#AxisOfEasy 244: Goldbackdoor Malware Is Used Against Journalists By Nation-State Hackers


Weekly Axis Of Easy #244


Last Week’s Quote was  “Honest disagreement is often a good sign of progress,” was by Ghandi. We had 3 correct guesses, but Ruslan got it first! Congrats !

This Week’s Quote:  “How much time he saves who does not look to see what his neighbor says or does or thinks.” …by???

THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.

 


This is your easyDNS #AxisOfEasy Briefing for the week of May 2nd, 2022, wherein our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy. 
 
In this issue:
  • Reviews of Xi Jinping’s book have been removed from Amazon on Beijing orders 
  • Ukraine is battling against state-sponsored cyberattacks 
  • The EU joins Mastodon and creates its server
  • Experts Call Attention to 3 Hacking Teams Working Under the TA410 Group 
  • Goldbackdoor malware is used against journalists by nation-state hackers
 
Elsewhere online:
  • Twitter DMs should be end-to-end encrypted, according to Elon Musk
  • SharePoint, VPNs, and virtual machines targeted by Lapsus$
  • Vulnerabilities exploited during hacking contest warn Sybnology, QNAP and WD
  • Atlassian releases patches for Jira’s critical vulnerability
  • Sanctioned billionaire sells family stake in the digital bank to the richest person in Russia


Reviews of Xi Jinping’s book have been removed from Amazon on Beijing orders

Amazon removed all comments and reviews from a listing on its Chinese website that promoted speeches and writings by the Communist leader Xi Jinping after Beijing requested the removal of the comments on its site. According to a Reuters report, the action took place about two years ago, and it was part of a strategic effort to maintain favor in China.

Reuters notes that in an internal briefing published by Amazon in 2018, the company stated that propaganda and ideological control were how the Chinese communist party achieved and maintained its success. In response to the question, Amazon said, “We are not making any judgment on whether or not it is correct or incorrect.”

Moreover, Reuters showed that Amazon partnered with “an arm of China’s propaganda apparatus” to create a selling portal on its American website promoting life in Xinjiang, where around 1 million Uyghurs work in forced labor camps.

Read: https://www.newsweek.com/amazon-removed-reviews-xi-jinpings-book-orders-beijing-report-1660795 


Ukraine is battling against state-sponsored cyberattacks

At least five state-sponsored advanced persistent threat groups are believed involved in cyberattacks against Ukraine, which are tied to ground campaigns and designed to damage Ukraine’s digital infrastructure. Mr. Burt noted in a recent blog post that Russia is allegedly using cyberattacks to disrupt civilian services and institutions in Ukraine and to undermine confidence in that country’s leadership.

In the meantime, researchers at the Computer Emergency Response Team of Ukraine (CERT-UA) said the agency recorded 802 cyberattacks in the first quarter of 2022, more than double the number registered for the same period last year.

Nevertheless, Microsoft security teams collaborated with Ukrainian officials, government officials, and private-sector cybersecurity experts to identify and remediate threats against Ukrainian networks. The threat groups with known or suspected ties to Russia carried out a series of wiper attacks against Ukrainian organizations before the war started.

Microsoft said that 40% of the destructive attacks against Ukraine targeted critical infrastructure organizations, 32% government organizations, and eight malware families were deployed on Ukrainian networks in its most recent report. A detailed timeline of the attacks, including the malware used to support Russia’s military activity, is also included in the report.

Read: https://threatpost.com/cyberwar-ukraine-military/179421/ 


The EU joins Mastodon and creates its server

After Elon Musk’s bid for Twitter was accepted, the European Union created an EU Voice server to join Mastodon’s social network. European Commission’s server, dubbed EU Voice, joins Mastodon’s decentralized social network, known as a “Fediverse.”

The project represents the EU’s mission to support private and open-source software that can compete with mainstream platforms such as Twitter, Facebook, and YouTube. The European Commission also opened up an account for PeerTube, another decentralized video-sharing platform.

According to European Data Protection Supervisor Wojciech Wiewiórowski, the EU Voice and EU Video pilot launch prioritize individuals’ privacy and data protection rights by not relying on transfers of personal data to countries outside the European Union Economic Area. “These measures, amongst others, give individuals a choice and control over how their data is used,” he said.

The news could help Mastodon gain more visibility as it attempts to compete with Twitter. According to Mastodon founder Eugen Rochko, Mastodon grew in users over the past few days following Musk’s Twitter takeover announcement.

Read: https://www.pcmag.com/news/eu-joins-mastodon-social-network-sets-up-its-own-server 


Experts Call Attention to 3 Hacking Teams Working Under the TA410 Group

Cyberespionage threat actors targeting critical infrastructure sectors in Africa, the Middle East, and the U.S. have been using upgraded versions of remote access trojans that steal information. According to the Slovak cybersecurity firm ESET, the hacker collective called TA410 comprises three subgroups, dubbed FlowingFrog, LookingFrog, and JollyFrog, each with its tools and targets. 

Researchers first became aware of TA410 in 2019 when Proofpoint documented a phishing campaign targeting three U.S. utility companies using a novel malware called LookBack. The group resurfaced about a year later with a new backdoor called FlowCloud, which was also delivered to utility companies in the U.S. Proofpoint describes this as malware that gives attackers complete control over infected systems.

ESET’s investigation into the TA410 hacking crew’s toolset reveals a new version of FlowCloud, which can monitor clipboard events, monitor sound levels near compromised computers, and control cameras to take pictures.

Each team within TA410 uses different toolsets, including QuasarRAT, Korplug, X4, and LookBack. FlowingFrog uses a downloader called Tendyron, while LookingFrog uses X4 and LookBack to launch attacks against universities and governments.

TA410 is a cyber espionage umbrella targeting high-profile entities such as governments and universities worldwide,” ESET said. “Even though the JollyFrog team uses generic tools, FlowingFrog and LookingFrog have access to complex implants like FlowCloud and LookBack.”

Read: https://thehackernews.com/2022/04/experts-detail-3-hacking-teams-working.html 


Goldbackdoor malware is used against journalists by nation-state hackers

Hackers believed to be tied to the North Korean government used a sophisticated malware, dubbed Goldbackdoor, to steal information from journalists. The purpose of the attacks is to steal sensitive information that has been collected through multistage infections. According to Stairwell researchers, the campaign might’ve started in March and is still ongoing.

Stairwell followed up on a report from NK News that North Korean hacker group APT37 had stolen information from a former South Korean intelligence official’s computer. Reports indicate that the threat actor attempted to impersonate NK News to target journalists who used the official as a source. Researchers from the security firm uncovered the malware used in the attack and said it was likely a successor to the Bluelight malware.

Stairwell researchers noted that journalists are often targets for cyber-espionage attacks, and compromised journalists may give access to sensitive information. They have identified multiple malware samples used in a spear-phishing campaign targeting journalists that specialize in the DPRK. One of these samples is Goldbackdoor, a multistage malware designed to separate the first stage tooling and the final payload and that uses Microsoft Azure for remote command execution.

Researchers analyzed a ZIP file containing an LNK shortcut called Kang Min-chol Edits2.zip used by a compromised site that impersonated NK News. The LNK shortcut then executed a PowerShell script that started the deployment process of Goldbackdoor, researchers said.

A PowerShell script decodes a second PowerShell script, executing a shellcode payload XOR – named “Fantasy” stored on Microsoft OneDrive, to deliver Goldbackdoor. The second shellcode payload will provide a Windows Portable Executable PE file for Goldbackdoor.

Read: https://threatpost.com/hackers-target-journalists-goldbackdoor/179389/   


Elsewhere online:

Twitter DMs should be end-to-end encrypted, according to Elon Musk

Read: https://www.bitdefender.com/blog/hotforsecurity/elon-musk-says-twitter-dms-should-be-end-to-end-encrypted-2/

SharePoint, VPNs, and virtual machines targeted by Lapsus$

Read: https://www.techtarget.com/searchsecurity/news/252516516/Lapsus-targeting-SharePoint-VPNs-and-virtual-machines 

Vulnerabilities exploited during hacking contest warn Sybnology, QNAP and WD

Read: https://www.securityweek.com/synology-qnap-wd-warn-users-about-vulnerabilities-exploited-hacking-contest 

Atlassian releases patches for Jira’s critical vulnerability

Read: https://thehackernews.com/2022/04/atlassian-drops-patches-for-critical.html 
 
Sanctioned billionaire sells family stake in the digital bank to the richest person in Russia

Read: https://www.businessinsider.com/oleg-tinkov-tinkoff-sanctioned-russian-vladimir-potanin-putin-bank-ukraine-2022-4


Previously on #AxisOfEasy

If you missed the previous issues, they can be read online here:



 

 

 

 

3 thoughts on “#AxisOfEasy 244: Goldbackdoor Malware Is Used Against Journalists By Nation-State Hackers

  1. This weeks quote
    “How much time he saves who does not look to see what his neighbor says or does or thinks”,

    paraphrasing the original stoic, Marcus Aurelius.

Leave a Reply

Your email address will not be published. Required fields are marked *