13th July, 2023
Foreign-Backed Cyber Attack Detected: New Espionage Campaign Targets U.S. Organizations
A joint cybersecurity advisory by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) has revealed a foreign-backed espionage campaign targeting a range of organizations. The campaign came to light after an unnamed Federal Civilian Executive Branch (FCEB) agency in the U.S. detected suspicious email activity in its Microsoft 365 (M365) cloud environment in mid-June 2023. Microsoft subsequently confirmed that advanced persistent threat (APT) actors had accessed and exfiltrated unclassified Exchange Online Outlook data. The affected organizations include the U.S. State Department and Commerce Department, as well as the email accounts of a congressional staffer, a U.S. human rights advocate, and U.S. think tanks. While the origin of the attack has not been officially disclosed, Microsoft has attributed the campaign to a threat actor known as Storm-0558, which primarily targets government agencies in Western Europe. The attack involved forged authentication tokens and the use of custom malware tools named Bling and Cigril.
Rising TrueBot Malware Attacks Prompt Alarm from Cybersecurity Agencies
Cybersecurity agencies have issued warnings about the emergence of new variants of the TrueBot malware, which are now specifically targeting companies in the United States and Canada. These attacks exploit a critical vulnerability (CVE-2022-31199) in the widely used Netwrix Auditor server and its associated agents. By leveraging this vulnerability, unauthenticated attackers can execute malicious code with elevated privileges, granting them unrestricted access to compromised systems. The TrueBot malware, associated with the cybercriminal groups Silence and FIN11, is being deployed to extract sensitive data and spread ransomware, posing a significant threat to infiltrated networks. The attackers first exploit the vulnerability to gain initial access and then install TrueBot. They escalate their privileges by installing the FlawedGrace Remote Access Trojan (RAT) and establish persistence on the compromised systems. Cobalt Strike beacons are then used for post-exploitation tasks, including data theft and the installation of ransomware or other malware payloads. Unlike previous versions, the updated TrueBot malware leverages CVE-2022-31199 instead of relying on malicious email attachments, enabling broader attacks within infiltrated environments. Notably, Netwrix Auditor is used by over 13,000 organizations worldwide. The advisory urges organizations to promptly implement the recommended security measures: installing the necessary updates to mitigate the vulnerability, deploying multi-factor authentication (MFA), actively monitoring networks for signs of TrueBot infection, and reporting any incidents to the appropriate authorities.
RedEnergy: A Stealer-as-a-Ransomware Threat Targeting Energy and Telecom Sectors
Privacy Threat: Spyware Apps Target 1.5 Million Android Users
Two file management apps on the Google Play Store have been identified as spyware, putting the privacy and security of 1.5 million Android users at risk. Pradeo, a leading mobile security company, uncovered the apps, named File Recovery and Data Recovery (com.spot.music.filedate) and File Manager (com.file.box.master.gkd), and found that both are developed by the same group. Despite their claims on the Google Play Store that no data is collected, these apps engage in deceptive behaviour and secretly collect various personal information without user consent. Contact lists, media files, real-time location, device details, and more are stolen and sent to malicious servers operated by foreign threat actors. Furthermore, these spyware apps employ tactics to appear legitimate and evade detection, such as artificially inflating their download numbers and hiding their icons on the home screen. Pradeo advises individuals to exercise caution when downloading apps and to read and understand the permissions requested, and advises businesses to educate employees about mobile threats and to implement robust mobile detection and response systems. This incident underscores the ongoing battle between cybersecurity experts and malicious actors, highlighting the need for users to stay vigilant and rely on trusted sources for software.