Defense operators of the U.S. Cyber Command have returned from Croatia following an investigation of malicious cyber activity
For the first time in U.S. Cyber Command history, a team of cyber operators has returned from Croatia with a new perspective on hunting for harmful activity. These hunts are conducted routinely to learn about adversary activities and defend the homeland and collective cybersecurity.
Experts from the Croatian Security and Intelligence Agency's (SOA) Cyber Security Centre and U.S. military personnel explored national networks for weaknesses and malicious cyber activity. The team has recently returned to the United States after the two sides shared their methodologies and capabilities.
By August 2022, the team had conducted 35 hunt operations in countries including Estonia, Lithuania, Montenegro, North Macedonia, and Ukraine. The concept of "hunting" in cybersecurity refers to looking for threats that are present on a network or system but have not yet been detected. Hunt operation teams enable their counterparts to pursue and address the threats they have found.
Besides countering malicious cyber activity and the actors who target allied nations' networks, data, and platforms, the U.S. and these nations gain valuable insight into adversaries' tactics, techniques, and platforms. Knowing their plans and tools helps American and allied forces disrupt and even stop this illegal cyber activity before it causes harm.
Read: https://www.helpnetsecurity.com/2022/08/19/u-s-cyber-command-croatia/
An updated version of Escanor RAT malware is being distributed via Microsoft Office documents and PDF files
Security researchers at Resecurity have identified a new remote administration tool (RAT) dubbed Escanor. The researchers spotted this RAT on dark web forums and Telegram channels, and reported that attackers use it to weaponize Microsoft Office and Adobe PDF documents that deliver malicious code.
On January 26th, 2022, Escanor was released as an HVNC implant that allows an operator to connect silently to a victim's computer and control it remotely. It eventually evolved into a full-scale commercial RAT, gaining over 28,000 Telegram subscribers and a sizeable reputation on the dark web.
A mobile version known as "Esca RAT" is also being actively used by cybercriminals to attack online-banking customers by intercepting OTP codes. The tool can also collect the victim's GPS coordinates, activate hidden cameras, and browse their files to steal data. The actors use decoy documents that imitate invoices and notifications from well-known online services.
Most notably, Escanor has been identified as connected to APT-C-23, a group active in the Middle East and known to target Israeli military assets. Most victims infected by Escanor have been identified in the U.S., Canada, UAE, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico, and Singapore, with some infections in South-East Asia.
Read: https://www.infosecurity-magazine.com/news/escanor-rat-malware-microsoft-pdf/
Shalev Hulio: CEO of Blacklisted Israeli Spyware Resigns his Position
Shalev Hulio, CEO of NSO Group (the Israeli company behind the Pegasus spyware), will be stepping down as part of a restructuring plan that will cut 100 jobs. The group announced this on Sunday, stating that it will focus on sales in countries belonging to the North Atlantic Treaty Organization (NATO) alliance. The company is known for a July 2021 investigation that revealed that Pegasus spyware was sold to governments and used against human rights activists and reporters worldwide.
Even though NSO is privately owned, the Israeli Ministry of Defense must first approve any export of cyber warfare technologies. This has led privacy activists and political commentators to state that Israel's political interests have influenced Pegasus sales to governments with records of human rights abuses. Although NSO denied any wrongdoing, the company was added to a US export blacklist last year, which prevents it from buying from American companies.
Pegasus spyware was spotted targeting the European Justice Commissioner in April 2022, and months later it was used in an espionage campaign targeting a pro-democracy movement in Thailand. The spyware was also found on the Spanish PM's smartphone in May.
Read: https://www.infosecurity-magazine.com/news/ceo-israeli-spyware-nso-pegasus/
New Russian Malware Detected by Microsoft
Microsoft tracks a threat actor referred to as Nobelium, Cozy Bear, the Dukes, and Yttrium, thought to have orchestrated the SolarWinds hack in 2020 and the attack against the DNC (Democratic National Committee) in 2016. In 2021, Microsoft published an analysis of FoggyWeb, a data-collection tool that the group was deploying on AD FS (Active Directory Federation Services) servers.
Microsoft is now sharing details on MagicWeb, which adds access capabilities on top of data theft, allowing the attackers to sign in to the compromised Active Directory as any user. As observed, Nobelium used highly privileged credentials to gain administrative access to an AD FS system before deploying MagicWeb.
After accessing AD FS, the threat actor replaced a legitimate DLL with a malicious one and modified a configuration file so that the backdoor library is loaded at startup, bypassing AD FS's claims-based authentication. MagicWeb injects itself into the claims process, manipulating the user authentication certificates that Security Assertion Markup Language (SAML) relies on and bypassing AD FS policies. Microsoft states that the attack depends on the compromise of highly privileged administrator accounts, and that protecting those accounts should stop the threat.
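Because the technique described above rests on a swapped DLL and an edited startup configuration, a defender's first check on an AD FS server is whether every loaded library still carries a valid Microsoft signature and whether the service configuration references anything outside the product. The PowerShell below is an added example written for this newsletter; it is not code from the article or from Microsoft's MagicWeb write-up. The install directory and the config file name are assumptions based on a default AD FS deployment and should be adjusted to match your environment.

```powershell
# Added example: integrity check of an AD FS installation (not from the article).
# Assumption: AD FS is installed in the default location below; change if yours differs.
$adfsDir    = 'C:\Windows\ADFS'
$configFile = Join-Path $adfsDir 'Microsoft.IdentityServer.Servicehost.exe.config'

# 1. Every DLL shipped with AD FS should carry a valid signature from Microsoft.
#    Anything unsigned, tampered, or signed by someone else is a lead to investigate.
$suspectDlls = Get-ChildItem -Path $adfsDir -Filter '*.dll' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [pscustomobject]@{
            Path   = $_.FullName
            Status = $sig.Status
            Signer = $signer
            Hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft Corporation' }

if ($suspectDlls) {
    Write-Warning 'DLLs in the AD FS directory without a valid Microsoft signature:'
    $suspectDlls | Format-Table -AutoSize
} else {
    Write-Host 'All DLLs under the AD FS directory carry a valid Microsoft signature.'
}

# 2. The service host configuration should only reference product assemblies.
#    A library forced to load at startup generally shows up here as an extra type entry.
if (Test-Path $configFile) {
    [xml]$cfg = Get-Content -Path $configFile -Raw
    $foreignTypes = $cfg.SelectNodes('//*[@type]') |
        ForEach-Object { $_.type } |
        Where-Object { $_ -and $_ -notmatch '^(Microsoft|System)\.' }

    if ($foreignTypes) {
        $foreignTypes | ForEach-Object {
            Write-Warning "Non-Microsoft type referenced in AD FS config: $_"
        }
    } else {
        Write-Host 'No non-Microsoft types referenced in the service host configuration.'
    }
} else {
    Write-Warning "Config file not found at $configFile (path is an assumption; adjust it)."
}
```

Treat the output as leads rather than verdicts: some legitimate Windows binaries are catalog-signed rather than Authenticode-signed and will show a status other than `Valid`, so compare the reported hashes against a known-good AD FS server or a clean installation media before drawing conclusions. Run the script from an elevated session, and baseline the results so that later runs can be diffed.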
Read: https://www.securityweek.com/microsoft-details-new-post-compromise-malware-used-russian-cyberspies
Elsewhere Online
Critics doubt that spyware maker NSO Group's struggles will lower the use of its eavesdropping tech
Read: https://www.cyberscoop.com/nso-group-reorganization-spyware-abuses/
How Microsoft found a critical defect in ChromeOS, and how Google managed to fix it
Read: https://www.zdnet.com/article/microsoft-how-we-unearthed-a-critical-flaw-in-chromeos-and-how-google-fixed-it/
Counterfeit Phones Found With Backdoor to Hack WhatsApp Accounts
Read: https://thehackernews.com/2022/08/researchers-find-counterfeit-phones.html
NSA: Nigeria Has Become a Part Of Budapest Cybercrime Convention
Read: https://tribuneonlineng.com/nigeria-now-part-of-budapest-convention-on-cybercrime-%E2%80%95-nsa/
Sferra Discloses Data Breach
Read: https://www.securityweek.com/textile-company-sferra-discloses-data-breach