bascredits.blogg.se

Zyxel firmware recovery













The researchers make no attribution, but they note that "a recent report by Amnesty International links the group’s malware to an Indian cybersecurity company that may be selling the spyware or offering a hackers-for-hire service to governments of the region." The DoNot Team's focused list of targeted countries is suggestive: Pakistan, Bangladesh, Nepal, and Sri Lanka. ESET states, "According to ESET telemetry, Donot Team has been consistently targeting the same entities with waves of spearphishing emails with malicious attachments every two to four months. the web shells on these 18 compromised systems established a timeline that started on Decemand continued until December 29, 2021." DoNot Team targets South Asia. ESET offers an account of an APT (the "DoNot Team") which it regards as unsophisticated, but highly focused and tenacious. It’s important to note that ~34% of the 180 Horizon servers (62) we analyzed were unpatched and internet-facing at the time of this publication. The researchers stated, "Based on Huntress’ dataset of 180 Horizon servers, we’ve validated NHS’ intel and discovered 10% of these systems (18) had been backdoored with a modified absg-worker.js web shell. This activity amounts to "exploitation of Horizon itself and not the abuse of web shells" that were observed earlier. Researchers at Team Huntress, following up on warnings from the UK's NIH, have confirmed that unpatched VMware Horizon servers are now being actively attacked with Cobalt Strike implants.

Unpatched VMware Horizon servers attacked. The social engineering techniques can be broken down into spear phishing emails and watering hole websites." The third vector involves exploiting vulnerabilities in web-facing applications, including Microsoft Exchange ProxyShell and Oracle GlassFish. Trend Micro notes, "The group has three primary attack vectors, two of which involve social engineering. Trend Micro's technical analysis of the group's activity describes its infrastructure, a distinctive strain of malware, and its extensive social engineering. Its interests include "government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, Covid-19 research organizations, and the media," all predictable espionage targets, but Earth Lusca's activities are mixed: they also extend to some apparently financially motivated operations against gambling and cryptocurrency outfits. Earth Lusca is assessed as a Chinese group, part of the "Winnti Cluster," although it represents a distinct operation. Trend Micro on Monday reported on an "elusive" threat actor it calls "Earth Lusca," and that it's been tracking since the middle of last year.

Though cyber espionage is already a regular facet of global activity, as the situation deteriorates, we are likely to see more aggressive information operations and disruptive cyber attacks within and outside of Ukraine." Chinese cyberespionage campaign, with some apparently financially motivated attacks. "Russia and its allies will conduct cyber espionage, information operations, and disruptive cyber attacks during this crisis.

Security firm Mandiant has outlined the form it expects Russian cyber operations to assume. It was, however, less sophisticated than its predecessor, and in particular it lacked the self-propagating worm features that made NotPetya a general danger. WhisperGate was, like NotPetya a few years ago, a pseudo-ransomware attack that delivered a wiper behind defacements and spurious ransom demands. The Wall Street Journal sees last week's cyberattacks against Ukrainian targets as pointing to a broader risk of more general cyberwar. The operation is being called "WhisperGate." Microsoft has given the threat actor the temporary tracking identifier DEV-0586. It is, however, confident that the attack involved the use of a wiper, malware whose intent was the destruction of data, not their temporary denial (as in a conventional ransomware attack) or their theft. Microsoft said last Saturday that it hadn't been able to draw connections between Friday's cyberattacks against Ukraine and any of the threat actors it tracks. Russia operates in the grey zone against Ukraine.














