Posts

Threat Actor BlackTech

About: Advanced Persistent Threat BlackTech is a China-linked cyber espionage group. They have targeted many organizations working with the U.S. and Japanese militaries to steal sensitive information. They are also capable of modifying router firmware, deploying backdoors in victims' networks, and moving laterally between networks while evading detection. First appearing in 2010, BlackTech makes use of various malware families affecting Windows, Linux, and FreeBSD and updates them regularly. With the help of stolen code-signing certificates, the adversaries sign their malware to make it appear legitimate and evade their victims' defense mechanisms. The threat actor can also blend in with benign operating-system and network activity via Living-off-the-Land tools and techniques. However, their most dangerous technique is modifying router firmware without detection. This sophisticated technique helps in establishing persistence, disabling logging, moving laterally, and hiding their C2 communic

Threat Actor Higaisa

Overview: Threat actor Higaisa is suspected to have South Korean origins. They have repeatedly targeted government, public, and trade organizations of North Korea, along with China, Russia, Poland, and other nations. Although it was discovered in 2019, it has been active since at least 2009. How does Higaisa work? Initial access is achieved via spear phishing. They send emails containing malicious links to their targets. These links lead to files disguised either as documents of interest or as opinion forms allegedly coming from another organization. The victim ends up downloading the malicious link file or an executable (leading to a Cobalt Strike loader). Protection: Owners of network edge devices should ensure that management interfaces are not exposed to the public internet, to reduce their attack surface. Enforce strong multi-factor authentication (MFA) policies with the help of hardware security keys or Microsoft Authenticator. Reduce the attack surface b

Stone Panda

About: Stone Panda, also known as APT10, Red Apollo, MenuPass, or POTASSIUM, is a China-backed cyberespionage group active since 2006. They generally target aerospace, engineering, and telecom firms in China's rival countries. Allegedly, in March 2021, this advanced persistent threat also targeted the world's largest vaccine makers, Bharat Biotech and the Serum Institute of India (SII), by identifying gaps and vulnerabilities in their IT infrastructure and supply-chain software. The motive behind this is exfiltrating intellectual property and gaining a competitive advantage over Indian pharmaceutical companies. Tactics: This group uses RATs and directly targets managed information technology service providers (MSPs). Generally, an MSP helps manage a company's computer network and can be compromised via Poison Ivy, FakeMicrosoft, PlugX, ArtlEF, Graftor, and ChChes, delivered through spear-phishing emails. Prevention: General methods to combat a ransomware attack are as follows: Mandatory stro

GambleForce

Overview: A previously unknown threat actor codenamed GambleForce was discovered in 2023. It is tracked under the name EagleStrike GambleForce in Group IB's Threat Intelligence Platform. Since its emergence, it has targeted more than 20 gambling, government, retail, and travel websites in countries including Australia, India, Canada, Indonesia, the Philippines, China, South Korea, Thailand, and Brazil. GambleForce makes use of basic yet effective techniques, such as SQL injection and the exploitation of vulnerable website Content Management Systems (CMS), to steal sensitive information. Its name was coined because of its initial interest in targeting the gambling industry. Tactics & Techniques: The basic strategy of GambleForce relies on fundamental but effective techniques to exploit SQL vulnerabilities and weak spots in website CMSs. They have a precise target scope, with the gambling, government, retail, and travel industries in their crosshairs. However, the infamous SQ

UNC3886

Overview: UNC3886 is a China-linked hacker group that has been exploiting the vCenter Server zero-day vulnerability CVE-2023-34048 since at least late 2021. They possess unique capabilities both in how they operate on-network and in the tools used in their campaigns. They generally target firewall and virtualization technologies that lack EDR support, which indicates that the group has developed a deeper-level understanding of such technologies. They have also modified publicly available malware. How does it work? According to an investigation, UNC3886 relies on vSphere Installation Bundles (VIBs) to install two backdoors on ESXi hypervisors, tracked as VIRTUALPITA and VIRTUALPIE. VIBs are collections of files designed to manage virtual systems, used to create startup tasks, add custom firewall rules, or deploy custom binaries upon restart of an ESXi machine. The cyber espionage group harvests credentials for service accounts from a vCenter Server for all the connected ESXi hosts

APT 28

Introduction: APT 28 is also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, Tsar Team, STRONTIUM, and Forest Blizzard. It is a Russian cyber espionage group allegedly related to the Russian military intelligence agency GRU. Active since 2004, this group uses zero-day exploits, spear phishing, and malware to attack its targets. It has reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016, attempting to interfere with the U.S. presidential election. They are also said to be linked to the cyber attacks on the German Parliament, the Norwegian Parliament, the French television station TV5Monde, the White House, NATO, the Organization for Security and Co-operation in Europe, and the campaign of French presidential candidate Emmanuel Macron. Targets: APT28 has targeted Eastern European governments and militaries, the country of Georgia and the Caucasus, Ukraine, security-related organ

Earth Lusca: The Chinese Threat Actor

Introduction: Earth Lusca is also known as AQUATIC PANDA, BRONZE UNIVERSITY, CHROMIUM, Charcoal Typhoon, ControlX, FISHMONGER, Red Dev 10, RedHotel, and TAG-22. It is a Chinese threat actor that targets organizations of interest to the Chinese government. So far, they have targeted academic institutions, telecommunication companies, religious organizations, and other civil society groups. Its tools closely resemble those used by the Winnti Umbrella; however, the group appears to operate separately. Earth Lusca has also started targeting cryptocurrency payment platforms and cryptocurrency exchanges in its financially motivated attacks. How does Earth Lusca work? Initial access is achieved via spear phishing and/or watering-hole websites. They send emails containing malicious links to their targets. These links lead to files disguised either as documents of interest or as opinion forms allegedly coming from another organization. The victim ends up downloading t