Cyber security weekly summary 3 - 9 April

Prior to the first meeting between US President Donald Trump and his Chinese counterpart Xi Jinping, which also dealt with the matter of cybersecurity, several new campaigns by the Chinese government-linked hacking group APT10 were uncovered. The group has been known to the security community since 2009, when it attacked the US defence industry.

A report by the security firm Fidelis, published on April 5, describes how the espionage was carried out via a compromised web page of the Washington-based National Foreign Trade Council. This lobby group brings together many influential people from the financial sector. The short campaign, uncovered in February 2017, used the JavaScript reconnaissance framework known as Scanbox, which was loaded through links the attackers placed on several pages of the organisation's site. Scanbox then collected information about visitors' computers, which can serve as a basis for further attacks.

At the same time the security companies PwC and BAE Systems, in cooperation with the British National Cyber Security Centre, described another string of attacks by APT10. This campaign combined phishing and specialised malware in attacks on managed service providers (MSPs), such as cloud platforms, and on their clients. The attackers were thus able to obtain a large amount of sensitive information across a wide variety of industries. PwC also documented a third campaign aimed exclusively at Japanese organisations, in which the group posed as a local government authority.

According to experts, the number of cases of Chinese economic espionage has declined, which is often ascribed to the "cyber agreement" between China and the US; nevertheless, the campaigns that persist are more targeted and sophisticated. As for APT10, it is estimated that over the past three years the group has considerably strengthened both its personnel and its logistics, and the campaigns unveiled so far are considered to be a mere fraction of its operations.

On April 4 the security company Kaspersky Lab reported a case in which unknown attackers took complete control of all online operations of a major, undisclosed Brazilian bank. During the incident on 22 October 2016 the attackers managed to alter the bank's DNS registration records, so visitors to its regular web pages were redirected for more than five hours to meticulously crafted phishing sites that presented valid security certificates. Hundreds of thousands of computers were infected by malware that recorded their login and e-mail credentials as well as other data. The operation was preceded by a months-long preparation phase, which compromised the bank's DNS provider. Researchers at Kaspersky Lab believe that the perpetrators also redirected all transactions from ATM and POS systems to their own servers, allowing them to obtain clients' credit card information.
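The DNS-hijack scenario above is worth monitoring for from outside the organisation, because a compromised DNS provider changes what the public sees, not what the bank's internal systems see. The following is an added example written for this summary, not code from Kaspersky Lab's report or from the bank: it compares an external snapshot of a domain's NS delegation, A records and served certificate issuer against a recorded baseline and returns the drift findings a monitor would alert on. All domain names, IP addresses and issuer names are constructed placeholders.

```python
# Added example (not from the summary or from Kaspersky's report): an external
# baseline check that flags the kind of change described above, where DNS
# records are altered at the provider and visitors land on a look-alike site
# that presents a valid certificate from a different issuer.
# All record values below are constructed placeholders.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Snapshot:
    """What an external monitor observed for a domain at one point in time."""
    nameservers: set[str]   # authoritative NS names from the parent zone
    a_records: set[str]     # IPv4 addresses the hostname resolves to
    cert_issuer: str        # issuer of the TLS certificate served on port 443


def dns_drift(domain: str, baseline: Snapshot, observed: Snapshot) -> list[str]:
    """Return human-readable findings where the observed state leaves the baseline.

    An empty list means nothing changed. Any NS change is reported, because a
    delegation change is the registrar-level takeover signal; A records are
    reported only when they point outside the known set, so rotating among
    known addresses does not alert; an issuer change is reported because a
    hijacker can obtain a *valid* certificate, just not from the same CA.
    """
    findings: list[str] = []

    if observed.nameservers != baseline.nameservers:
        added = sorted(observed.nameservers - baseline.nameservers)
        removed = sorted(baseline.nameservers - observed.nameservers)
        findings.append(
            f"{domain}: NS delegation changed (added={added}, removed={removed})"
        )

    unexpected_ips = sorted(observed.a_records - baseline.a_records)
    if unexpected_ips:
        findings.append(f"{domain}: A records outside baseline: {unexpected_ips}")

    if observed.cert_issuer != baseline.cert_issuer:
        findings.append(
            f"{domain}: certificate issuer changed from "
            f"{baseline.cert_issuer!r} to {observed.cert_issuer!r}"
        )
    return findings


# Constructed sample data: the recorded baseline, a normal observation where
# one of the known addresses is in rotation, and a hijacked observation.
DOMAIN = "bank.example"
BASELINE = Snapshot(
    nameservers={"ns1.dnsprovider.example", "ns2.dnsprovider.example"},
    a_records={"198.51.100.10", "198.51.100.11"},
    cert_issuer="Example Trusted CA",
)
OBSERVED_OK = Snapshot(
    nameservers={"ns1.dnsprovider.example", "ns2.dnsprovider.example"},
    a_records={"198.51.100.11"},
    cert_issuer="Example Trusted CA",
)
OBSERVED_HIJACKED = Snapshot(
    nameservers={"ns1.attacker-controlled.example", "ns2.attacker-controlled.example"},
    a_records={"203.0.113.7"},
    cert_issuer="Other Public CA",
)


def run_checks() -> dict[str, list[str]]:
    """Run both constructed observations against the baseline."""
    return {
        "ok": dns_drift(DOMAIN, BASELINE, OBSERVED_OK),
        "hijacked": dns_drift(DOMAIN, BASELINE, OBSERVED_HIJACKED),
    }


if __name__ == "__main__":
    for label, findings in run_checks().items():
        print(f"[{label}] {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

In practice the observation would be gathered from several public resolvers and the parent zone rather than from the organisation's own resolvers, and the issuer check is a complement to, not a substitute for, certificate-transparency log monitoring for the domain.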

WikiLeaks continued its Vault 7 series, releasing documents that allegedly describe cyber tools and techniques used by the CIA. On April 7 the site published a new batch of files named "Grasshopper", following the previous archive, called Marble, published on March 31. Grasshopper describes a platform designed to build and deliver adaptable malware that can be tuned to the specifics of an infected system. This enables long-term reconnaissance of compromised infrastructure and its exploitation. According to WikiLeaks, the described tools went undetected even by leading antivirus products from Kaspersky, Symantec, and Microsoft.

While analysing the files published by WikiLeaks, researchers from Symantec noticed that details in the leaked materials, such as cryptographic protocols and obfuscation techniques, are consistent with the practices of the Longhorn APT group, active since at least 2011. The group is known for using zero-day vulnerabilities and sophisticated malware. Longhorn is typically interested in governments and international organisations, with special emphasis on the financial sector, telecommunications, energy, aviation and other strategically important industries. So far at least 40 such entities in 16 countries across the Middle East, Europe, Asia and Africa have been attacked (none of its campaigns has ever targeted North America).

About the author: Roman Šulc
