CyberSecurity news
FlagThis - #cyberespionage
|
sila.ozeren@picussecurity.com (Sıla@Resources-2
//
References:
Resources-2
, securityonline.info
A new report has revealed that the Silver Fox APT group, a China-based state-sponsored actor active since 2024, is targeting the public sector through trojanized medical software. The group, also known as Void Arachne or The Great Thief of Valley, is known for cyber espionage, data theft, and financially motivated intrusions, targeting healthcare organizations, government entities, and critical infrastructure. Their campaigns involve a custom remote access trojan called Winos 4.0 (ValleyRAT), derived from the Gh0st RAT malware family.
The Silver Fox APT employs a multi-stage campaign that utilizes backdoored medical software and cloud infrastructure to deploy remote access tools, disable antivirus software, and exfiltrate data from healthcare and public sector targets. One confirmed case involves a trojanized MediaViewerLauncher.exe, disguised as a Philips DICOM Viewer. This trojanized binary acts as a first-stage loader, initiating the malware chain. The group also exploits popular applications like Chrome, VPN clients, deepfake tools, and voice changers with backdoored installers, distributed through phishing or poisoned search results. Once executed, the malware reaches out to an Alibaba Cloud Object Storage bucket to retrieve an encrypted configuration file (i.dat), containing URLs and filenames for second-stage payloads disguised as benign media files (e.g., a.gif, s.jpeg). These payloads then deploy DLL loaders, anti-virus evasion logic, and a vulnerable driver (TrueSightKiller) to disable security software. The group also uses PowerShell exclusions to suppress Defender scans and employs RPC-based task creation and BYOVD techniques to terminate processes like MsMpEng.exe (Windows Defender). In a separate campaign, Silver Fox is also targeting Taiwan via phishing emails with malware families HoldingHands RAT and Gh0stCringe, using fake tax lures and PDF documents. Recommended read:
References :
rulesbot@community.emergingthreats.net
//
References:
community.emergingthreats.net
Emerging Threats has released a significant ruleset update, v10950, aimed at bolstering network security and threat detection. The update includes 73 new open rules and 136 new pro rules, totaling 209 enhancements to the existing security framework. These rules are designed to address a wide spectrum of threats, ranging from general malware to web application-specific vulnerabilities and hunting activities, enabling organizations to strengthen their defenses against an evolving threat landscape. The release date for this update is June 13, 2025.
Among the key targets of this update is the Predator spyware, which remains a persistent threat despite US sanctions. The ruleset includes specific signatures to detect DNS queries associated with Predator spyware domains, such as gilfonts .com, zipzone .io, and numerous others. This highlights the ongoing efforts to identify and neutralize the infrastructure used by Intellexa, the maker of Predator, even as they attempt to evade detection through new servers and domains. This focus underscores the importance of continuous monitoring and adaptation in the face of sophisticated surveillance tools. In addition to addressing the Predator spyware, the ruleset update also tackles a critical vulnerability in Fortinet Admin APIs, specifically a Stack-based Buffer Overflow in the AuthHash Cookie, identified as CVE-2025-32756. This rule aims to protect against potential exploits targeting this weakness in Fortinet systems. Furthermore, the update incorporates rules for hunting SQL Database Version Discovery, enhancing the ability to proactively identify and address potential vulnerabilities within network environments. This comprehensive approach ensures a multi-layered defense against various attack vectors. Recommended read:
References :
Cynthia B@Metacurity
//
Despite US sanctions, Intellexa's Predator spyware continues to operate, adapting to setbacks and surfacing in new locations with innovative techniques to evade detection. Security firm Recorded Future revealed they had linked Intellexa infrastructure to new locations. Their findings suggest Intellexa, also known as the Intellexa Consortium, is actively responding to the challenges posed by sanctions and public exposure and is likely to continue adapting its methods. This highlights the ongoing struggle to effectively curb the proliferation of sophisticated surveillance tools.
Recorded Future's Insikt Group has identified a previously unknown customer in Mozambique, a connection to a Czech entity, and activity linked to an Eastern European country. The Eastern European activity, though brief, suggests possible development or testing of the spyware. The discovery of the Mozambique customer is consistent with the already known high level of Predator activity across Africa. Intellexa has also adopted strategies such as using fake websites, including counterfeit login pages and sites claiming association with conferences, to mask its operations. Julian-Ferdinand Vögele, a threat researcher with Recorded Future, stated that “Intellexa’s Predator remains active and adaptive, relying on a vast network of vendors, subsidiaries, and other companies.” While Predator activity has declined since sanctions and public exposure, the spyware maker is still finding ways to keep the spyware active and available to customers. The report from Recorded Future warns that "Sanctions and other pressures are likely to drive efforts to increase the complexity of corporate structures, making operations harder to trace and disrupt," emphasizing the importance of continued vigilance and proactive measures to counter the evolving threat posed by Predator. Recommended read:
References :
Kaspersky@Securelist
//
References:
Securelist
, Catalin Cimpanu
The Librarian Ghouls APT group, also known as Rare Werewolf, is actively targeting Russian entities, with additional victims reported in Belarus and Kazakhstan. According to a recent report by Kaspersky, this sophisticated threat actor employs a range of techniques to compromise systems, including the use of RAR archives and BAT scripts. The group leverages legitimate software and multiple communication channels like email, Facebook, and Telegram to deliver malicious payloads, often operating during night hours to minimize detection. The APT has been consistently targeting Russian companies, with attacks continuing almost unabated since 2024, with a slight decline in December followed by a new wave of attacks.
The primary initial infection vector for Librarian Ghouls involves targeted phishing emails containing password-protected archives with executable files inside. These malicious emails are typically disguised as messages from legitimate organizations, containing attachments that appear to be official documents or payment orders. Once the victim opens the archive and extracts the files, the infection process begins. The group's objective is to establish remote access to compromised hosts, steal credentials, and deploy the XMRig cryptocurrency miner. Rare Werewolf stands out for its preference for legitimate third-party software over developing its own malicious binaries. For example, in some attacks, a legitimate tool called 4t Tray Minimizer is used. The malicious functionality is implemented through command files and PowerShell scripts. A salient aspect of their tactics is launching a PowerShell script that wakes up the victim system at 1 a.m. local time and allows the attackers remote access to it for a four-hour window via AnyDesk, before shutting down the machine at 5 a.m. Recommended read:
References :
Eric Geller@cybersecuritydive.com
//
SentinelOne, a cybersecurity firm, has revealed that it was the target of a year-long reconnaissance campaign by China-linked espionage groups, identified as APT15 and UNC5174. This campaign, dubbed "PurpleHaze," involved network reconnaissance and intrusion attempts, ultimately aiming to gather strategic intelligence and potentially establish access for future conflicts. SentinelOne discovered the campaign when the suspected Chinese spies tried to break into the security vendor's own servers in October 2024. The attempted intrusion on SentinelOne's systems failed, but it prompted a deeper investigation into the broader campaign and the malware being used.
The investigation revealed that over 70 organizations across multiple sectors globally were targeted, including a South Asian government entity and a European media organization. The attacks spanned from July 2024 to March 2025 and involved the use of ShadowPad malware and post-exploitation espionage activity. These targeted sectors include manufacturing, government, finance, telecommunications, and research. The coordinated attacks are believed to be connected to Chinese government spying programs. SentinelOne has expressed high confidence that the PurpleHaze and ShadowPad activity clusters can be attributed to China-nexus threat actors. This incident underscores the persistent threat that Chinese cyber espionage actors pose to global industries and public sector organizations. The attack on SentinelOne also highlights that cybersecurity vendors themselves are prime targets for these groups, given their deep visibility into client environments and ability to disrupt adversary operations. SentinelOne recommends that more proactive steps are taken to prevent future attacks. Recommended read:
References :
Rescana@Rescana
//
Void Blizzard, a cyber threat actor with ties to Russia, has been identified as conducting extensive cyberespionage operations targeting critical sectors across Europe and North America. These operations, active since at least April 2024 and escalating in 2025, are aimed at gathering intelligence crucial to Russian governmental objectives. The targeted sectors include government, defense, transportation, media, NGOs, and healthcare, reflecting a broad scope of interest. Void Blizzard, also known as LAUNDRY BEAR, employs various techniques to infiltrate organizations and steal sensitive data.
Spear phishing and credential theft are among the primary methods used by Void Blizzard. The group has been observed using stolen credentials sourced from infostealer ecosystems and launching spear phishing campaigns with typosquatted domains to mimic authentication portals. They also utilize adversary-in-the-middle (AitM) tactics with tools like Evilginx to intercept credentials. A notable campaign in April 2025 targeted over 20 NGOs with a spear phishing attack using a typosquatted domain resembling a Microsoft Entra authentication page. Their post-compromise activities include cloud service abuse, leveraging legitimate cloud APIs for data enumeration and exfiltration, and automating the collection of emails and files from cloud services like Exchange Online and SharePoint. Meanwhile, security researchers at ESET have uncovered a separate but related cyberespionage campaign dubbed "BladedFeline" targeting Iraqi and Kurdish officials. This operation, linked to OilRig, an Iran-based APT group, utilizes malicious tools such as Whisper, PrimeCache, and Shahmaran to gain unauthorized access to computer systems. The attackers primarily compromise webmail servers to deploy Whisper, a tool designed for data exfiltration and command execution. PrimeCache, a backdoor Internet Information Services (IIS) module, allows persistent covert access to targeted servers. The campaign also highlights the continued use of the Shahmaran backdoor, previously associated with attacks targeting Kurdish diplomatic officials, indicating a sustained interest in intelligence gathering related to Kurdish affairs. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
OpenAI is facing scrutiny over its ChatGPT user logs due to a recent court order mandating the indefinite retention of all chat data, including deleted conversations. This directive stems from a lawsuit filed by The New York Times and other news organizations, who allege that ChatGPT has been used to generate copyrighted news articles. The plaintiffs believe that even deleted chats could contain evidence of infringing outputs. OpenAI, while complying with the order, is appealing the decision, citing concerns about user privacy and potential conflicts with data privacy regulations like the EU's GDPR. The company emphasizes that this retention policy does not affect ChatGPT Enterprise or ChatGPT Edu customers, nor users with a Zero Data Retention agreement.
Sam Altman, CEO of OpenAI, has advocated for what he terms "AI privilege," suggesting that interactions with AI should be afforded the same privacy protections as communications with professionals like lawyers or doctors. This stance comes as OpenAI faces criticism for not disclosing to users that deleted and temporary chat logs were being preserved since mid-May in response to the court order. Altman argues that retaining user chats compromises their privacy, which OpenAI considers a core principle. He fears that this legal precedent could lead to a future where all AI conversations are recorded and accessible, potentially chilling free expression and innovation. In addition to privacy concerns, OpenAI has identified and addressed malicious campaigns leveraging ChatGPT for nefarious purposes. These activities include the creation of fake IT worker resumes, the dissemination of misinformation, and assistance in cyber operations. OpenAI has banned accounts linked to ten such campaigns, including those potentially associated with North Korean IT worker schemes, Beijing-backed cyber operatives, and Russian malware distributors. These malicious actors utilized ChatGPT to craft application materials, auto-generate resumes, and even develop multi-stage malware. OpenAI is actively working to combat these abuses and safeguard its platform from being exploited for malicious activities. Recommended read:
References :
iHLS News@iHLS
//
OpenAI has revealed that state-linked groups are increasingly experimenting with artificial intelligence for covert online operations, including influence campaigns and cyber support. A newly released report by OpenAI highlights how these groups, originating from countries like China, Russia, and Cambodia, are misusing generative AI technologies, such as ChatGPT, to manipulate content and spread disinformation. The company's latest report outlines examples of AI misuse and abuse, emphasizing a steady evolution in how AI is being integrated into covert digital strategies.
OpenAI has uncovered several international operations where its AI models were misused for cyberattacks, political influence, and even employment scams. For example, Chinese operations have been identified posting comments on geopolitical topics to discredit critics, while others used fake media accounts to collect information on Western targets. In one instance, ChatGPT was used to draft job recruitment messages in multiple languages, promising victims unrealistic payouts for simply liking social media posts, a scheme discovered accidentally by an OpenAI investigator. Furthermore, OpenAI shut down a Russian influence campaign that utilized ChatGPT to produce German-language content ahead of Germany's 2025 federal election. This campaign, dubbed "Operation Helgoland Bite," operated through social media channels, attacking the US and NATO while promoting a right-wing political party. While the detected efforts across these various campaigns were limited in scale, the report underscores the critical need for collective detection efforts and increased vigilance against the weaponization of AI. Recommended read:
References :
@therecord.media
//
ESET researchers have revealed a long-running cyber espionage campaign conducted by an Iranian APT group named BladedFeline. The group has been actively targeting government and telecom networks in Kurdistan, Iraq, and Uzbekistan since at least 2017. BladedFeline is believed to be a subgroup of OilRig, a well-documented Iranian state-backed actor, and has managed to stay undetected within these networks for approximately eight years, continually expanding its cyber espionage capabilities.
BladedFeline utilizes a variety of malicious tools for maintaining and expanding access within targeted organizations. Notable malware includes Shahmaran, a simple backdoor used against Kurdish diplomatic officials, and more sophisticated tools like Whisper and PrimeCache. Whisper communicates with attackers through email attachments sent via compromised Microsoft Exchange webmail accounts, while PrimeCache bears similarities to RDAT, a backdoor previously associated with OilRig. Researchers suggest that BladedFeline may have initially gained access to Iraqi government systems by exploiting vulnerabilities in internet-facing servers, using a webshell called Flog to maintain control. The group's targeting reflects Iran's strategic interests in the Middle East. The Kurdistan Regional Government's diplomatic relationships and oil reserves make it an attractive target for espionage, while the focus on Iraqi governmental circles suggests an attempt to counter Western influence. ESET warns that BladedFeline is likely to continue developing its malware arsenal to retain access to compromised systems for cyber espionage purposes. The discovery highlights the persistent threat posed by Iranian APT groups and the need for robust cybersecurity measures to protect critical infrastructure and sensitive government data. Recommended read:
References :
@www.microsoft.com
//
References:
www.microsoft.com
Microsoft is aggressively integrating artificial intelligence across its products and services, striving to revolutionize the user experience. The company is focused on developing agentic systems that can work independently, proactively identify problems, suggest solutions, and maintain context across interactions. Microsoft envisions a future where AI agents will augment and amplify organizational capabilities, leading to significant transformations in various fields. To facilitate secure and flexible interactions, Microsoft is employing Model Context Protocol (MCP) to enable AI models to interact with external services.
As AI agents become more sophisticated and integrated into business processes, Microsoft recognizes the importance of evolving identity standards. The company is actively working on robust mechanisms to ensure agents can securely access data and act across connected systems, including APIs, code repositories, and enterprise systems. Microsoft emphasizes that industry collaboration on identity standards is crucial for the safe and effective deployment of AI agents. To aid organizations in safely adopting AI, Microsoft Deputy CISO Yonatan Zunger shares guidance for efficient implementation and defense against evolving identity attack techniques. Microsoft CVP Charles Lamanna offers an AI adoption playbook, emphasizing the importance of "customer obsession" and "extreme ownership" for both startups and large enterprises navigating the age of AI. Lamanna suggests focusing on a few high-impact AI projects instead of spreading resources thinly across numerous pilots. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
The Czech Republic has formally accused China of orchestrating a "malicious cyber campaign" targeting an unclassified communication network within its Ministry of Foreign Affairs. The attacks, attributed to the China-linked APT31 hacking group, are believed to have been ongoing since 2022. This action represents a significant escalation in tensions between the two nations regarding cyber espionage. In response to the detected activity, the Czech government summoned the Chinese ambassador to express its strong condemnation of these hostile actions and to convey the damaging impact on bilateral relations. The European Union has voiced its solidarity with Prague following this announcement, further highlighting the international implications of the cyberattack.
The Czech government, in a formal statement, identified the People's Republic of China as responsible for the cyber campaign. The government believes with a high degree of certainty that APT31, also known as Judgement Panda, Bronze Vinewood or RedBravo, a cyber-espionage group linked to China's Ministry of State Security, was behind the attacks. This group has a history of targeting government and defense supply chains. Czech authorities said the malicious activity “affected an institution designated as Czech critical infrastructure,” and targeted one of the Ministry of Foreign Affairs’ unclassified networks. The Czech Republic asserts that the cyberattacks violate responsible state behavior in cyberspace, as endorsed by members of the United Nations, and undermine the credibility of China. The government is demanding that China adhere to these norms and refrain from similar activities in the future. The Czech Foreign Affairs Minister stated that the attribution was intended to expose China, “which has long been working to undermine our resilience and democracy". The detection of the attackers during the operation allowed for the implementation of a new communication system for the ministry, significantly strengthening its security. Recommended read:
References :
@cyble.com
//
References:
securityaffairs.com
, ciso2ciso.com
,
A China-linked Advanced Persistent Threat (APT) group, known as UNC5221, has been actively exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software. Researchers from EclecticIQ have observed this group chaining two specific flaws, identified as CVE-2025-4427 and CVE-2025-4428, to target organizations across Europe, North America, and the Asia-Pacific region. These vulnerabilities allow for unauthenticated remote code execution, potentially granting the attackers deep access to compromised systems.
The targeted sectors include critical infrastructure such as telecommunications, healthcare, government, defense, finance, and aviation. The exploitation of these flaws began shortly after their disclosure, highlighting the speed at which UNC5221 moved to take advantage of the vulnerabilities. CISA has added the Ivanti EPMM flaw, among others, to its Known Exploited Vulnerabilities catalog, emphasizing the severity of the risk and urging organizations to apply necessary patches. The attacks facilitate further intrusion and data exfiltration, potentially leading to significant breaches and compromise of sensitive information. This campaign underscores the ongoing threat posed by state-sponsored cyberespionage and the importance of proactive security measures to defend against such attacks. Recommended read:
References :
@www.helpnetsecurity.com
//
A newly identified Russian cyber-espionage group, known as Laundry Bear by Dutch intelligence and Void Blizzard by Microsoft, has been actively targeting Western organizations since at least April 2024. This group is believed to be backed by the Russian government and is primarily focused on gathering intelligence to support Russian strategic interests. Laundry Bear's targets include government entities, defense contractors, aerospace firms, and high-tech businesses in Europe and North America, particularly those supporting Ukraine. The group's activities suggest an interest in sensitive information related to military goods, weapons deliveries, and advanced technologies that are difficult for Russia to acquire due to Western sanctions.
The primary objective of Laundry Bear is to steal sensitive emails and files from compromised systems. They achieve this by targeting cloud-based email environments, specifically Microsoft Exchange. The group employs a range of techniques, including pass-the-cookie attacks, password spraying, and spear phishing aimed at credential theft. Notably, the Dutch intelligence services identified Laundry Bear during an investigation into a credential-stealing attack against the Dutch National Police in September 2024. During this attack, Laundry Bear gained access to an account belonging to a Dutch police employee by using a stolen session cookie to obtain work-related contact information of other police employees. Microsoft has also observed Laundry Bear targeting critical sectors such as government, defense, transportation, media, NGOs, and healthcare, with a focus on organizations in Europe, North America, NATO member states, and Ukraine. The group frequently gains access by using stolen credentials, likely purchased from online marketplaces. Despite employing relatively simple attack methods and readily available tools, Laundry Bear has achieved a high success rate due to quick-paced cyber operations and efficient automation. Microsoft recommends organizations implement robust security measures to defend against such threats. Recommended read:
References :
Ddos@securityonline.info
//
A new cyber-espionage campaign has been uncovered, targeting public sector organizations in Tajikistan. The threat actor behind this campaign is TAG-110, a group linked to Russia and also known as UAC-0063 and APT28 (BlueDelta). Recorded Future’s Insikt Group discovered that TAG-110 is using macro-enabled Microsoft Word templates (.dotm files) to gain access to and exfiltrate intelligence from Tajik government, educational, and research institutions, particularly those involved in military affairs or electoral processes. This campaign reflects Russia’s strategic interest in Central Asia through intelligence-gathering operations.
These malicious Word templates are deployed through phishing lures disguised as official Tajik government documents. The templates are saved in the Microsoft Word STARTUP folder, ensuring automatic execution each time Word is launched. This tactic represents a shift from TAG-110’s previous use of HTA-based payloads like HATVIBE. The two malicious documents identified are themed around radiation safety for Tajikistan’s armed forces and election schedules in Dushanbe. Upon execution, the embedded VBA macros collect system metadata such as username, computer name, language, and resolution. This data is then sent to a hardcoded command-and-control (C2) server. The macros also establish persistence by copying themselves to the %APPDATA%\Microsoft\Word\STARTUP\ directory. Researchers state that this evolution highlights a tactical shift prioritizing persistence. The use of .dotm files and VBA macros allows TAG-110 to maintain a stealthy presence and collect data from compromised systems, turning them into surveillance nodes. Recommended read:
References :
@industrialcyber.co
//
References:
www.esecurityplanet.com
, Industrial Cyber
A joint cybersecurity advisory has been issued by intelligence and cybersecurity agencies from multiple Western nations, including the United States, the United Kingdom, Germany, and France, warning of an aggressive cyber espionage campaign orchestrated by a Russian military cyber unit. The advisory directly implicates the Russian General Staff Main Intelligence Directorate (GRU) unit 26165, also known as APT28, Fancy Bear, and Forest Blizzard. This group has been actively targeting logistics and technology companies that are involved in providing aid to Ukraine. Their operations, ongoing for over two years, involve infiltrating networks to spy on arms shipments and logistics operations.
The GRU hackers are targeting a range of entities critical to the supply chain supporting Ukraine, including defense contractors, transport hubs like airports and ports, air traffic control systems, maritime operators, and IT service providers. Affected countries include the United States, Germany, Poland, France, Romania, Ukraine, the Netherlands, and others. The attackers not only infiltrate the main target company but also go after partners and connected firms, abusing trust relationships to spread deeper. In one instance, hackers stole credentials, gaining access to sensitive information on shipments, such as train schedules and shipping manifests. The Russian hackers are employing a mix of both established and novel tactics to breach security. These tactics include credential guessing, brute-force attacks, and spearphishing emails disguised as legitimate login pages from Western email platforms. The GRU unit is also known for exploiting IP cameras in Ukraine and bordering NATO countries, likely to gather intelligence and monitor activities. Cybersecurity agencies urge logistics entities and technology companies to enhance monitoring, proactively hunt for known tactics and indicators of compromise, and fortify their network defenses, presuming they are targets. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Chinese-speaking hackers have exploited a zero-day vulnerability, CVE-2025-0994, in Trimble Cityworks software to breach multiple local governing bodies across the United States. This vulnerability, a remote code execution flaw, has been actively exploited since January 2025 by a threat actor tracked as UAT-6382. The attackers targeted enterprise networks of local governing bodies, conducting reconnaissance and deploying web shells and custom-made malware to maintain long-term access, with a particular interest in systems related to utilities management.
UAT-6382 utilized a variety of tools and techniques in their attacks. They rapidly deployed web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers. Additionally, they employed Rust-based loaders, known as TetraLoader, to deliver Cobalt Strike and VShell malware, ensuring persistent access to compromised systems. The TetraLoader was built using MaLoader, a malware building framework written in Simplified Chinese, further indicating the origin of the threat actor. Cisco Talos researchers have assessed with high confidence that UAT-6382 is a Chinese-speaking threat actor, based on tooling, TTPs, hands-on-keyboard activity, and victimology. Indicators of compromise (IOCs) related to these intrusions overlap with those listed in Trimble’s advisory. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog in February 2025. The exploitation of this flaw highlights the risk of nation-state actors targeting critical infrastructure software used by U.S. local governments and utilities. Recommended read:
References :
@industrialcyber.co
//
A Russian state-sponsored cyber espionage campaign, attributed to the GRU's APT28 (also known as Fancy Bear or Forest Blizzard), has been actively targeting Western logistics entities and technology companies since 2022. This campaign focuses on organizations involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The goal is to gain access to sensitive information and disrupt operations, presenting a serious risk to these targeted organizations and sectors across more than a dozen countries.
These Russian cyber actors have been using a mix of previously disclosed tactics, techniques, and procedures (TTPs), including credential brute force attacks, spear-phishing using multilingual lures, and malware delivery via malicious archives exploiting vulnerabilities. They've also been observed hacking into IP cameras at Ukrainian border crossings to monitor and track aid shipments. The GRU unit, known as military unit 26165, has been linked to compromising a wide array of entities, spanning air, sea, and rail transportation modes. To defend against these threats, organizations are urged to familiarize themselves with the identified TTPs and indicators of compromise (IOCs), increase monitoring and threat hunting, and strengthen their network defenses. The attacks have targeted companies and government organizations in numerous countries, including Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States. The advisory is co-signed by over 20 agencies from multiple countries, underscoring the global nature of this threat. Recommended read:
References :
Field Effect@Blog
//
References:
Virus Bulletin
, www.scworld.com
,
A Russia-aligned espionage operation, dubbed Operation RoundPress, has been discovered by ESET researchers. The operation targets webmail software to steal secrets from email accounts, primarily those belonging to governmental organizations in Ukraine and defense contractors in the EU. The Sednit group, also known as APT28 and Fancy Bear, is suspected to be behind the attacks, leveraging spear-phishing emails that exploit XSS vulnerabilities to inject malicious JavaScript code into targeted webmail pages.
The attackers initially targeted Roundcube, but later expanded their reach to include other webmail software such as Horde, MDaemon, and Zimbra. The operation exploits security holes in webmail software to target Ukrainian governmental entities and defense companies in Eastern Europe. Some attacks have even circumvented two-factor authentication, demonstrating the sophistication of the operation and the challenges it poses to threat detection and response mechanisms. While most of the victims are currently based overseas, security experts suggest that North American entities, particularly those in government, defense, and critical infrastructure sectors, could also be targeted. The group's ability to exploit both known and zero-day vulnerabilities across multiple platforms, coupled with the ability to adapt payloads to specific targets, underscores the need for organizations using vulnerable webmail platforms to remain vigilant. According to experts the hackers are able to steal credentials, emails and contacts without persistent malware installation. Recommended read:
References :
|