cybersecurity

cross-posted from: https://lemmy.sdf.org/post/35083943

Archived

Advanced persistent threat (APT) groups with ties to China have become persistent players in the cyber espionage landscape, with a special emphasis on European governmental and industrial entities, according to a thorough disclosure from ESET’s APT Activity Report for Q4 2024 to Q1 2025.

The report, covering activities from October 2024 to March 2025, highlights the sophisticated tactics and tools employed by these threat actors to infiltrate sensitive networks.

[...]

These diverse and innovative techniques illustrate the persistent dedication of China-aligned APTs to espionage, often prioritizing long-term access over immediate financial returns.

The ESET report emphasizes that the highlighted operations are merely a snapshot of the broader threat landscape, with intelligence derived from proprietary telemetry data and verified by expert researchers.

The sustained focus on European targets by these APT groups signals a strategic intent to gather sensitive political and industrial intelligence, potentially influencing geopolitical dynamics.

[...]

This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

• AI media generation is a significant trend in how we use the Internet in 2025. Kling AI is a widely used platform, with 6 million users since its launch in June 2024.
• A threat actor mimicked Kling AI and drove traffic to a convincing fake website via counterfeit Facebook pages and paid ads.
• User submissions of a text prompt or image on this fake site produce a seemingly innocent media file whose filename uses Hangul Filler characters to conceal an executable.
• In some cases, the executable’s loader used .NET Native AOT compilation for stealth. Executing it installs an infostealer with monitoring capabilities.
• This campaign has a global reach, with victims reported across multiple regions, most notably in Asia.

A brief look at all things infostealers for the week 20, 2025 (12.05.2025–18.05.2025). This week observed updates from LummaC2, MonsterV2 and KatzStealer infostealers. Grabbed some numbers from marketplaces and some interesting news/articles.

cross-posted from: https://lemmy.sdf.org/post/34853591

Archived

The world is in a cyberwar in every sense except a legal one because no side has declared war, said Mart Noorma, director of the NATO Cooperative Cyber Defense Center of Excellence (CCDCOE) in Tallinn. Russian hackers' goal is to sow chaos and steal money, he said.

[...]

The avalanche of attacks from Russia is very intense. "The bad actors think they can attack as much as they can, limited only by how well countries can defend themselves and hold the criminals accountable," he told the show.

"The West constantly feels how hacker groups supported by the Russian authorities are carrying out attacks against us. By supporting hacker groups, the state can more easily create confusion. Then the state is not directly connected. Creating chaos has been a constant for Russia — their goal is to achieve geopolitical and cognitive effects so that people in democratic countries begin to doubt their values and governments. Even influencing presidential elections is of interest to the hackers," he explained.

"Quite often, Russian hackers also have financial motives — the proceeds are divided among state agencies," Noorma explained.

[...]

Archived

• In Operation RoundPress, the compromise vector is a spearphishing email leveraging an XSS vulnerability to inject malicious JavaScript code into the victim’s webmail page.
• In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra.
• For MDaemon, Sednit used a zero-day XSS vulnerability. We reported the vulnerability to the developers on November 1st, 2024 and it was patched in version 24.5.1.
• Most victims are governmental entities and defense companies in Eastern Europe, although we have observed governments in Africa, Europe, and South America being targeted as well.
• The report provides an analysis of the JavaScript payloads SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA.
• These payloads are able to steal webmail credentials, and exfiltrate contacts and email messages from the victim’s mailbox. Additionally, SpyPress.MDAEMON is able to set up a bypass for two-factor authentication.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

cross-posted from: https://lemmy.sdf.org/post/34652759

Archived

Cyber attacks were the most common form of hybrid threat faced by Australia in the last decade, but economic coercion and foreign interference are not far behind.

[...]

Analysts at the Australian Strategic Policy Institute have been tracking hybrid threats against Australia since March 2016, and between then and February 2025 have tracked 74 discrete activities targeting the country.

Given the growing state of digital connectivity across the globe, cyber security incidents and attacks make up approximately 35 per cent of all hybrid activity. Both private and public sector companies have been targeted by largely PRC-backed hackers, such as Naikon, APT40, APT27 and Aoqin Dragon, as well as critical infrastructure entities.

[...]

“The ASPI research into hybrid threats underscores a key trend observation that we have always expected would occur: nation-state aligned threat actors are prioritising cyber security as the foremost battleground in today’s modern, digital world. Whether it is cyber-espionage or targeting critical infrastructure for sabotage, this type of conflict is no longer relegated to complex stories found in television and movies,” Satnam Narang, senior staff research engineer at Tenable, told Defence Connect.

Economic coercion, foreign interference, and narrative & disinformation campaigns all make up about 20-25 per cent each targeted activity, and here again, China is highly active. China is thought to have engaged in efforts to sway debate toward far-right sources during the Voice to Parliament campaign, and its extensive Spamouflage network of fake social media accounts targeted an Australian rare earth mining company in recent years as well.

Journalists and members of the Chinese diaspora in Australia have also been targeted by Chinese influence and harassment campaigns.

China’s efforts to impact the Australian economy include tariffs and bans on Australian produce, trade restrictions, and even consumer boycotts

[...]

“Economic coercion involves actions that go beyond standard trade policy [such as tariffs], including: engaging in targeted boycotts; blocking access to essential resources; and imposing sanctions with the explicit goal of forcing political concessions.”

Military and paramilitary coercion only makes up about 15 per cent of hybrid activity, but as ASPI notes, such activity has increased in the last few years, and, again, China is the main culprit. Only recently, we have had the example of a Chinese naval flotilla performing firing drills in the Tasman Sea and aerial encounters between Chinese and Australian military aircraft in the South China Sea – all just in February 2025 alone.

[...]

Of course, while China is responsible for the bulk of hybrid activity targeting Australia, it is not alone. China is responsible for 69 per cent of such activity, with Russia the next most active nation at 11 per cent of activity, trailed closely by Iran, which makes up fully ten per cent of hybrid threat activity.

Other nations make up four per cent of activity, unidentified hackers responsible for five per cent of threat activity, and ideologically motivated violent extremism is one per cent.

[...]

cross-posted from: https://lemmy.sdf.org/post/34536054

Archived

China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures, according to a research.

In April 2025, China-nexus nation-state APTs (advanced persistent threat) launched high-temp exploitation campaigns against critical infrastructure networks by targeting SAP NetWeaver Visual Composer. Actors leveraged CVE-2025-31324 [...], an unauthenticated file upload vulnerability that enables remote code execution (RCE). This assessment is based on a publicly exposed directory (opendir) found on attacker-controlled infrastructure, which contained detailed event logs capturing operations across multiple compromised systems.

[...]

EclecticIQ analysts link observed SAP NetWeaver intrusions to Chinese cyber-espionage units including UNC5221 [...], UNC5174 [...], and CL-STA-0048 [...] based on threat actor tradecrafts patterns. Mandiant and Palo Alto researchers assess that these groups connect to China's Ministry of State Security (MSS) or affiliated private entities. These actors operate strategically to compromise critical infrastructures, exfiltrate sensitive data, and maintain persistent access across high-value networks worldwide.

[...]

Targets of the campaign were

• natural gas distribution networks, water and integrated waste management utilities in the United Kingdom,

• medical device manufacturing plants oil and gas exploration and production companies in the United States, and

• government ministries in Saudi Arabia that are responsible for investment strategy and financial regulation.

[...]

• The new class of vulnerabilities in Intel processors arises from speculative technologies that anticipate individual computing steps.
• Openings enable gradual reading of entire privilege memory contents of shared processor (CPU).
• All Intel processors from the last 6 years are affected, from PCs to servers in data centres.