attempts on U.S., Israeli targets appeared first on CyberScoop.

by Chris H

Black Basta-Linked Attackers Target Users with SystemBC Malware

An ongoing social engineering campaign with alleged links to the Black Basta ransomware group has been linked to “multiple intrusion attempts” with the goal of conducting credential theft and deploying a malware dropper called SystemBC.
“The initial lure being utilized by the threat actors remains the same: an email bomb followed by an attempt to call impacted users and offer a fake solution,”
by Balaji N

How to Investigate Emerging Cyber Threats in 2024 – SOC/DFIR Team Guide

In the rapidly evolving world of cybersecurity, emerging threats pose significant challenges to organizations worldwide. These threats, characterized by their novelty and complexity, often exploit new vulnerabilities and technologies, making them difficult to predict and defend against.

As cybercriminals continually refine their methods, businesses must stay informed and proactive to protect their assets. One powerful tool in this effort is the Threat Intelligence (TI) Lookup service from ANY.RUN, which provides valuable insights into these emerging threats.

Emerging threats differ from persistent threats in several ways:

  • Novel Techniques: They involve new methods and tools that have not been widely seen before.
  • Continuous Evolution: Attackers constantly refine their strategies to evade detection.
  • Unpredictability: Their unpredictable nature makes them particularly challenging to defend against.
  • Potential Impact: They can have severe implications for victims, including financial losses and reputational damage.

Why Monitoring Emerging Threats is Crucial

Many organizations struggle to handle emerging threats due to a lack of awareness, resources, or expertise. These threats can disrupt operations, lead to data breaches, and erode customer trust. Staying informed about emerging threats and taking proactive measures is essential for safeguarding organizational assets.

How Threat Intelligence Lookup Assists

ANY.RUN’s Threat Intelligence Lookup is a valuable resource for organizations looking to stay ahead of emerging threats. Powered by a global community of 400,000 security experts, the service provides access to a vast database of indicators of compromise (IOCs) and other threat data. Users can search through this data using various parameters to gather information on malware and phishing threats.

Key Features of TI Lookup:

  • Comprehensive Search: Users can search through 2TB of the latest threat data using over 40 different search parameters.
  • Quick Results: Each search provides quick results with corresponding sandbox sessions.
  • YARA Search: A built-in rule editor allows users to use custom YARA rules for more precise searches.
  • API Integration: TI Lookup can be integrated with existing security systems for seamless operation.

Examples of Emerging Threats and Investigation Methods

1. New Phishing Threats

Cybercriminals continually devise new phishing tactics, often abusing legitimate services to deceive users. For example, a recent campaign exploited Amazon Simple Email Service (SES) accounts to distribute phishing emails.

Example: Abuse of SES Accounts by Tycoon 2FA Phish-kit 

Recently, ANY.RUN researchers spotted a phishing campaign exploiting compromised Amazon Simple Email Service (SES) accounts to distribute phishing emails.  

By using TI Lookup, security teams can identify and analyze such campaigns, gathering data on domains, IPs, and files involved.

2. New and Evolving Malware Families

New malware strains, like the recently discovered DeerStealer, pose significant threats. These malware types often employ advanced evasion techniques. TI Lookup allows users to gather information on these threats using YARA Search, providing detailed sandbox reports for further analysis.

Example: DeerStealer Malware 

In July 2024, ANY.RUN discovered a new malware family called DeerStealer. This malware was distributed through a phishing campaign that mimicked the Google Authenticator website.

Using Threat Intelligence Lookup, we can efficiently gather information on the latest DeerStealer samples by utilizing YARA Search. This tool allows us to apply custom YARA rules to identify samples based on their content.

According to ANY.RUN's analysis, the service returns four samples with their corresponding sandbox sessions, allowing us to take a closer look at how the threat operates and collect valuable intelligence.

3. Tactics, Techniques, and Procedures (TTPs)

Attackers frequently update their tactics to exploit vulnerabilities and avoid detection. For instance, the new version of HijackLoader includes a User Account Control (UAC) bypass. TI Lookup can identify such updates using queries based on the MITRE ATT&CK framework.

Example: Samples of New HijackLoader Version 

Earlier in 2024, HijackLoader received an update adding a User Account Control (UAC) bypass (MITRE ATT&CK T1548.002), which lets the loader obtain an elevated process without the consent prompt UAC would normally display. To find samples of this updated version, use the following query in TI Lookup: MITRE:"T1548.002" AND threatName:"hijackloader".

4. Exploitation of World Events

Cybercriminals often exploit global events to launch attacks. During the CrowdStrike outage, attackers launched phishing campaigns to exploit the confusion. TI Lookup helped identify malicious domains mimicking official sites, aiding in the investigation.

Example: CrowdStrike Incident 

ANY.RUN analysts were quick to identify threats exploiting the incident, with TI Lookup playing a key role. One of their search queries (domainName:"crowdstrike" AND threatLevel:"malicious") surfaced domains mimicking the official CrowdStrike domain that appeared shortly after the event.
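Both the Google TAG findings earlier on this page (domains mimicking the Institute for the Study of War and Brookings, fake Google, Dropbox and OneDrive pages) and the CrowdStrike example above come down to the same triage question: which of the domains a lookup returns actually impersonate a protected brand? The script below is an added example, not code from ANY.RUN, Google TAG or the original posts. It takes a list of candidate domains, the shape of a domainName:"crowdstrike" result set, and flags brand-on-other-TLD, brand-as-subdomain, brand-embedded, homoglyph and small-edit-distance lookalikes. The brand list, the homoglyph table and the sample domains are all constructed for illustration, and the registrable-domain split assumes a one-label public suffix; production code would use the Public Suffix List and a full confusables table.

```python
"""Lookalike-domain triage for a list of candidate domains.

Added example, not code from ANY.RUN, Google TAG or the original posts.
Brand list, homoglyph table and sample domains are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed brand list (the impersonation targets this page names).
PROTECTED = ["crowdstrike.com", "brookings.edu", "understandingwar.org", "google.com"]

# Ordered: multi-character swaps first, digits-for-letters before letters are
# folded together, so fold("goog1e") == fold("google") == "googie".
# Assumption: a small illustrative table, not a full confusables list.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o"), ("l", "i")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(label: str) -> str:
    """Map a label into its homoglyph equivalence class."""
    for lookalike, canonical in HOMOGLYPHS:
        label = label.replace(lookalike, canonical)
    return label


@dataclass
class Finding:
    domain: str
    brand: str
    reason: str


def classify(domain: str, protected=PROTECTED) -> Optional[Finding]:
    """Return a Finding if `domain` impersonates a protected brand, else None.
    Assumes a one-label public suffix (example.com, not example.co.uk)."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return None
    name, tld = labels[-2], labels[-1]
    for brand in protected:
        bname, btld = brand.lower().split(".")[-2:]
        if (name, tld) == (bname, btld):
            return None  # the brand's own domain, or a subdomain of it
        if bname in labels[:-2]:
            return Finding(domain, brand, "brand used as a subdomain of an unrelated domain")
        if name == bname:
            return Finding(domain, brand, f"brand label on a different TLD (.{tld})")
        if bname in name:
            return Finding(domain, brand, "brand embedded in a longer label")
        if fold(name) == fold(bname):
            return Finding(domain, brand, "homoglyph substitution")
        distance = levenshtein(name, bname)
        if distance <= 2 and len(bname) >= 6:  # short brands would over-match
            return Finding(domain, brand, f"typosquat (edit distance {distance})")
    return None


def triage(domains, protected=PROTECTED) -> list:
    """Classify every candidate and keep only the suspicious ones."""
    return [f for f in (classify(d, protected) for d in domains) if f is not None]


# Constructed candidates, the shape of a domainName:"crowdstrike" result set.
SAMPLE_DOMAINS = [
    "crowdstrike.com",                    # legitimate
    "falcon.crowdstrike.com",             # legitimate subdomain
    "crowdstrike-helpdesk.com",           # brand embedded
    "crowdstrlke.com",                    # l for i
    "crowdstrke.com",                     # dropped letter
    "crowdstrike.net",                    # other TLD
    "crowdstrike.com.login-verify.net",   # brand as subdomain
    "brookings-institution.org",          # think-tank impersonation
    "goog1e.com",                         # digit homoglyph
    "example.com",                        # unrelated
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_DOMAINS):
        print(f"{finding.domain:36} -> {finding.brand:22} {finding.reason}")
```

The checks run in order from most to least specific, and an exact match on the brand's own registrable domain short-circuits to "legitimate" so that real subdomains such as falcon.crowdstrike.com are never flagged. The edit-distance rule is gated on brand length because two edits away from a five-letter brand matches far too much of the DNS namespace.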

Additional Investigation Techniques with TI Lookup

  • Check Suspicious Connections: Quickly determine the threat level of suspicious IPs.
  • Enrich Intelligence on C2 Infrastructure: Stay updated on changes in command and control infrastructure used by attackers.
  • Discover Malicious Network Activity: Use Suricata IDS rules to detect and analyze network threats.
  • Learn about the Current Threat Landscape: Explore threats specific to certain regions based on local submissions.

Effective investigation of emerging threats relies on comprehensive threat intelligence. ANY.RUN’s TI Lookup provides a wealth of data, enabling organizations to better understand and mitigate these threats. By leveraging this tool, businesses can enhance their cybersecurity posture and ensure the safety and integrity of their systems.

About ANY.RUN

ANY.RUN supports over 400,000 cybersecurity professionals worldwide with its interactive sandbox and threat intelligence products, including TI Lookup, YARA Search, and Feeds. These tools help organizations quickly respond to incidents and learn more about emerging threats.

The post How to Investigate Emerging Cyber Threats in 2024 – SOC/DFIR Team Guide appeared first on Cyber Security News.

by Chris H

University Professors Targeted by North Korean Cyber Espionage Group

The North Korea-linked threat actor known as Kimsuky has been linked to a new set of attacks targeting university staff, researchers, and professors for intelligence gathering purposes.
Cybersecurity firm Resilience said it identified the activity in late July 2024 after it observed an operational security (OPSEC) error made by the hackers.
Kimsuky, also known by the names APT43, ARCHIPELAGO,
by Chris H

New Linux Kernel Exploit Technique ‘SLUBStick’ Discovered by Researchers

Cybersecurity researchers have shed light on a novel Linux kernel exploitation technique dubbed SLUBStick that could be exploited to elevate a limited heap vulnerability to an arbitrary memory read-and-write primitive.
“Initially, it exploits a timing side-channel of the allocator to perform a cross-cache attack reliably,” a group of academics from the Graz University of Technology said [PDF]. “
by Chris H

APT41 Hackers Use ShadowPad, Cobalt Strike in Taiwanese Institute Cyber Attack

A Taiwanese government-affiliated research institute that specializes in computing and associated technologies was breached by nation-state threat actors with ties to China, according to new findings from Cisco Talos.
The unnamed organization was targeted as early as mid-July 2023 to deliver a variety of backdoors and post-compromise tools like ShadowPad and Cobalt Strike. It has been attributed
by Chris H

Critical Flaw in Acronis Cyber Infrastructure Exploited in the Wild

Cybersecurity company Acronis is warning that a now-patched critical security flaw impacting its Cyber Infrastructure (ACI) product has been exploited in the wild.
The vulnerability, tracked as CVE-2023-45249 (CVSS score: 9.8), concerns a case of remote code execution that stems from the use of default passwords.
The flaw impacts the following versions of Acronis Cyber Infrastructure (ACI) –
