How an NSA researcher plans to allow everyone to guard against firmware attacks

A years-long project from researchers at the National Security Agency that could better protect machines from firmware attacks will soon be available to the public, the lead NSA researcher on the project tells CyberScoop. The project will increase security in machines essentially by placing a machine’s firmware in a container to isolate it from would-be attackers. A layer of protection is being added to the System Management Interrupt (SMI) handler — code that allows a machine to make adjustments on the hardware level — as part of the open source firmware platform Coreboot. Eugene Myers, who works in the National Security Agency’s Trusted Systems Research Group, told CyberScoop that the end product — known as an SMI Transfer Monitor with protected execution (STM-PE) — will work with x86 processors that run Coreboot. Attackers are increasingly targeting firmware in order to run malicious attacks. Just last year, the first-ever documented UEFI rootkit was deployed in the wild, according […]

The post How an NSA researcher plans to allow everyone to guard against firmware attacks appeared first on CyberScoop.


Russian government hackers used office technology to try to breach privileged accounts

Early this spring, Russian government-linked hackers used three popular internet of things devices with weak security to access several Microsoft customers’ networks, then tried infiltrating more privileged accounts, researchers announced Monday. The company’s Threat Intelligence center said the STRONTIUM group, also known as APT 28 and Fancy Bear, leveraged weak security in an office printer, video decoders and voice over IP, or VOIP, phone to access wider systems. The attacks occurred as recently as April, Microsoft said, adding that hackers used insecure IoT devices as a means to attempt to break into valuable accounts where they would have found more sensitive data. Microsoft disclosed neither the affected devices, nor which of its customers were impacted. “While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives,” Microsoft researchers wrote in their […]


10,000 Microsoft customers targeted by nation-state attacks in the last year

Microsoft has notified 10,000 customers in the past year that they have borne the brunt of nation-state cyberattacks — some of which were successful — from Iran, North Korea, and Russia, Microsoft announced Wednesday. “This data demonstrates the significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics or achieve other objectives,” Tom Burt, corporate vice president of customer security & trust at Microsoft, wrote in a blog post on the matter. Microsoft has linked the attacks with a group linked with Iran broadly known as APT 33, with a group from North Korea known as APT 38, as well as two groups linked with Russia, APT 28 and APT 29, which Microsoft dubs Strontium and Yttrium respectively. APT 28 was behind the intrusions at the Democratic National Committee. Some of the attacks observed appear to be related to U.S. politics and […]


Researchers are still using lessons from VPNFilter to track threats one year later

It’s been a year since private security researchers worked with the FBI to dismantle a 500,000-router-strong botnet that loomed over Ukraine. Now, lessons learned in that takedown of the “VPNFilter” botnet are still reverberating today in the cybersecurity community, informing defenders about other sets of malicious activity, said Martin Lee, a manager at Cisco Talos, the threat intelligence team that helped uncover the botnet. Lee pointed to the so-called Sea Turtle domain name system hijacking campaign, which Talos detailed last month. Like VPNFilter, the Sea Turtle activity was an example of a state-sponsored attacker abusing internet infrastructure at scale to steal credentials. Data gathered from the VPNFilter investigation, combined with the lesson that state-sponsored actors are willing to subvert core internet infrastructure, has driven home the fact that attackers can exploit critical devices at scale in a way that few people had fully appreciated. “Essentially, [the Sea Turtle perpetrator] is a threat actor trying to do […]


Cyber Command’s latest VirusTotal upload has been linked to an active attack

The malware sample that U.S. Cyber Command uploaded to VirusTotal last week is still involved in active attacks, multiple security researchers tell CyberScoop. Researchers from Kaspersky Lab and ZoneAlarm, a software security company run by Check Point Technologies, tell CyberScoop they have linked the malware with APT28, the same hacking group that breached the Democratic National Committee during the 2016 election cycle. A variant of the malware is being used in ongoing attacks, hitting targets as recently as this month. The targets include Central Asian nations, as well as diplomatic and foreign affairs organizations, Kaspersky Lab’s principal security researcher Kurt Baumgartner tells CyberScoop. While ZoneAlarm can’t confirm the targets the attack is focused on, the company detected the specific malware hash in an active attack in the Czech Republic last week, Lotem Finkelsteen, ZoneAlarm’s Threat Intelligence Group Manager, tells CyberScoop. “Although we cannot confirm such an attack,” Finkelsteen said, referring to the […]


As Europe prepares to vote, Microsoft warns of Fancy Bear attacks on democratic think tanks

Three months before parliamentary elections in Europe, Microsoft says it has detected hacking attempts on democracy-focused think tanks from the Russian hacking group that breached the Democratic National Committee in 2016. From September to December 2018, hackers conducted cyberattacks on employees of the Aspen Institutes in Europe, the German Council on Foreign Relations, and the German Marshall Fund, Microsoft said late Tuesday. Microsoft said it was “confident” the hacking group it calls Strontium, more commonly known as Fancy Bear or APT28, was responsible for many of the attacks. Western officials have attributed the group to Russia’s military intelligence directorate. The malicious cyber activity concentrated on 104 accounts of think tank employees based in Belgium, France, Germany, Poland, Romania, and Serbia. Two of the affected organizations contacted by CyberScoop indicated the hacking attempts were unsuccessful. Andrew Kolb, a German Marshall Fund spokesman, told CyberScoop that there was no evidence his organization’s systems were compromised. Tyson Barker, […]


For foreign hackers, 2018 was all about subtlety, CrowdStrike says

Nation-state hackers from China, Russia and elsewhere spent last year updating their tradecraft and tightening their focus on espionage targets, according to a new CrowdStrike report examining the evolution of cyber-espionage in 2018. The year didn’t see a suspected state-sponsored cyberattack on the scale of 2017’s NotPetya or WannaCry ransomware campaigns, which researchers have suggested were the work of Russian and North Korean hackers, respectively. But in the absence of another headline-grabbing crime spree, international hackers sought to advance their bosses’ interests in more subtle ways: by more carefully determining whom to hack and moving more quickly once inside, CrowdStrike said. Chinese actors re-ignited their attacks against American targets amid a trade war with the U.S. Russia continued its reconnaissance efforts, while North Korea used digital techniques to generate cryptocurrency that would help Pyongyang avoid sanctions. Meanwhile, in Iran, state-sponsored hackers focused on domestic targets and rivals in the Middle […]


Two suspected Russian hacking groups share tools and techniques, Kaspersky says

Multiple groups of suspected Russian hackers have a relationship with one another that includes sharing malicious software code and hacking techniques, according to new research. The Moscow-based security vendor Kaspersky Lab on Thursday released findings tying the espionage group GreyEnergy with Zebrocy. Zebrocy is the name researchers have given to a group affiliated with suspected Russian military hackers known as Sofacy (or Fancy Bear, or APT 28), the alleged perpetrator of the hacking of the Democratic National Committee in 2016. Both groups used the same command-and-control servers — the infrastructure that allows hackers to maintain communications with compromised machines — to simultaneously target the same organization, according to Kaspersky. They also sent similar phishing emails disguised as messages from the Ministry of the Republic of Kazakhstan within one week. Our research confirms #GreyEnergy and #Zebrocy shared the C2 server infrastructure and both targeted the same organization almost at the same time. It […]


Germany sought NSA help after breach exposed lawmakers’ data

German security officials contacted the National Security Agency following a data breach that resulted in private data about many German politicians, including Chancellor Angela Merkel, being published publicly, according to German media outlets. Germany sought help from the NSA after a Twitter account began distributing phone numbers, addresses, chat histories and vacation photos belonging to politicians, journalists and celebrities, German newspaper Bild reported. Germany asked the NSA to pressure Twitter to shut down accounts that were spreading the hacked information, arguing the NSA had jurisdiction because some U.S. citizens also had their information exposed in the data dump. Outreach to the NSA is not the only example of international cooperation. Hamburg, the German city-state, is working with the Irish Data Protection Commissioner to stop the spread of hacked information, according to the news outlet RTE. When reached by CyberScoop Monday, an NSA spokesman said the agency, if asked, would help an ally […]


APT28-linked trojan being developed in multiple programming languages, research shows

An elite Russia-linked hacking group is creating multiple versions of one of its go-to malicious tools in an apparent attempt to make its activity harder to detect, according to research published Tuesday by Palo Alto Networks. The company’s Unit42 threat intelligence team says that the hacker group Sofacy, also known as APT28, Fancy Bear and many other names, has been spotted using a version of the Zebrocy trojan written in the “Go” programming language in multiple phishing campaigns. The findings add to a list of Zebrocy variants written in different types of code. Researchers and Western governments have largely attributed APT28 to Russian intelligence services. “The use of a different programming language to create a functionally similar Trojan is not new to this group, as past Zebrocy variants have been developed in AutoIt, Delphi, VB.NET, C# and Visual C++,” the researchers wrote. “While we cannot be certain the impetus for this, […]
