attribution – WindowsTechs.com

Chinese researchers accuse NSA of being behind a powerful exploit

Posted on February 23, 2022 by Tonya Riley

A Chinese cybersecurity firm released a report Wednesday that revealed a decade-old exploit allegedly created by a covert hacking group associated with the U.S. National Security Agency. The report is the first time that a Chinese cybersecurity firm has both attributed a cyberattack to a U.S. hacking group and included technical indicators of compromise. “It’s a completely different type of report here that that seems to mimic Western name-and-shame,” said Winnona DeSombre, fellow at the Atlantic Council and Harvard’s Belfer Center. Pangu Lab researchers said they first discovered the backdoor in 2013 during an “in-depth forensic investigation of a host in a key domestic department.” The researchers were later able to tie it to the “The Equation Group,” a group of hackers said to be affiliated with the NSA, after NSA documents leaked by a group known as the “The Shadow Brokers” published hacking files that allegedly belonged to the […]

The post Chinese researchers accuse NSA of being behind a powerful exploit appeared first on CyberScoop.

Continue reading Chinese researchers accuse NSA of being behind a powerful exploit→

Russia-linked Sandworm reportedly has retooled with ‘Cyclops Blink’

Posted on February 23, 2022 by Joe Warminsky

A long-running hacking group associated with Russian intelligence has developed a new set of tools to replace malware that was disrupted in 2018, according to an alert Wednesday from the U.S. and U.K. cybersecurity and law enforcement agencies. The advanced persistent threat group, known primarily as Sandworm, is now using a “large-scale modular malware framework” that the agencies call Cyclops Blink. Western governments have blamed Sandworm for major incidents such as the disruption of Ukraine’s electricity grid in 2015, the the NotPetya attacks in 2017 and breaches of the Winter Olympics in 2018. Cyclops Blink has largely replaced the VPNFilter malware in Sandworm’s activities since at least June 2019, said the joint alert from the U.K.’s National Cyber Security Centre (NCSC), and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, National Security Agency and FBI in the U.S. The NCSC also issued a separate analysis paper on Cyclops Blink. […]

The post Russia-linked Sandworm reportedly has retooled with ‘Cyclops Blink’ appeared first on CyberScoop.

Continue reading Russia-linked Sandworm reportedly has retooled with ‘Cyclops Blink’→

Nation-State Attacker of Telecommunications Networks

Posted on October 22, 2021 by Bruce Schneier

Someone has been hacking telecommunications networks around the world:

LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.
Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.
…

Continue reading Nation-State Attacker of Telecommunications Networks→

Chinese hackers posed as Iranians to breach Israeli targets, FireEye says

Posted on August 10, 2021 by Sean Lyngaas

Suspected Chinese spies masqueraded as Iranian hackers in a two-year campaign to break into government and telecommunication networks in Israel, security firm FireEye said Tuesday. The alleged Chinese intruders used a hacking tool previously associated with Iranian operatives, and embedded some of their malicious code with Farsi, the predominant language in Iran. It was part of a broader campaign to gather intelligence at organizations in other Middle East and Central Asian countries that has continued this year, according to FireEye. The findings show how spies plant digital evidence in an effort to throw off investigators in the high-stakes world of espionage. The revelations come amid a period of heightened scrutiny of Chinese cyber activity: The U.S. and its European allies in July condemned China’s alleged exploitation of Microsoft software and said that it enabled ransomware attacks. John Hultquist, vice president of threat intelligence at Mandiant FireEye, said the targeting at […]

The post Chinese hackers posed as Iranians to breach Israeli targets, FireEye says appeared first on CyberScoop.

Continue reading Chinese hackers posed as Iranians to breach Israeli targets, FireEye says→

Security researchers suggest naming state-harbored hackers ‘privateers’

Posted on May 26, 2021 by Sean Lyngaas

The ransomware-induced disruption of Colonial Pipeline, which supplies 45% of fuel consumed on the East Coast, has already forced big changes to U.S. government policies on pipeline security and brought heightened scrutiny of organizations’ decisions to pay hackers ransoms. Now, the incident has factored into one prominent security firm’s decision to change how it publicly classifies the relationship between criminal hacking groups and the governments that host them. Talos, the threat intelligence unit of Cisco, said Wednesday that it would begin using the term “privateers” to describe hacking groups that aren’t controlled by governments but which “benefit from government decisions to turn a blind eye toward their activities.” Other cybersecurity executives have compared the safe havens that some governments provide cybercriminals today with 17th century piracy. “If it were the 17th century, and pirates harassing the English merchant fleet were ducking into Dutch harbors, at what point would the Dutch […]

The post Security researchers suggest naming state-harbored hackers ‘privateers’ appeared first on CyberScoop.

Continue reading Security researchers suggest naming state-harbored hackers ‘privateers’→

More SolarWinds News

Posted on February 3, 2021 by Bruce Schneier

Microsoft analyzed details of the SolarWinds attack:

Microsoft and FireEye only detected the Sunburst or Solorigate malware in December, but Crowdstrike reported this month that another related piece of malware, Sunspot, was deployed in September 2019… Continue reading More SolarWinds News→

Postcards From The Rus

Posted on January 14, 2021 by Marc Handelman

Reuters reporter Christopher Bing has reported a new ‘probe’ instantiated by the United States Federal Bureau of Investigation targeting a Rus-linked postcard (of-all-things) sent to FireEye, Inc. Chief Executive Officer Kevin Mandia after the informa… Continue reading Postcards From The Rus→

SolarWinds Hack Potentially Linked to Turla APT

Posted on January 11, 2021 by Tara Seals

Researchers have spotted notable code overlap between the Sunburst backdoor and a known Turla weapon. Continue reading SolarWinds Hack Potentially Linked to Turla APT→

Robert M. Lee’s & Jeff Haas’ Little Bobby Comics – From The Archive – ‘WEEK 111’

Posted on January 3, 2021 by Marc Handelman

via the respected information security capabilities of Robert M. Lee & the superlative illustration talents of Jeff Haas at Little Bobby Comics! From the Little Bobby Archive’s and Originally Published March 12, 2017.

Permalink
The post Robert M…. Continue reading Robert M. Lee’s & Jeff Haas’ Little Bobby Comics – From The Archive – ‘WEEK 111’→

Simplifying Proactive Defense With Threat Playbooks

Posted on December 21, 2020 by Lindsey O'Donnell

FortiGuard Labs’ Derek Manky talks about how threat playbooks can equip defense teams with the tools they need to fight back against evolving attacker TTPs. Continue reading Simplifying Proactive Defense With Threat Playbooks→