CyberSecurity SEE

Joint advisory cautions about Beijing’s BlackTech threat activity while discussing new entrants in the C2C market and unattributed APTs.


A joint cybersecurity advisory issued by US and Japanese security and intelligence agencies warns about the threat of “BlackTech,” a PRC-linked cyber espionage group. The advisory highlights BlackTech’s ability to modify router firmware without detection and to exploit routers’ domain-trust relationships. The campaign typically begins with the compromise of routers at international subsidiaries, from which the actor pivots into the corporate networks of headquarters in the US and Japan. The main objective of BlackTech’s collection efforts has been the acquisition of intellectual property.

In other news, Group-IB has identified a new ransomware-as-a-service (RaaS) affiliate called “ShadowSyndicate.” This group has been notable for its versatility, using seven different ransomware families over the past year. Additionally, Resecurity warns that the Smishing Triad threat actor has greatly expanded its attack footprint in the United Arab Emirates (UAE), targeting individuals through malicious text messages. This group has also started offering its smishing kits for sale on Telegram to other cybercriminals.

Secureworks has published a report on the financially motivated threat actor known as “Gold Melody,” which acts as an initial access broker for other cybercriminal groups. Gold Melody relies on web shells, built-in operating system utilities, and proprietary remote access trojans (RATs) and tunneling tools to facilitate its activity within a compromised environment.

There have also been reports of a ransomware gang, Ransomed.vc, claiming to have hacked Sony and gained access to sensitive information. However, outsiders who have examined the proof-of-hack offer are skeptical, suggesting that the data may have been assembled from various third-party sources. Another criminal actor, “MajorNelson,” disputes Ransomed.vc’s claim and says it was responsible for the intrusion.

Moving on to unattributed Advanced Persistent Threats (APTs), NSFOCUS Security Labs has been tracking an APT group called “AtlasCross,” which impersonates the Red Cross in phishing lures to target its victims. The group has compromised twelve servers in the US, all hosted on Amazon’s cloud, and it shares no significant attribution indicators with other known threat groups.

Cisco Talos has discovered a new intrusion set, “ShroudedSnooper,” that targets Middle Eastern telecommunications providers. Talos has not been able to attribute this group to any known actors, but state-sponsored groups, particularly those operating on behalf of Iran and China, have recently shown a preference for attacking telecommunication providers in the Middle East and Asia.

Securonix has identified a phishing campaign targeting the Ukrainian military, with threat actors delivering malware through malicious Microsoft Compiled HTML Help (CHM) files. While the threat actor remains unattributed, the campaign appears to be acting in Russia’s interest.

Another threat actor known as “Sandman” has been targeting telecommunication providers in the Middle East, Western Europe, and South Asia. Sandman uses a backdoor called “LuaDream,” whose design indicates a well-executed, maintained, and actively developed project of considerable scale. However, the SentinelLabs researchers who described it have not been able to attribute this activity to any known threat actor.

Finally, Palo Alto Networks’s Unit 42 has reported on an obscure threat actor called “Gelsemium” that has been targeting a Southeast Asian government. This actor uses a combination of rare tools and techniques to gain access to sensitive information from government entities. Three separate clusters of cyberespionage activity have targeted different governmental entities in the same country, suggesting the involvement of distinct threat actors.

In an unrelated incident, the International Criminal Court (ICC) recently disclosed a cybersecurity incident that affected its information systems. The ICC has not provided further details about the incident, but the court is notable for its investigations of war crimes and crimes against humanity, including those allegedly committed by Russia in its invasion of Ukraine.

Yurii Shchyhol, head of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), has stated that Russian cyberespionage services have shifted their focus from Ukraine’s electrical power infrastructure to its law enforcement agencies. This shift suggests that Russian intelligence organs may be attempting to destroy evidence and interfere with war crimes investigations, or to conduct opposition research aimed at discrediting credible allegations of war crimes.

Overall, these developments underscore the ongoing cybersecurity threats posed by state-sponsored groups and cybercriminal organizations. It is crucial for organizations and governments to remain vigilant and constantly update their security measures to defend against these evolving threats.
