Andariel APT Using DoraRAT and Nestdoor Malware to Spy on South Korean Businesses

Researchers have uncovered new attacks by a North Korean advanced persistent threat actor – Andariel APT group – targeting Korean corporations and other organizations. The victims include educational institutions and companies in the manufacturing and construction sectors. The attackers employed keyloggers, infostealers, and proxy tools alongside backdoors to control and extract data from compromised systems, said researchers at the AhnLab Security Intelligence Center (ASEC). The malware used in these attacks includes strains previously attributed to the Andariel APT group, including the backdoor "Nestdoor." Additional tools include web shells and proxy tools linked to the North Korean Lazarus group that now contain modifications compared to earlier versions. Researchers first observed a confirmed attack case where malware was distributed via a web server running an outdated 2013 version of Apache Tomcat, which is vulnerable to various attacks. "The threat actor used the web server to install backdoors, proxy tools, etc.," the researchers said.

[Figure: Apache Tomcat compromised to spread malware by Andariel APT. (Credit: Ahnlab)]

Malware Used by Andariel APT in this Campaign

The first of the two malware strains used in the latest campaign was Nestdoor, a remote access trojan (RAT) that has been active since May 2022. This RAT can execute commands from the threat actor to control infected systems. Nestdoor has been found in numerous Andariel attacks, including those exploiting the VMware Horizon product’s Log4Shell vulnerability (CVE-2021-44228). The malware is developed in C++ and features capabilities such as file upload/download, reverse shell, command execution, keylogging, clipboard logging, and proxy functionalities. A specific case in 2022 involved Nestdoor being distributed alongside TigerRAT using the same command and control (C&C) server. Another incident in early 2024 saw Nestdoor disguised as an OpenVPN installer. This version maintained persistence via the Task Scheduler and communicated with a C&C server.

The Andariel APT has been developing new malware strains in the Go language for each campaign. Dora RAT, a recent discovery, is one such malware strain. The backdoor malware supports reverse shell and file transfer operations and exists in two forms: a standalone executable and an injected process within "explorer.exe." The latter variant uses an executable in WinRAR SFX format, which includes an injector malware. The Dora RAT has been signed with a valid certificate from a UK software developer in an attempt to make it look legitimate.

Additional Malware Strains

  • Keylogger/Cliplogger: Performs basic functions like logging keystrokes and clipboard contents, stored in the “%TEMP%” directory.
  • Stealer: It is designed to exfiltrate files from the system, potentially handling large quantities of data.
  • Proxy: Includes both custom-created proxy tools and open-source Socks5 proxy tools. Some proxies are similar to those used by the Lazarus group in past attacks.
The Andariel group, part of the larger Lazarus umbrella, has shifted from targeting national security information to also pursuing financial gains. Last month, the South Korean National Police Agency revealed a targeted campaign of the Andariel APT aimed at stealing the country’s defense technology. Andariel APT hackers gained access to defense industry data by compromising an employee account, which was used in maintaining servers of a defense industry partner. The hackers injected malicious code into the partner’s servers around October 2022, and extracted stored defense technology data. This breach exploited a loophole in how employees used their personal and professional email accounts for official system access. Andariel APT's initial attack methodology primarily includes spear phishing, watering hole attacks, and exploiting software vulnerabilities. Users should remain cautious with email attachments from unknown sources and executable files from websites. Security administrators are advised to keep software patched and updated, including operating systems and browsers, to mitigate the risk of malware infections, the researchers recommended.

IoCs to Watch for Signs of Andariel APT Attacks

IoCs to monitor for attacks from the Andariel APT group include MD5 hashes of the Nestdoor and Dora RAT samples, the keylogger/cliplogger and the stealer, and the C&C addresses used by Nestdoor and Dora RAT.

OpenAI Exposes AI-Powered State Actors in Global Influence Operations

Malicious actors from Russia, China, Israel, and Iran have been leveraging artificial intelligence to target victims, according to OpenAI's latest report. These threat actors from the aforementioned nations are using AI models in covert influence operations. The report details various adversary tactics ranging from the grammatical manipulations by the "Bad Grammar" network to the advanced strategies employed by the "Doppelganger" threat actor, providing deep insights into these malevolent activities. Through an in-depth analysis of recent developments and disruptions, the AI and Covert Influence Operations Latest Trends report offers invaluable insights into the modern-day tactics employed by threat actors to manipulate narratives and influence public opinion across online platforms.

Threat Actors Employ AI and Covert Influence Operations

These threat actors, hailing from diverse geopolitical regions, including Russia, China, Iran, and a commercial entity based in Israel, have exploited the technology of artificial intelligence, especially generative AI, to create a series of covert influence operations. These operations, meticulously documented and analyzed within the report, exemplify the sophisticated strategies employed by malicious actors to exploit AI technologies for their nefarious agendas, says OpenAI. One of the prominent operations highlighted in the report is "Bad Grammar," a previously undisclosed campaign originating from Russia. Operating primarily on the messaging platform Telegram, Bad Grammar sought to disseminate politically charged content targeting audiences in Ukraine, Moldova, the Baltic States, and the United States. Despite its geographic reach, this operation was characterized by its blatant grammatical errors, reflecting a deliberate attempt to undermine credibility while leveraging AI models for content generation. Similarly, the report sheds light on the activities of "Doppelganger," a persistent threat actor linked to Russia, engaged in disseminating anti-Ukraine propaganda across various online channels. Employing a hybrid approach that combines AI-generated content with traditional formats such as memes sourced from the internet, Doppelganger exemplifies the fusion of old and new tactics in these campaigns.

Influencing Geographical Politics

The report also highlights covert influence campaigns linked to China, Iran, and a commercial group in Israel, in addition to those connected with Russia. These operations, known by names like "Spamouflage" and "STOIC," use various strategies to push their specific agendas. Their activities include promoting pro-China narratives while attacking its detractors, as well as creating content focused on the Gaza conflict and the elections in India. Despite the diverse origins and tactics employed by these threat actors, the report highlights common trends that shed light on the current state of covert influence. One such trend is the pervasive use of AI models to augment productivity and streamline content generation processes. From generating multilingual articles to automating the creation of website tags, AI serves as a force multiplier for malicious entities seeking to manipulate digital discourse. Furthermore, the report goes deeper into the intricate interplay between AI-driven strategies and human error, emphasizing the inherent fallibility of human operators engaged in covert influence operations. Instances of AI-generated content containing threatening signs of automation by state-hackers.

Chinese Threat Actors Employ Operational Relay Box (ORB) Networks to Evade IOCs

By: Alan J
23 May 2024 at 09:15

Cybersecurity defenders have widely relied on blocking attacker IP addresses through identified IOCs in response to threat actor campaigns. However, Chinese threat actors are rapidly rendering this usual strategy obsolete through the widespread adoption of ORB Networks. ORBs are complex, multi-layered networks, typically managed by private companies or entities within the Chinese government. They offer access to a constantly shifting pool of IP addresses, allowing multiple threat actors to mask their activities behind seemingly innocuous traffic.

Use of ORB Networks by Threat Actors Presents Additional Challenges to Defenders

Researchers from Mandiant stated that the sheer size and scope of these networks, often hundreds of thousands of nodes deep, provide a great deal of cover and make it difficult for defenders to attribute and learn more about attackers. Additionally, the geographic spread of ORBs allows hackers in China to circumvent geographic restrictions or appear less suspicious by connecting to targets from within their own region. Most importantly, ORB nodes are short-lived, with new devices typically cycled in and out every month or few months, making it difficult for defenders to tie IPs to their users for any meaningful length of time.

These operational relay box networks (ORBs) are maintained by private companies or elements within the Chinese government and are made up of five layers: Chinese servers, virtual private servers (VPS), traversal nodes, exit nodes, and victim servers. ORBs can be classified into two groups: provisioned, which use commercially rented VPSs, and nonprovisioned, built on compromised and end-of-life routers and Internet of Things (IoT) devices. These networks are akin to botnets, and ORB network administrators can easily grow the size of their network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations. The researchers cited two prominent examples to illustrate the sophistication of these networks:
  • ORB3/SPACEHOP: A provisioned network linked to APT5 and APT15, targeting entities in North America, Europe, and the Middle East. Known for exploiting vulnerabilities like CVE-2022-27518.
  • ORB2/FLORAHOX: A hybrid network employing compromised Cisco, ASUS, and DrayTek routers, alongside TOR network relays and VPS servers. Linked to APT31 and Zirconium, demonstrating a multi-layered approach to traffic obfuscation.

Adapting to the Threat of ORB Networks

Researchers have advised that instead of simply blocking adversary infrastructure, defenders must now consider temporality, multiplicity of adversaries, and ephemerality. They recommend approaching these ORB networks as distinct entities with distinct tactics, techniques, and procedures (TTPs) rather than relying on inert indicators of compromise. By analyzing their evolving characteristics - including infrastructure patterns, behaviors, and TTPs - defenders can gain valuable insights into the adversary's tactics and develop more effective defenses. While leveraging proxy networks for attack obfuscation isn't new, the rise of the ORB network industry in China points to long-term investments in equipping cyber operators with more sophisticated tactics and tools. The evolution of these ORB networks also highlights that a static defense may be a losing defense. To counter this growing threat and level the playing field, enterprises must embrace a mindset of continuous adaptation, while investing in advanced threat intelligence, behavioral analysis tools, and skilled personnel.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

“Incognito Market” Operator Arrested for Running $100M Narcotics Marketplace

U.S. law enforcement has arrested an alleged operator of "Incognito Market," a major online dark web narcotics marketplace that facilitated more than $100 million in illegal narcotics sales globally. Rui-Siang Lin, a 23-year-old from Taiwan, was arrested at John F. Kennedy Airport on May 18 for allegedly operating the Incognito Market using the pseudonym "Pharoah." Lin oversaw all aspects of the site, including managing employees, vendors and customers, revealed an unsealed indictment filed with the federal court at the U.S. Southern District of New York. Since its inception in October 2020 until its closure in March, Incognito Market sold vast quantities of illegal narcotics, including hundreds of kilograms of cocaine and methamphetamines, globally via the dark web site that could be reached through Tor web browser. The underground marketplace facilitated an overall sale of more than $100 million of narcotics in its 41 months of operation. The popularity of this marketplace can be gauged from the fact that by June 2023 it was generating sales of $5 million per month.

Features and Transactions of Incognito Market

Incognito Market mimicked legitimate e-commerce sites with features like branding, advertising and customer service. Users could search listings for various narcotics after logging in with unique credentials. The site offered illegal narcotics and misbranded prescription drugs, including heroin, cocaine, LSD, MDMA, oxycodone, methamphetamines, ketamine, and alprazolam. “For example, in November 2023, an undercover law enforcement agent received several tablets that purported to be oxycodone, which were purchased on Incognito Market. Testing on those tablets revealed that they were not authentic oxycodone at all and were, in fact, fentanyl pills,” the Justice Department said.

Vendors paid a non-refundable admission fee of $750 and a 5% commission on each sale to Incognito Market, according to the indictment. This fee funded market operations, including salaries and server costs. Incognito Market also operated its own “bank” to facilitate the illicit transactions. This bank allowed users to deposit cryptocurrency, which facilitated anonymous transactions between buyers and sellers while deducting the site’s commission, again of 5%. This banking service obscured the locations and identities of vendors and customers from each other and from law enforcement. It kept the financial information of vendors and buyers separate, making it more difficult for any one actor on the marketplace to learn any other actor’s true identity, a complaint filed against Lin said.

The bank also offered an “escrow” service enabling both buyers and customers to have additional security concerning their narcotics transactions. The escrow service was set up in such a way that a buyer’s money would be released to a seller only after specified actions, for example, once the shipment of narcotics is made. “With the escrow service, sellers know they will be paid for their illegal narcotics and buyers know their payments will be released to sellers after specified events occur,” the complaint said.

The Exit Scam

As Lin suddenly shuttered the Incognito Market in March 2024, he tried pulling an exit scam, stealing the users’ funds stored in its escrow system, and also tried to ransom the market’s drug vendors. Lin demanded ransom in the range of $100 to $2,000 from them in exchange for not turning their data over to law enforcement.

Lin’s Technical Prowess

Lin seems like a knowledgeable person in the field of security and cryptocurrency, as per social media accounts listed in the complaint against him. Lin’s GitHub account describes him as a “Backend and Blockchain Engineer, Monero Enthusiast.” This GitHub account has approximately 35 publicly available software coding projects. “Collectively, these coding projects indicate that LIN has significant technical computing knowledge, including knowledge necessary to administer a site like (“Incognito Marketplace”),” the complaint said. The coding projects include operation of cryptocurrency servers and web applications like PoW Shield, a tool to mitigate DDoS attacks; Monero Merchant, a software tool that allows online merchants to accept XMR for payment; and Koa-typescript-framework, a webframe software program used as a foundation for web applications. Lin also did a YouTube interview explaining how his anti-DDoS tool “PoW Shield” worked for Pentester Academy TV in October 2021, displaying his technical prowess.

The final evidence that law enforcement found linking Lin to the administrator “Pharoah” of Incognito Market was a “simple” hand-drawn workflow diagram of a darknet marketplace that was mailed from Lin’s personal email address.

[Figure: Workflow of Darknet Marketplace sent from Lin's personal email account. Credit: Justice Department]

“This diagram appears to be a plan for a darknet market. Notably, the diagram indicated “vendor,” “listing,” “pgp key,” and “admin review,” all of which are features of (Incognito Market),” the complaint said.

Charges and Potential Sentences

Lin faces the following potential sentencing, if convicted:
  • Continuing Criminal Enterprise: Mandatory minimum penalty of life in prison.
  • Narcotics Conspiracy: Maximum penalty of life in prison.
  • Money Laundering: Maximum penalty of 20 years in prison.
  • Conspiracy to Sell Adulterated and Misbranded Medication: Maximum penalty of five years in prison.
A federal district court judge will determine Lin's sentence after reviewing the U.S. Sentencing Guidelines and other statutory factors.

BreachForums Fallout: Secretforums Announces BF Ranks, USDoD Shares Update

By: Alan J
21 May 2024 at 03:47

Secretforums, a data leaks forum, announced that it would bestow former BreachForums members with ranks similar to what they had previously held on the seized forums. The BreachForums domain had recently been taken down in a joint law enforcement operation, with its main admin Baphomet reportedly being arrested. After its seizure, several other individuals and groups have been vying for control and credibility over the displaced cybercriminal community.

Secretforums Admin Alleges Ex-BreachForums Admin Was Informer

While the veracity of these claims is unknown and doubted, the Secretforums admin and former owner of Blackforums stated his belief that Baphomet, the admin and owner of BreachForums following its previous takedown, was an informer to law enforcement. The Secretforums admin alleged that Baphomet expressed strong interest in being involved with the infrastructure management of Blackforums and had been attempting to influence him towards the setup of a bastion server to assist with logs and security issues.

[Figure: Secretforums admin's statement. Source: Secretforums Telegram]

The Secretforums admin claimed that the requests had never been fulfilled, with full access never being granted to anyone, including the other admins of Secretforums, and that he was solely responsible for the forum's infrastructure and security. Additionally, the admin alleged that no logs were ever saved from either site aside from email addresses, usernames and password hashes for essential site functionality. The earlier allegations along with the offer to grant similar roles to ex-BreachForums members may be part of a concerted effort to gain traction among the seized forum's former members and contributors. The admin also cast doubt on the new admin ShinyHunters and their efforts to rebuild BreachForums through the use of older backups.

[Figure: Secretforums announcement. Source: Secretforums Telegram]

Through a message on the Secretforums Telegram channel, the admin directed ex-members to reach out to a specified handle with proof of their previous ranks along with their Secretforums username to receive similar ranks.

USDoD Shares Updates on 'Breach Nation' Details

In addition to the Secretforums development, the threat actor USDoD shared further details about his attempts to build Breach Nation in a long post on X (Twitter). The threat actor claimed that neither he nor Breach Nation were affiliated with BreachForums' staff.

[Figure: USDoD's post on Breach Nation. Source: X.com (@EquationCorp)]

USDoD attempted to differentiate Breach Nation from BreachForums by stating that the new forum would not feature a porn section, and would restrict itself to the upload of databases and leads as a primary focus while not allowing the upload of files such as combos and stealer logs 'to ensure the best quality content'. Additionally, the site would be organized into "High-Quality Leaks" for databases originating from First World countries, and "Secondary Leaks" for leaks stemming from other countries, with the lead section separated into its own category. The site would feature a threat intelligence section to facilitate discussions on the subject, as the threat actor felt there was a range of opportunities within the scope of the topic. USDoD stated that he was working on obtaining the CDN records from the defunct BreachForums, and cited the presence of a market, functioning escrow system and credit system as similarities to the old forums. However, he also mentioned additional changes that might occur, such as the option to use the credit system to boost ranks within the forums and the absence of categories such as software and cracking in the initial stages of the forum, where he would function as the sole administrator. The forum would initially be public with a clearnet domain, but would later shift to invite-only and also feature an alternate onion address.

These efforts made on both Secretforums and Breach Nation to bolster forum development and appeal to former BreachForums members highlight the competitiveness between various cybercriminal forums, underlying fears of forum compromise by law enforcement and the recognition of the rank/credit system as a way to gain additional engagement by allowing contributors to build a reputation within the community.

Void Manticore: Iranian Threat Actor Targeting Israel and Beyond with Data Wipers

An Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) is using destructive data wiping attacks combined with influence operations to target Israel and Albania. Tracked as Void Manticore, aka Storm-842, the threat actor operates under multiple online personas, of which the primary aliases include “Homeland Justice” for attacks in Albania and "Karma" for those in Israel. Since October 2023, Check Point Research monitored Void Manticore's activities targeting Israeli organizations with destructive attacks using wipers and ransomware. The group employs five different methods for disruptive operations, including custom wipers for both Windows and Linux operating systems, as well as manual deletion of files and shared drives. Void Manticore’s activities in Israel are marked by the use of a custom wiper named “BiBi,” after Israeli Prime Minister Benjamin Netanyahu. The group also uses a persona named "Karma" to leak stolen information, portraying themselves as an anti-Zionist Jewish group. This persona gained prominence during the Israel-Hamas conflict in late 2023. The Void Manticore threat actor employs relatively simple and direct techniques, often using basic publicly available tools. Their operations typically involve lateral movements using Remote Desktop Protocol (RDP) and the manual deployment of wipers. One of their prominent tools is “Karma Shell,” a homebrewed web shell disguised as an error page. This malicious shell is capable of directory listing, process creation, file uploads, and service management.

The Destructive Wiper Capabilities of Void Manticore

Void Manticore utilizes various custom wipers in their attacks:
  1. Cl Wiper: First used in attacks against Albania, this wiper uses the ElRawDisk driver to interact with files and partitions, effectively erasing data by overwriting physical drives with predefined buffers.
  2. Partition Wipers: These wipers remove partition information, leading to the loss of all data on the disk by corrupting the partition table, resulting in a system crash during reboot.
  3. BiBi Wiper: Deployed in recent attacks against Israel, this wiper exists in both Linux and Windows variants. It corrupts files and renames them with specific extensions, causing significant data loss.
Apart from automated wipers, Void Manticore engages in manual data destruction using tools like Windows Explorer, SysInternals SDelete and the Windows Format utility, furthering their impact on targeted systems.

Psychological Warfare and Collaboration with Scarred Manticore

Void Manticore’s strategy also includes psychological operations, aiming to demoralize and disrupt their targets by publicly leaking sensitive information. This dual approach amplifies the impact of their cyberattacks, making them a formidable threat. Notably, there is a significant overlap and cooperation between Void Manticore and another Iranian threat group, Scarred Manticore (aka Storm-861). Analysis shows a systematic handoff of victims between these two groups. For instance, Scarred Manticore might establish initial access and exfiltrate data, after which Void Manticore executes the destructive data wiping attack. This collaboration enables the Void Manticore threat actor to leverage Scarred Manticore’s advanced capabilities and gain access to high-value targets. “In the case of one victim, we discovered that after residing on the targeted network for over a year, Scarred Manticore was interacting with the infected machine at the exact moment a new web shell was dropped to disk. Following the shell’s deployment, a different set of IPs began accessing the network, suggesting the involvement of another actor – Void Manticore,” the researchers said. “The newly deployed web shell and subsequent tools were significantly less sophisticated than those in Scarred Manticore’s arsenal. However, they led to the deployment of the BiBi wiper, which is linked to Karma’s activity.” Void Manticore represents a significant cyber threat, particularly in the context of geopolitical tensions involving Iran. Iranian President Ebrahim Raisi died in a helicopter crash in a remote area of the country. Rescuers identified Raisi's body early Monday after searching in the mountainous northwest near the Azerbaijan border. Since his election in 2021, Raisi had tightened morality laws, cracked down on antigovernment protests and resisted international oversight of Tehran’s nuclear program.
Israel’s war in Gaza has escalated conflicts with Iran-backed groups like Hezbollah in Lebanon and the Houthis in Yemen. Last month, Iran and Israel exchanged direct strikes. It is still unclear whether Raisi’s death is also linked to Israeli operations. Meanwhile, the recent escalations mean that Void Manticore’s coordinated operations with Scarred Manticore, combining technical destruction and psychological manipulation, position them as a highly dangerous actor. Their activities not only target infrastructure but also aim to influence public perception and political stability, underlining the multifaceted nature of modern cyber warfare.

SugarGh0st RAT Campaign Targets U.S. AI Experts

By: Alan J
17 May 2024 at 11:36

Researchers have identified a recent cyber espionage campaign by a China-linked threat actor dubbed "UNK_SweetSpecter," which aims to harvest generative artificial intelligence (AI) secrets from experts in the United States. The threat actor targets AI experts using a remote access trojan (RAT) malware called SugarGh0st.  SugarGh0st infiltrates the systems of a highly selective list of AI experts from different verticals such as tech companies, government agencies and academic institutions. The SugarGh0st RAT was originally reported in November 2023 but was observed in only a limited number of campaigns. It is a custom variant of the Gh0st RAT, a tool that was first publicly attributed to a Chinese threat group in 2008. Researchers suspect that the threat actor UNK_SweetSpecter is likely of Chinese origin.

Spear-Phishing SugarGh0st Campaign Targets AI Experts

Proofpoint researchers discovered that the targets of this campaign were all connected to a leading US-based AI organization and were lured with distinct AI-themed emails. The infection chain began with a seemingly innocuous email from a free account, claiming to seek technical assistance with an AI tool. The attached zip file contained a shortcut file (LNK) that deployed a JavaScript dropper upon access. This dropper included a decoy document, an ActiveX tool for sideloading, and an encrypted binary, all encoded in base64. The infection chain ended with SugarGh0st RAT being deployed on the victim's system and communication being established with the attacker's command and control server. Analysis of the attack stages revealed that the group had shifted their C2 communications from an earlier domain to a new one, indicating their detection evasion motives. While the malware itself is relatively unsophisticated in its attack chain, the targeted nature of the AI campaign makes it significant, the researchers noted. The SugarGh0st RAT was previously used in targeted campaigns in Central and East Asia.

Potential Motivations, Attribution and Context

Although direct attribution to a specific nation-state is challenging, researchers concluded that the presence of Chinese language artifacts and the precise targeting of AI experts suggest a possible link to China-linked threat actors. The campaign also coincides with the U.S. government's efforts to restrict Chinese access to generative AI technologies. The new regulations established by the Biden administration would likely restrict the export of AI models and their data to countries it deemed hostile to U.S. interests, such as Russia, China, North Korea and Iran. The Chinese Embassy labeled the action as economic coercion and unilateral bullying. Earlier in February, Microsoft reported observing Chinese, Russian, North Korean and Iranian threat actors attempting to leverage AI tools from big tech AI companies like OpenAI for their campaigns. The report indicated that Chinese threat actors used AI tools to boost their technical prowess, such as the development of tools and phishing content, while the Russian threat actors were observed researching satellite and radar technologies possibly related to the war in Ukraine. With the regulatory efforts aimed at restricting proprietary/closed-source AI models, researchers theorize that this campaign is likely an attempt by a China-affiliated actor to harvest generative AI secrets via cyber theft before the policies are enacted.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Russian Hackers Used Two New Backdoors to Spy on European Foreign Ministry

Researchers recently uncovered two new backdoors implanted within the infrastructure of a European Ministry of Foreign Affairs (MFA) and its diplomatic missions. Slovakian cybersecurity firm ESET, which found the two backdoors, dubbed “LunarWeb” and “LunarMail,” attributed them to the Turla cyberespionage group believed to be aligned with Russian interests. Turla has operated since at least 2004, possibly starting in the late 1990s. Linked to the Russian FSB, Turla primarily targets high-profile entities like governments and diplomatic organizations in Europe, Central Asia and the Middle East. Notably, they have breached significant organizations such as the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014. Researchers believe the Lunar toolset, which has been used since at least 2020, is an addition to the arsenal of the Russia-aligned cyberespionage group Turla, based on the similarities between the tools’ tactics, techniques, and procedures (TTPs) and past activities.

LunarWeb Backdoor: Used to Navigate the Digital Terrain

The LunarWeb backdoor stealthily infiltrates servers, establishing its foothold within the targeted infrastructure. Operating covertly, it communicates via HTTP(S) while mirroring legitimate traffic patterns to obfuscate its presence. Concealment is key in LunarWeb's playbook. To achieve it, the backdoor uses steganography: it covertly embeds commands within innocuous images, effectively evading detection mechanisms. LunarWeb's loader, aptly named LunarLoader, showcases remarkable versatility, the researchers noted. Whether masquerading as trojanized open-source software or operating in standalone form, this entry point demonstrates the adaptability of the adversary's tactics.

LunarMail: Used to Infiltrate Individual Workstations

LunarMail takes a different approach from LunarWeb. It embeds itself within Outlook on workstations. Leveraging the familiar environment of email communications, this backdoor carries out its spying activities while remaining hidden amidst the daily deluge of digital correspondence that its victims receive on their workstations.

[Figure: LunarMail operation (credit: ESET)]

On first run, the LunarMail backdoor collects information on the environment variables and the email addresses of all outgoing email messages. It then communicates with the command and control server through the Outlook Messaging API to receive further instructions. LunarMail is capable of writing files, setting email addresses for C&C communication, creating arbitrary processes and executing them, taking screenshots and more. Similar to its counterpart, LunarMail harnesses the power of steganography, albeit within the confines of email attachments. By concealing commands within image files, it keeps its covert communication channels undetected. LunarMail's integration with Outlook extends beyond mere infiltration. It manipulates email attachments, seamlessly embedding encrypted payloads within image files or PDF documents, which makes data exfiltration appear unsuspicious.

Initial Access and Discovery

The initial access vectors of the Turla hackers, though not definitively confirmed, point towards the exploitation of vulnerabilities or spearphishing campaigns. The abuse of Zabbix network monitoring software is also a potential avenue of compromise, the researchers said. The compromised entities were primarily affiliated with a European MFA, which meant the intrusion was of a strategic nature. The investigation first began with the detection of a loader decrypting and running a payload from an external file, on an unidentified server. This was a previously unknown backdoor, which the researchers named LunarWeb. A similar attack chain with LunarWeb was then found deployed at a diplomatic institution of a European MFA but with a second backdoor – named LunarMail. In another attack, researchers spotted simultaneous deployments of a chain with LunarWeb at three diplomatic institutions of this MFA in the Middle East, occurring within minutes of each other. “The attacker probably had prior access to the domain controller of the MFA and utilized it for lateral movement to machines of related institutions in the same network,” the researchers noted. The threat actors displayed varying degrees of sophistication in the compromises. The coding errors and different coding styles used to develop the backdoors suggested that “multiple individuals were likely involved in the development and operation of these tools.”

Russian State Hackers Biggest Cyber Threat

Recently, Google-owned Mandiant in a detailed report stated with “high confidence” that Russian state-sponsored cyber threat activity poses the greatest risk to elections in regions with Russian interest including the European Union, the United Kingdom and the United States. Russia’s approach to election interference is multifaceted, blending cyber intrusion activities with information operations aimed at influencing public perceptions and sowing discord. Russian state-aligned cyber threat actors target election-related infrastructure for various reasons including applying pressure on foreign governments, amplifying issues aligned with Russia’s national interests, and retaliating against perceived adversaries. Groups like APT28 and UNC4057 conduct cyber espionage and information operations to achieve these objectives, Mandiant said.

State Actor Made Three Attempts to Breach B.C. Government Networks

A state or state-sponsored actor orchestrated the "sophisticated" cyberattacks against the British Columbia government networks, the head of B.C.’s public service revealed on Friday. Shannon Salter, deputy minister to the premier, disclosed to the press that the threat actor made three separate attempts over the past month to breach government systems and that the government was aware of the breach at the time, before finally making it public on May 8. Premier David Eby first announced that multiple cybersecurity incidents were observed on government networks on Wednesday, adding that the Canadian Centre for Cyber Security (CCCS) and other agencies were involved in the investigation. Salter in her Friday technical briefing refrained from confirming if the hack was related to last month’s security breach of Microsoft’s systems, which was attributed to Russian state-backed hackers and resulted in the disclosure of email correspondence between U.S. government agencies. However, she reiterated Eby's comments that there's no evidence suggesting sensitive personal information was compromised.

British Columbia Cyberattacks' Timeline

The B.C. government first detected a potential cyberattack on April 10. Government security experts initiated an investigation and confirmed the cyberattack on April 11. The incident was then reported to the Canadian Centre for Cyber Security, a federal agency, which engaged Microsoft’s Diagnostics and Recovery Toolset (DaRT) due to the sophistication of the attack, according to Salter. Premier David Eby was briefed about the cyberattack on April 17. On April 29, government cybersecurity experts discovered evidence of another hacking attempt by the same “threat actor,” Salter said. The same day, provincial employees were instructed to immediately change their passwords to ones 14 characters long. B.C.’s Office of the Chief Information Officer (OCIO) described it as part of the government's routine security updates. Considering the ongoing nature of the investigation, the OCIO did not confirm if the password reset was actually linked to the British Columbia government cyberattack but said, "Our office has been in contact with government about these incidents, and that they have committed to keeping us informed as more information and analysis becomes available."

Another cyberattack was identified on May 6, with Salter saying the same threat actor was responsible for all three incidents.

The cyberattacks were not disclosed to the public until Wednesday late evening when people were busy watching an ice hockey game, prompting accusations from B.C. United MLAs that the government was attempting to conceal the attack.

“How much sensitive personal information was compromised, and why did the premier wait eight days to issue a discreet statement during a Canucks game to disclose this very serious breach to British Columbians?” the Opposition MLA Todd Stone asked. Salter clarified that the cybersecurity centre advised against public disclosure to prevent other hackers from exploiting vulnerabilities in government networks. She revealed three separate cybersecurity incidents, all involving efforts by the hackers to conceal their activities. Following a briefing of the B.C. NDP cabinet on May 8, the cyber centre concurred that the public could be notified. Salter said that over 40 terabytes of data was being analyzed but she did not specify if the hackers targeted specific areas of government records such as health data, auto insurance or social services. The province stores the personal data of millions of British Columbians, including social insurance numbers, addresses and phone numbers. Public Safety Minister and Solicitor General Mike Farnworth told reporters Friday that no ransom demands were received, making the motivation behind the multiple cyberattacks unclear.

Farnworth said that the CCCS believes a state-sponsored actor is behind the attack based on the sophistication of the attempted breaches.

"Being able to do what we are seeing, and covering up their tracks, is the hallmarks of a state actor or a state-sponsored actor." - Farnworth

Government sources told CTV News that various government ministries and agencies, and their respective websites, networks and servers, face approximately 1.5 billion “unauthorized access” or hacking attempts daily. The number has increased over the last few years and is the reason why the province budgets millions of dollars per year for cybersecurity. Salter confirmed the government spends more than $25 million a year to fortify its defenses and added that previous investments in B.C.'s cybersecurity infrastructure helped detect the multiple attacks last month. Microsoft last month alerted several U.S. federal agencies that Russia-backed hackers might have pilfered emails sent by the company to those agencies, including sensitive information like usernames and passwords. However, Salter did not confirm if Russian-backed hackers are associated with the B.C. security breach.

Dell Warns Customers of Data Breach: Threat Actor Claims 49M Records Compromised

Dell has issued a warning to its customers regarding a data breach following claims by a threat actor of pilfering information for roughly 49 million customers. In an email sent to customers, the computer manufacturer disclosed that a Dell portal containing customer data associated with purchases had been compromised. "We are presently investigating an incident involving a Dell portal, housing a database containing limited types of customer information linked to Dell purchases," stated a Dell data breach notification. Dell clarified that the accessed information encompassed:
  • Names
  • Physical addresses
  • Dell hardware and order details, comprising service tags, item descriptions, order dates, and relevant warranty information
The company said the stolen data did not encompass financial or payment data, email addresses or phone numbers. Dell assured customers that it is collaborating with law enforcement and a third-party forensics firm to probe the matter.

[Figure: Dell data breach notification]

Dell Technologies is a publicly traded company that operates in 180 countries and is headquartered in Round Rock, Texas. Dell is the third-largest personal computer vendor in the world by unit sales, behind Lenovo and HP. It serves more than 10 million small and medium-sized businesses and receives 500 million annual eCommerce visits. The tech giant generated revenue of $102.3 billion in 2023 and has over 500,000 commercial customers and 2,500 enterprise accounts. Dell was ranked 31st on the Fortune 500 list in 2022 and is also the sixth-largest company in Texas by total revenue, according to Fortune magazine.

Dell Data Breach Set Appeared on Dark Web

Despite Dell's reassurances, the breach data was purportedly put up for sale on an underground hacker forum by a threat actor named “Menelik” on April 28. The threat actor claimed this data set contained up-to-date details of registered Dell servers, including vital personal and company information such as full names, addresses, cities, provinces, postal codes, countries, unique 7-digit service tags of systems, system shipment dates (warranty start), warranty plans, serial numbers (for monitors), Dell customer numbers and Dell order numbers. The threat actor asserted that he was the sole possessor of this data that entailed approximately 7 million records of individual/personal purchases, while 11 million belong to consumer segment companies. The remaining data pertained to enterprise, partners, schools or unidentified entities. The threat actor also highlighted the top five countries with the most systems represented in the database, which included the United States, China, India, Australia and Canada. The data, claimed to be sourced from Dell and containing 49 million customers and other systems details between 2017 and 2024, aligned with the details outlined in Dell's breach notification. However, The Cyber Express could not confirm if the two data sets are the same as Dell did not immediately respond to our request for confirmation. Although the sale of the database appears to have ceased, the possibility of further exploitation remains. Although Dell refrained from disclosing the specific impact of the breach, it remains vigilant about potential risks associated with the stolen information. While the compromised data lacks email addresses, threat actors could exploit it for targeted phishing and smishing attacks against Dell customers. They could contact Dell customers as fake customer service executives and lead them into downloading malware or infostealers, as has been seen in many previous campaigns. Dell advises customers to exercise caution regarding any communications purportedly from Dell, especially those urging software installations, password changes or other risky actions, and encourages customers to verify the legitimacy of such communications directly with Dell.