Cyber security weekly summary 1 - 7 May

The cyber security related events in the last week were dominated by a massive leak of internal information of Emmanuel Macron's movement En Marche!, which occurred on May 5. Based on initial analyses, some of the documents dated up to April 24 contained metadata, indicating that they were at some point opened by a computer with Russian-language software settings. This may be both a case of Russian hackers, who purportedly stole them (as the act bears typical traits of their information operations) or someone, who was trying to impersonate such actors.

Russian culpability has also been implied by Commander of the U.S. Cyber Command Michael Rogers, who on May 9 stated that the American security community was aware that Russian hackers sought to penetrate French computer infrastructure and gave their French counterparts a heads up. Rogers added, that in such cases Washington also collaborates with the United Kingdom and Germany.

On May 3 Palo Alto Networks published a report about newly found espionage malware called Kazuar. The researchers are suspecting that Kazuar is a new tool of the Russia-connected APT group, known as Turla, which have been infiltrating embassies, defence contractors, and research organisations around the globe for decades. Based on the analysis of the source code, Kazuar is believed to have also versions for operation systems Mac OS and UNIX. Aside of modularity, support for various communication protocols and other typical functions the malware is specific by its ability to set up a web server on infected machines, which enables to instruct the malware in more flexible manner while lowering the risk of its detection.

According to security company Proofpoint the newly founded vulnerability in Microsoft Office (CVE-2017-0199) was used by Chinese APT group TA459 to attack financial analyst from Russia and neighbouring states, specialised in the telecommunications industry. Russia, Belarus, Mongolia are the typical targets of the group, known for its earlier espionage against military organisations and telecommunication. To advance its goals TA459 uses various tools including PlugX, NetTraveler, Saker, Netbot, DarkStRat and ZeroT. The recent campaign which exploits the said vulnerability with spyware-delivering MS Word document is considered being a part of the espionage operations lasting from 2015.

On May 4 GuardiCore Labs informed about a new botnet of 15 thousand compromised servers that are currently used for cryptocurrency mining. Actors behind the so-called Bondnet, which was firstly discovered in January 2017, are primarily interested in Monero and other less famous currencies. The targeted computers on Windows server platform, are breached via a variety of exploits as well as brute force attacks. Machines are subsequently installed with a trojan which deploys a currency mining software. So far Bondnet serves only for digital currency generation, but it may be also used as a platform for cyber espionage and DDoS attacks.

About author: Roman Šulc

Partners

Tento web používá k analýze návštěvnosti soubory cookie. Používáním tohoto webu s tím souhlasíte. Další informace