TA569 Suspected of Phishing Attack against Russia and Germany
maio 8, 2023
I. Overview On April 18, 2023, NSFOCUS Security Labs discovered a spear phishing attack against Russia during daily threat hunting. After correlation analysis of the event, NSFOCUS Security Labs confirmed that the attacker also launched a similar phishing attack against Germany. The active time of the attacker, the attack target, the type of tool used, […]
Bread Crumbs of Threat Actors (Feb 13 – 26, 2023)
março 10, 2023
From 13 to 26 February 2023, NSFOCUS Security Labs found activity clues from 66 APT groups, one malware family (CoinMiner), and 426 threat actors targeting critical infrastructure. APT Groups Among the 66 APT groups discovered, the APT28 affected the most significant number of hosts from 13 to 26 February. Number of hosts affected by APT […]
Bread Crumbs of Threat Actors (Dec 19, 2022 – Jan 1, 2023)
janeiro 12, 2023
From December 19, 2022 to Jan 1, 2023, NSFOCUS Security Labs found activity clues of 61 APT groups, 3 malware families (Zbot botnet, SpicyHotPot Trojan, and Banload Trojan), and 490 threat actors targeting critical infrastructure. APT Groups Among the 61 APT groups discovered, the APT28 affected the most significant number of hosts from December 19 […]
Analysis of Cyber Attack of APT Organization Confucius against Pakistan’s Intelligence-Based Operation
janeiro 12, 2023
Overview Affected by many factors, Pakistan has long suffered from serious local terrorism threats. The country has also taken counter-terrorism as an important national security strategy. In the second half of 2022, the Pakistani security forces carried out many intelligence-based operations (IBO) in Baluchistan, Khyber and North Waziristan, and killed many terrorists. Pakistan’s recent high-profile […]
APT Group Lazarus Distributing Korean Phishing Lures to Feel Out Cryptocurrency Users
abril 12, 2022
Overview Recently, NSFOCUS Security Labs captured a series of phishing documents containing specific Korean bait information. Most of these documents contain keywords such as “BTC”, “ETH”, “NFT”, and “account information”, which trick victims into opening them and then use remote template injection to implant malicious programs, thereby stealing host information. Analysis shows that these phishing […]
APT Lorec53 group launched a series of cyber attacks against Ukraine
fevereiro 21, 2022
Overview Recently, NSFOCUS Security Labs captured a large number of phishing files against Ukraine in format of pdf, doc, cpl, lnk and other types. After analysis, we confirmed that the series of phishing activities came from the APT group Lorec53. During the period from the end of 2021 to February 2022, this group used multiple […]
India’s National APT Organization SideWinder Launched Phishing Attacks
fevereiro 17, 2022
Overview Recently, NSFOCUS Labs discovered that the South Asian APT organization SideWinder launched phishing attacks with documents used Pakistan National Day-related content as the bait. The domain name of command and control (C2) server was forged as a Pakistani government website. Since SideWinder ‘s targets include Pakistan and China, it has always been considered an […]
Russian APT Group Gamaredon Launches Phishing Campaign against Ukrainian Ministry of Foreign Affairs
fevereiro 10, 2022
Recently, NSFOCUS Security Labs captured a fishing document with the theme “ПАРТНЕРИ КУЛЬТУРНОЇ ДИПЛОМАТІЇ МЗС УКРАЇНИ” (Cultural Diplomatic Partner of the Ukrainian Ministry of Foreign Affairs), and confirmed that the producer of the document was Gamaredon, a Russia-based advanced persistent threat group. The phishing document contains highly credible bait content, and uses a payload protection method […]
APT Retrospection: Lorec53, An Active Russian Hack Group Launched Phishing Attacks Against Georgian Government
fevereiro 8, 2022
Summary In July 2021, several phishing documents created in Georgian were discovered by NSFOCUS Security Labs. In these phishing documents, the attackers used current political hotspots in Georgia to create bait and deliver a secret stealing Trojan to specifically targeted victims aiming to steal various documents from their computers. Correlation analysis shows that this phishing […]
Overseas APT Organization Exploits Vulnerabilities to Breach Sangfor SSL VPNs and Deliver Malicious Code Threat Alert
abril 20, 2020
Overview
On April 6, Sangfor released an advisory, announcing that an overseas APT organization illegally took control of some of their SSL VPN devices and sent malicious files to clients by exploiting a client upgrade vulnerability. NSFOCUS has kept a close eye on this issue and conducted overall analysis. We advise related users to take precautions as soon as possible.
The vulnerability exists due to the defect of the upgrade module signature authentication mechanism of the Windows client of SSL VPN devices. The prerequisite for exploitation is that attackers must take control of SSL VPN privileges. According to Sangfor’s analysis, this vulnerability is difficult to exploit. Therefore, Sangfor estimates that there are only a limited number of affected VPN devices. According to the NSFOCUS security team, not many VPN devices have been compromised by the APT organization, but the affected versions are widely used in enterprises in China.