apt

Foreign Cyber Threats Risk National Security

Over the last week there have been several major stories in the international community involving Russia, Iran and China. Russian code was discovered in U.S. Army and CDC applications; Iranian hackers used Log4Shell to compromise a U.S. Federal agency; and the China-based APT group Billbug compromised a Certificate Authority (CA) as part of an espionage campaign. Check out each story below for more detail.

Russian Company Pushwoosh Code Found in U.S. Army & CDC Applications
The company Pushwoosh, an organization that offers data processing for applications, has been disguising itself as a U.S. organization based out of Washington, D.C. and Maryland. However, Reuters has discovered that Pushwoosh is, in fact, a Russian-backed company whose headquarters are in Novosibirsk, Siberia. Since it is a company registered with the Russian government and pays taxes to the Russian government, it must comply with the laws of Russia. This would require sharing data when and if requested by the Russian government. Pushwoosh code has been implemented in a U.S. Army application that is used as an information portal for the National Training Center. The code was removed earlier in the year, with the reason stated as “security issues.” The CDC was using Pushwoosh code within many public-facing applications but has since removed the code. In addition to the U.S. Army and the CDC, Pushwoosh code is used in over 8,000 applications in the iOS App Store and the Google Play store, including the likes of UEFA, Deloitte, Coca-Cola, McDonald’s and Unilever. Max Konev, the founder of Pushwoosh, claims his company “has no connection with the Russian government of any kind” and that all data is stored in either the US or Germany. At this time, no evidence has been brought forward showing Pushwoosh has shared any data with the Russian government, but that does not mean it has not or could not in the future.

Iranian Hackers Used Log4Shell to Compromise a U.S. Federal Agency
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has credited an Iranian-sponsored group with compromising an unpatched VMware Horizon server owned by a U.S. Federal agency using the Log4Shell vulnerability. CISA responded to the incident over the summer and discovered that crypto-mining software had been installed on the server. The attackers pivoted through the network, compromised credentials and the domain controllers (DCs), then installed reverse proxies in order to maintain persistent access. CISA believes the original compromise happened in February of 2022. Once the group had access, they added a Windows Defender exclusion (allow-list entry) covering the entire C:\ drive. This allowed them to download PowerShell scripts and execute tools like PsExec and Mimikatz without detection, which aided in furthering the attack. Additionally, the attackers changed the password for a local administrator account.
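A drive-wide Defender exclusion like the one described above is easy to spot if you look for it. The following PowerShell is an added example (not from the nGuard post or the CISA advisory) that flags drive-root, shallow or wildcard exclusion paths and pulls the Defender event 5007 configuration-change records that show when an exclusion was added; it assumes a Windows host running Microsoft Defender Antivirus and an elevated PowerShell session.

```powershell
# Added example: audit Microsoft Defender exclusions for overly broad paths and
# list recent configuration-change events (event ID 5007) in the Defender log.
# Assumes Windows with Microsoft Defender Antivirus and an elevated session.

function Get-BroadDefenderExclusion {
    [CmdletBinding()]
    param(
        # Exclusions this many path segments deep or shallower are flagged
        # (e.g. 'C:\Windows' is 1 segment deep; the drive root 'C:\' is 0).
        [int]$MaxAllowedDepth = 1
    )
    $prefs = Get-MpPreference
    foreach ($path in @($prefs.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        $trimmed     = $path.TrimEnd('\')
        $isDriveRoot = $trimmed -match '^[A-Za-z]:$'
        $hasWildcard = $path -match '[\*\?]'
        # Count segments after the drive letter: 'C:' -> 0, 'C:\Windows' -> 1
        $segments = ($trimmed -split '\\' | Where-Object { $_ -ne '' }).Count - 1

        if ($isDriveRoot -or $hasWildcard -or $segments -le $MaxAllowedDepth) {
            if ($isDriveRoot)     { $reason = 'Entire drive excluded' }
            elseif ($hasWildcard) { $reason = 'Wildcard exclusion' }
            else                  { $reason = "Only $segments path segment(s) deep" }
            [pscustomobject]@{ Exclusion = $path; Reason = $reason }
        }
    }
}

# Defender records every preference change as event 5007 in its Operational
# channel; filtering on 'Exclusions' shows when an exclusion path was added.
function Get-DefenderExclusionChange {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

Get-BroadDefenderExclusion   | Format-Table -AutoSize
Get-DefenderExclusionChange  | Format-List
```

Running this across a fleet (for example via a scheduled task that forwards the output to your event collection platform) turns a one-off check into a standing detection for the technique CISA observed.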

nGuard detailed the Log4Shell vulnerability back in January. If you feel Log4Shell is still an issue within your organization, nGuard offers Log4j scanning, consulting services, log management and event collection, and penetration testing services.

Billbug, a China-Based APT Compromised a Certificate Authority
Billbug, a state-sponsored APT group, compromised an unnamed Certificate Authority as part of an espionage campaign. If the attackers had gained access to the CA's certificates, they could have used them to sign their own malware in order to bypass security checks, and to intercept and decrypt HTTPS traffic. The Symantec Threat Hunting team made this discovery and reported it to the affected Certificate Authority. At this time there is no evidence or indication that Billbug was able to compromise or gain access to any digital certificates.

Filed Under: Advisory, Breach, Compliance, Events, Financial, General, Products & Services, Vulnerabilities & Exploits Tagged With: apt, bug, countries, foreign, influence, national, risk, security, threat, threats, zeroday

TWiC | This Week in Cybersecurity – Let’s Go Phishing 🎣

Over the past week there have been many hot topics in cybersecurity. This edition of This Week in Cybersecurity includes stories focused on the latest phishing campaign tactics, techniques and procedures, common use cases, and the infrastructure being used. Check out the details below.

  • Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands

    The number of phishing attempts that misuse the Microsoft brand jumped 266 percent in the first quarter of 2022 compared to the same period last year, according to a report by researchers at Vade. Fake Facebook messages increased by 177% in the second quarter of 2022. Compared to the previous year, hackers are ramping up their use of false messages that abuse well-known companies, driving a resurgence of phishing attempts. According to the phishing research, Microsoft, Facebook, and the French bank Crédit Agricole are the three most frequently impersonated companies in attacks. WhatsApp and the French telecommunications provider Orange are among the other top names misused in phishing attempts. Other well-known brands included Apple, Google, and PayPal.
  • DUCKTAIL Malware Targeting HR Professionals Through LinkedIn Spear-phishing Campaign

    Cybersecurity researchers have recently identified an ongoing operation known as DUCKTAIL. The operation aims to gain control of the Facebook Business accounts that handle a company’s advertising. DUCKTAIL uses an information-stealing malware component to hijack Facebook Business accounts, which sets it apart from other malware campaigns that used Facebook as a base of operations in the past. The malware accesses the victim’s Facebook account by stealing cookies from the victim’s browser and reusing the authentication cookies from active Facebook sessions. This has allowed the attackers to access every Facebook Business account the victim has access to, even ones with restricted access. DUCKTAIL has been using LinkedIn to identify potential targets for these campaigns.
  • 1,000s of Phishing Attacks Blast Off from InterPlanetary File System

    The InterPlanetary File System (IPFS), a distributed peer-to-peer file system, has become a hotbed of phishing-site storage. Thousands of emails containing phishing URLs are showing up in corporate inboxes. IPFS uses peer-to-peer (P2P) connections for file and service sharing instead of a static resource identified by a host and path, which makes phishing content hard to take down. Phishers may start using even more sophisticated methods for replicating sites, such as distributed hash tables. According to an anti-phishing expert, security admins need to educate themselves and their staff about how IPFS works.
  • Evilnum APT Hackers Group Attack Windows Using Weaponized Word Documents

    The APT threat actor Evilnum has been targeting European banking and investment organizations. Recently their tactics, techniques, and procedures have included spear-phishing emails with attachments such as Microsoft Word, ISO, and Windows Shortcut (LNK) files. Researchers discovered other variations of the campaign in late 2022, including ones that employed financial lures to get victims to open malicious ZIP archives containing malicious .LNK files. In the middle of 2022, the methodology used to distribute Word documents was altered once more to incorporate a mechanism that tries to connect to an attacker-controlled domain and obtain a remote template.

Stop Phishing
nGuard has been conducting social engineering assessments for almost two decades and has the experience and expertise to assess your users against phishing campaigns using a variety of attack methods. Using emails, phone calls, text messages, multi-factor prompt bombing attacks, fake websites, and more, nGuard can thoroughly test the efficacy of your security awareness training program. Contact your Account Executive or Security Consultant to learn more about how nGuard can help.

Filed Under: Advisory, Breach, Compliance, Events, Financial, General, Products & Services, Vulnerabilities & Exploits Tagged With: apt, envilnum, Facebook, InterPlanetary File System, LinkedIn, malware, MFA, Microsoft, Multi-Factor Authentication, phishing, social engineering
