Tag Archive for: hackers

Chinese Hackers Indicted in New York for Targeting Government


(TNS) — A band of hackers sent a years-long barrage of malicious e-mails to U.S. politicians, government officials, and private companies as part of a Chinese espionage and intelligence operation, federal prosecutors in Brooklyn said.

The feds on Monday announced the indictment of seven members of a Chinese state-run hacking operation, known in the cyber security community as Advanced Persistent Threat 31, running out of Wuhan since 2010. The indicted suspects all live in China, and have not been arrested by U.S. law enforcement agents.

The group sent tens of thousands of phishing e-mails to government and political officials in the U.S., as well as their family members and other contacts, usually pretending to be from prominent American journalists, according to the indictment.


The e-mails had links to what looked like real news articles, but opening the e-mail would activate a tracking link, sending location, device and network data back to a server controlled by the hackers.

They’d then use that info to target home routers and electronic devices, the feds allege.

“This case serves as a reminder of the ends to which the Chinese government is willing to go to target and intimidate its critics, including launching malicious cyber operations aimed at threatening the national security of the United States and our allies,” Attorney General Merrick Garland said Monday.

The targets included White House officials and their spouses, officials with the departments of Justice, Commerce, Treasury and State, and senators from both parties across 10 states. The hackers also tried their e-mail schemes on defense contractors, political strategists, commentators and advocates, according to the feds.

In May 2020, the hackers targeted staffers for a presidential campaign — the indictment wouldn’t say which campaign — and sent out tracking e-mails to more political campaigns that November, the feds allege.

Dissidents critical of the Chinese government and their supporters also found themselves in the hackers’ crosshairs, the feds said.

They also used custom malware and “zero-day exploits,” so named because they take…

Source…

U.S. and UK Impose Sanctions on APT 31 Chinese Hackers


In a significant move to counter cyber threats, the United States and the United Kingdom have imposed sanctions on a group of China-linked hackers accused of targeting critical infrastructure in the U.S.

The coordinated action includes indictments, sanctions, and a rewards program aimed at curtailing the activities of these cyber operatives.

The U.S. Department of Justice has unsealed indictments against Zhao Guangzong, Ni Gaobin, and five other individuals for their involvement in a series of cyber attacks.

These individuals are believed to be connected to the Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), which is allegedly a front for the Chinese Ministry of State Security (MSS).

The Office of Foreign Assets Control (OFAC) of the Department of the Treasury has sanctioned Wuhan XRZ and the two Chinese nationals, Zhao Guangzong and Ni Gaobin, for their roles in the cyber operations.

These operations have targeted entities within the U.S. critical infrastructure sectors, posing a direct threat to national security.

APT 31: A Chinese Malicious Cyber Group

The hackers are affiliated with the state-sponsored Advanced Persistent Threat group 31 (APT 31), which is known for its sophisticated cyber espionage campaigns.

OFAC’s sanctions are pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757, which targets individuals and entities responsible for or complicit in cyber-enabled activities that threaten the U.S.

This action represents a collaborative effort involving the U.S. Department of Justice, the Federal Bureau of Investigation (FBI), the Department of State, and the UK Foreign,…

Source…

Russian Hackers Use ‘WINELOADER’ Malware to Target German Political Parties


Mar 23, 2024 | Newsroom | Cyber Espionage / Cyber Warfare

The WINELOADER backdoor used in recent cyber attacks targeting diplomatic entities with wine-tasting phishing lures has been attributed to a hacking group with links to Russia’s Foreign Intelligence Service (SVR), which was responsible for breaching SolarWinds and Microsoft.

The findings come from Mandiant, which said Midnight Blizzard (aka APT29, BlueBravo, or Cozy Bear) used the malware to target German political parties with phishing emails bearing a logo from the Christian Democratic Union (CDU) around February 26, 2024.

“This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions,” researchers Luke Jenkins and Dan Black said.

WINELOADER was first disclosed by Zscaler ThreatLabz last month as part of a cyber espionage campaign that’s believed to have been ongoing since at least July 2023. It attributed the activity to a cluster dubbed SPIKEDWINE.

Attack chains leverage phishing emails with German-language lure content that purports to be an invite for a dinner reception to trick recipients into clicking on a phony link and downloading a rogue HTML Application (HTA) file, a first-stage dropper called ROOTSAW (aka EnvyScout) that acts as a conduit to deliver WINELOADER from a remote server.

“The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website,” the researchers said. “ROOTSAW delivered a second-stage CDU-themed lure document and a next stage WINELOADER payload.”

WINELOADER, invoked via a technique called DLL side-loading using the legitimate sqldumper.exe, comes equipped with abilities to contact an actor-controlled server and fetch additional modules for execution on the compromised hosts.

It’s said to share similarities with known APT29 malware families like BURNTBATTER, MUSKYBEAT, and BEATDROP, suggesting the work of a common developer.

WINELOADER, per the Google Cloud subsidiary, has also been employed in an operation targeting diplomatic…

Source…

Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds


When thousands of security researchers descend on Las Vegas every August for what’s come to be known as “hacker summer camp,” the back-to-back Black Hat and Defcon hacker conferences, it’s a given that some of them will experiment with hacking the infrastructure of Vegas itself, the city’s elaborate array of casino and hospitality technology. But at one private event in 2022, a select group of researchers were actually invited to hack a Vegas hotel room, competing in a suite crowded with their laptops and cans of Red Bull to find digital vulnerabilities in every one of the room’s gadgets, from its TV to its bedside VoIP phone.

One team of hackers spent those days focused on the lock on the room’s door, perhaps its most sensitive piece of technology of all. Now, more than a year and a half later, they’re finally bringing to light the results of that work: a technique they discovered that would allow an intruder to open any of millions of hotel rooms worldwide in seconds, with just two taps.

Today, Ian Carroll, Lennert Wouters, and a team of other security researchers are revealing a hotel keycard hacking technique they call Unsaflok. The technique is a collection of security vulnerabilities that would allow a hacker to almost instantly open several models of Saflok-brand RFID-based keycard locks sold by the Swiss lock maker Dormakaba. The Saflok systems are installed on 3 million doors worldwide, inside 13,000 properties in 131 countries.

By exploiting weaknesses in both Dormakaba’s encryption and the underlying RFID system Dormakaba uses, known as MIFARE Classic, Carroll and Wouters have demonstrated just how easily they can open a Saflok keycard lock. Their technique starts with obtaining any keycard from a target hotel—say, by booking a room there or grabbing a keycard out of a box of used ones—then reading a certain code from that card with a $300 RFID read-write device, and finally writing two keycards of their own. When they merely tap those two cards on a lock, the first rewrites a certain piece of the lock’s data, and the second opens it.

“Two quick taps and we open the door,” says Wouters, a researcher in the Computer Security and Industrial Cryptography group at…

Source…