Goto

Collaborating Authors


Russia's elite hacking unit has been silent, but busy

ZDNet

Turla, one of the codenames given by the cyber-security industry to one of Russia's oldest and most "talented" cyber-espionage unit, has been very active in the past three years, even though their operations have not received the same media coverage of other more flashy Russian hacking outfits. According to new research presented yesterday at the Virus Bulletin security conference held in Montreal, Canada, the group has been behind dozens of hacks around the world, operating with revamped malware and a tendency towards runtime scripting and the usage of open source tools. "Turla was absent from the milestone DNC hack event where Sofacy [APT28] and CozyDuke [APT29] were both present, but Turla was quietly active around the globe on other projects," said Kaspersky's GReAT team in a report published shortly after the presentation. But while APT28 and APT29's loudmouth dissemination of the DNC hacked data has led to public inquiries into their ties to Russian intelligence agencies --which eventually led to several public indictments [1, 2, 3]-- Turla has remained the same mystery as it always was. Considered by many to be Russia's elite hacking unit, Turla is believed to have ties to Moonlight Maze, one of the first government-backed hacking operations ever discovered, back in the 90s.


Latest Turla backdoor leverages email PDF attachments as C&C mechanism

#artificialintelligence

Malware researchers from ESET have conducted a new analysis of a backdoor used by the Russia-linked APT Turla in targeted espionage operations. The new analysis revealed a list of high-profile victims that was previously unknown. Turla is the name of a Russian cyber espionage APT group (also known as Waterbug, Venomous Bear and KRYPTON) that has been active since at least 2007 targeting government organizations and private businesses. The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command. In June 2016, researchers from Kaspersky reported that the Turla APT had started using rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla.


OceanLotus APT is very active, it used new Backdoor in recent campaigns

#artificialintelligence

The OceanLotus Group has been active since at least 2013, according to the experts it is a state-sponsored hacking group linked to Vietnam, most of them in Vietnam, the Philippines, Laos, and Cambodia. The hackers targeting organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists. Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam's manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors. Researchers at Volexity has been tracking the threat actor since May 2017, they observed attacks aimed at the Association of Southeast Asian Nations (ASEAN), and media, human rights, and civil society organizations.


Jupyter trojan: Newly discovered malware stealthily steals usernames and passwords

ZDNet

A newly uncovered trojan malware campaign is targeting businesses and higher education in what appears to be an effort to steal usernames, passwords and other private information as well as creating a persistent backdoor onto compromised systems. Jupyter infostealer has been detailed by cybersecurity company Morphisec who discovered it on the network of an unnamed higher education establishment in the US. It's thought the trojan has been active since May this year. The attack primarily targets Chromium, Firefox, and Chrome browser data, but also has additional capabilities for opening up a backdoor on compromised systems, allowing attackers to execute PowerShell scripts and commands, as well as the ability to download and execute additional malware. The Jupyter installer is disguised in a zipped file, often using Microsoft Word icons and file names that look like they need to be urgently opened, pertaining to important documents, travel details or a pay rise. If the installer is run, it will install legitimate tools in an effort to hide the real purpose of the installation – downloading and running a malicious installer into temporary folders in the background.