Aquext

We are Aquext, one of the strongest independent security services companies. This is why our clients and customers come from all successful industry sectors.

As a business formed and run by experienced security pioneers, we know security and how to deliver real value in the real world. See us as your true partner in security. We have the experience, proven track record and industry recognition to provide best-of-breed services for all our clients. Our team specialises in professional training, build and operation design for security engineering, threat intelligence and incident management. And we always tailor our cybersecurity services to customer needs.

18/06/2021

AqueXT APT Profile Series

MITRE GROUP ID: G0016
Associated Groups: Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke
Contributors: Matt Brenton, Zurich Insurance Group; Katie Nickels, Red Canary

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.

In April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.

14/06/2021

Multiple critical security flaws have been disclosed in Samsung's pre-installed Android apps, which, if successfully exploited, could have allowed adversaries access to personal data without users' consent and take control of the devices.

"The impact of these bugs could have allowed an attacker to access and edit the victim's contacts, calls, SMS/MMS, install arbitrary apps with device administrator rights, or read and write arbitrary files on behalf of a system user which could change the device's settings," Sergey Toshin, founder of mobile security startup Oversecured, said in an analysis published Thursday.


11/06/2021

[via : SecurityMagazine] The Kimsuky APT, also known as Thallium, Black Banshee, and Velvet Chollima, continues to target the South Korean government, according to the Malwarebytes Threat Intelligence team, which is actively monitoring this actor and has been able to spot phishing websites, malicious documents, and scripts used to target high-profile people within the government of South Korea. The structure and TTPs used in these recent activities align with what has been reported in KISA’s report.

Kimsuky is a North Korean threat actor that has been active since 2012. The group conducts cyber espionage operations targeting government entities, mainly in South Korea. In December 2020, KISA (Korea Internet & Security Agency) published a detailed analysis of the phishing infrastructure and TTPs used by Kimsuky to target South Korea.

11/06/2021

[Via : TheHackerNews] An emerging ransomware strain in the threat landscape claims to have breached 30 organizations in just four months since it went operational, riding on the coattails of a notorious ransomware syndicate.

First observed in February 2021, "Prometheus" is an offshoot of another well-known ransomware variant called Thanos, which was previously deployed against state-run organizations in the Middle East and North Africa last year.

The affected entities are believed to be government, financial services, manufacturing, logistics, consulting, agriculture, healthcare services, insurance agencies, energy and law firms in the U.S., U.K., and a dozen more countries in Asia, Europe, the Middle East, and South America, according to new research published by Palo Alto Networks' Unit 42 threat intelligence team.

Like other ransomware gangs, Prometheus takes advantage of double-extortion tactics and hosts a dark web leak site, where it names and shames new victims and makes stolen data available for purchase, at the same time managing to inject a veneer of professionalism into its criminal activities.


11/06/2021

[Via : SCMagazine] Researchers reported Friday that TeamTNT is using compromised AWS credentials to attack AWS cloud environments via the cloud platform’s application programming interface. The threat actors are now also targeting the credentials of 16 additional applications, including the AWS apps as well as Google Cloud credentials.

The researchers said the threat actors can now identify all identity and access management (IAM) permissions, Elastic Compute Cloud (EC2) instances, S3 buckets, CloudTrail configurations, and CloudFormation operations granted to the compromised AWS credentials.

This attack was significant because in hitting Google Cloud it represents the first time attackers have targeted IAM credentials on compromised cloud instances outside of AWS. Although it’s still possible that TeamTNT could target the IAM credentials of Microsoft Azure, Alibaba Cloud, Oracle Cloud, or IBM Cloud using similar methods, Unit 42 researchers have yet to find evidence that there has been an attack on the other cloud providers. TeamTNT first started collecting AWS credentials on cloud instances they had compromised as early as August 2020.


10/06/2021

[Via : HackRead] Generally, agencies crack messages or seize an already available encrypted communication platform to keep track of cybercriminals. Two such examples are Encrochat and Phantom Secure, both of which were encrypted messaging networks.

However, it turns out that, as always, the FBI has been a step ahead of other agencies: it took control of a full-fledged encrypted communications company, Anom (known to users as the Anom app), while it was in its infancy and transformed it into a large-scale honeypot.

This means, instead of going after criminals, the FBI lured them to come to the bureau. Interestingly, the bureau tried to fill the void created by the seizure of encrypted services like Encrochat and SkyGlobal and presented Anom as the perfect mode of communication to criminals worldwide.


10/06/2021

[Via : ThreatPost] An ongoing surveillance operation has been uncovered that targets a Southeast Asian government using a previously unknown espionage malware, researchers said.

According to Check Point Research, the attack involves spear-phishing emails with malicious Word documents to gain initial access, along with the exploitation of older, known Microsoft Office security vulnerabilities. But most notable, researchers said, is the novel backdoor, which they said has been in development by a Chinese APT for at least three years.

The documents were “sent to different employees of a government entity in Southeast Asia,” according to the Check Point analysis. “In some cases, the emails are spoofed to look like they were from other government-related entities. The attachments to these emails are weaponized copies of legitimate looking official documents and use the remote template technique to pull the next stage from the attacker’s server.”


09/06/2021

[Via : HackRead] According to Canada Post, a detailed forensic analysis was carried out, and it found no evidence that financial information was exposed in the attack. When the impact on the shipping manifests was analyzed, investigators identified that the exposed data dated from July 2016 to March 2019. Around 97% of the exposed data contained the receiver’s name and address, and the remaining 3% contained email addresses or contact information.


08/06/2021

[Via : The Hacker News] Security researchers have discovered the first known malware, dubbed "Siloscape," targeting Windows Server containers to infect Kubernetes clusters in cloud environments.

"Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers," said Unit 42 researcher Daniel Prizmant. "Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers such as, but not limited to, cryptojackers."

31/03/2021

[Via : IndianExpress] Gurgaon-based mobile payments and digital wallet company MobiKwik on Tuesday said it would get a third-party forensic data security audit done after allegations of a data breach containing the company’s users’ details resurfaced. Cybersecurity experts claimed that the data of as many as 10 crore MobiKwik users had been leaked and put up for sale on the dark web.

“The company is closely working with requisite authorities on this matter, and considering the seriousness of the allegations will get a third party to conduct a forensic data security audit. For its users, the company reiterates that all MobiKwik accounts and balances are completely safe,” the company said in a statement.

Though the details of the alleged leak have been in the public domain for over a month now, the issue gained prominence on Monday after the so-called data dump was said to be posted for sale on the dark web. Later, a link with a search bar, where anyone could check whether their phone number, email address and other details were present in the data dump, was available on the darknet.

Read More : https://bit.ly/39qovAP

29/03/2021

May the festival of Holi add colors of happiness, colors of prosperity and colors of love in your life to help you paint a colorful life. Best wishes on Holi to you and your family from Team AqueXT.

28/03/2021

Cyber security complacency puts UK at risk, says NCSC head

National Cyber Security Centre CEO Lindy Cameron, in her maiden speech in the role, warns of challenges ahead for the UK and sets out the future agenda for cyber.

Address

Gurugram
