
Calling out the GRU: Hacktivist Auxiliaries as the Present and Future of Hacktivism, DPRK and Chinese Cyberespionage, Adversary-in-the-Middle Attacks


A joint advisory issued by the intelligence services of Australia, Canada, New Zealand, the United Kingdom, and the United States (the Five Eyes) provides further details on a recent cyberespionage campaign conducted by the GRU, Russia’s military intelligence agency. The campaign was first described by Ukraine’s SBU earlier this month and involved the use of malware called “Infamous Chisel” to target Android devices. The US Cybersecurity and Infrastructure Security Agency (CISA) explains that Infamous Chisel is capable of various malicious activities, including network backdoor access and file transfer. The malware was found to have mainly targeted Ukrainian military devices.

In another cyberattack incident, a Russian hacktivist group known as NoName057(16) launched distributed denial-of-service (DDoS) attacks on several Polish and Czech organizations. The attacks affected the Warsaw Stock Exchange, the Polish Government’s Trusted Profile identity verification service, and five major commercial banks in Poland. The attacks were carried out as a show of support for citizens in Poland who oppose their government’s perceived anti-Russian sentiment. The group then shifted its focus to Czech targets, including banks and the Prague stock exchange, with the intention of punishing those organizations for their support of Ukraine.

Polish authorities have arrested two Polish citizens in connection with an attack on the country’s railroad system. The attack resulted in the halting of twenty trains and was carried out by transmitting an acoustic tone over a radio system to issue stop signals. The suspects were found in possession of radio equipment and are believed to be behind the incident. The investigation is ongoing.

North Korea’s Lazarus Group has been found exploiting a vulnerability in ManageEngine ServiceDesk to target an internet backbone infrastructure provider in Europe, as well as healthcare entities in the US and Europe. The threat actor used the vulnerability to deploy a new malware called QuiteRAT, which has similar capabilities to Lazarus Group’s previously known MagicRAT malware. However, QuiteRAT has a significantly smaller file size due to the use of only a few required libraries. The Lazarus Group has been involved in various cyber activities recently.

A China-linked threat actor known as “GREF” has been distributing Android malware called BadBazaar via Trojanized versions of Telegram and Signal. The malware has previously been used to target Uyghurs and other Turkic ethnic minorities. This time, the malicious apps were shared in Uyghur Telegram groups, and the Signal app allowed the attacker to secretly monitor a victim’s communications.

A cyberespionage campaign conducted by a group called “Earth Estries” has been targeting government and technology organizations in several countries, including the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US. The actor is believed to be highly skilled and experienced in cyberespionage operations, and there are some similarities between Earth Estries and another China-linked group, FamousSparrow APT.

Meta, the parent company of Facebook, has taken down a long-running and persistent Chinese influence campaign. The campaign, dubbed “Spamouflage,” was the company’s biggest single takedown to date. The operators of the influence campaign appeared to have learned from previous similar campaigns, but their execution was not successful in gaining significant traction.

The Microsoft Threat Intelligence team has warned about a rise in adversary-in-the-middle (AiTM) phishing attacks, which are launched via phishing-as-a-service (PhaaS) offerings. These attacks aim to circumvent multi-factor authentication (MFA) protections at scale.

A new malware called “Prysmax” has been identified as a fully undetectable information stealer, capable of manipulating file associations to execute whenever an executable file is opened.

Securonix has discovered a new attack campaign called DB#JAMMER, which targets exposed MSSQL databases with brute-force attacks to deliver the FreeWorld ransomware. The attackers use a range of tools, including enumeration software, remote access trojans, and credential stealing software. The FreeWorld ransomware appears to be a variant of the Mimic ransomware.

In terms of patch news, various companies, including Mozilla, VMware, Juniper Networks, and Cisco, have released patches and mitigations for vulnerabilities in their products. CISA has also released an advisory for a vulnerability in PTC CodeBeamer, an industrial control system (ICS) software.

Lastly, the US Justice Department has announced the takedown of the Qakbot botnet, which was a multinational operation involving the FBI and other countries’ law enforcement agencies. Qakbot is a banking trojan that has infected thousands of computers worldwide and has been used to steal financial information from individuals and organizations.
