CyberSecurity updates
2025-02-23 17:45:42 Pacific

Winnti Group Targets Japanese Organizations with RevivalStone Malware - 9d

The China-based Winnti Group (aka APT41) is targeting Japanese organizations in the manufacturing, materials, and energy sectors with a new malware campaign dubbed RevivalStone. The campaign employs a novel version of the Winnti malware with enhanced capabilities and evasion techniques.

North Korean Hackers Exploit PowerShell Trick - 10d

The North Korea-linked APT group Kimsuky, also known as Emerald Sleet, is using a new tactic to compromise its traditional espionage targets: tricking them into running PowerShell as an administrator and executing malicious code. The group builds rapport with a target before sending a spear-phishing email with an attached PDF. The accompanying registration link carries instructions to open PowerShell as an administrator and paste code supplied by Emerald Sleet. If the target runs the code with administrator rights, it downloads and installs a browser-based remote desktop tool, giving the threat actor access to the device and a path for data exfiltration.

FunkSec ransomware attacks rise to new heights - 22d

Ransomware attacks surged to a record high in December 2024, with 574 incidents reported. FunkSec, a newly identified group combining hacktivism and cybercrime, accounted for over 100 of them, making it the most active group that month. The attacks targeted the industrial sector and used a variety of ransomware techniques. The December figures underline how sharply ransomware activity has risen.

EU Sanctions Russian GRU Members Over Estonia Attacks - 26d

The European Union has sanctioned three Russian nationals, identified as Nikolay Alexandrovich Korchagin, Vitaly Shevchenko, and Yuriy Fedorovich Denisov, for their involvement in cyber attacks targeting Estonia’s key ministries in 2020. These individuals are members of the GRU Unit 29155, a Russian military intelligence unit known for its cyber operations. These sanctions highlight the ongoing geopolitical tensions and the attribution of state-sponsored cyber activities. The EU’s action underscores the international effort to hold nation-state actors accountable for their malicious cyber activities, aiming to deter future attacks and ensure the security of digital infrastructure.

Cyberattacks Surge in Taiwan and Central Asia - 7d

Multiple reports indicate a surge in cyberattacks targeting Taiwan amid rising tensions with China, alongside a Russian malware campaign aimed at Central Asian diplomatic files. Russian state-aligned APT groups have also been observed increasingly deploying ransomware. These attacks involve malware and other techniques. Diplomatic organizations and critical infrastructure operators in the targeted regions should strengthen their security posture and keep an eye out for suspicious activity.

Winnti Hackers Deploy Glutton PHP Backdoor - 5d

The Winnti hacking group is using a new PHP backdoor called ‘Glutton’ in attacks targeting organizations in both China and the United States. Winnti is also targeting other cybercriminals, indicating a shift in its focus and tactics. The use of the Glutton backdoor is a concerning development, as it demonstrates the group’s ability to adapt and build new tools for its operations.

Alleged Russian Interference in Romanian Presidential Election - 15d

The Romanian presidential election was annulled following allegations of Russian interference involving 25,000 fake accounts and 85,000 cyberattacks on election systems. The interference combined coordinated disinformation campaigns with social media manipulation, and the EU is tightening its oversight of TikTok as a consequence. The incident highlights the growing risk of foreign interference in democratic processes through digital platforms and cyberattacks, and shows how election systems can be targeted in an attempt to sway an election’s outcome.