România Cyber Center’s Post

The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader

"Reptile Rootkit: A Sophisticated Linux Malware Targeting Systems in South Korea" In recent events, threat actors have been observed utilizing an open-source #rootkit named "#Reptile" to target Linux-based systems in South Korea. According to a report published by the #AhnLab Security Emergency Response Center (#ASEC), Reptile distinguishes itself from other rootkit #malware by offering an additional capability - a reverse shell, which allows the attackers to assume control over the compromised systems. One noteworthy feature employed by Reptile is "port knocking," a technique where the malware opens a specific port on the infected system and enters a standby mode. Subsequently, when the threat actors transmit a special "magic packet" to the system, it serves as a trigger to establish a connection with the Command and Control (C&C) #server. #Rootkits are malicious software programs specifically designed to grant unauthorized and privileged access to a machine at the root level while effectively concealing their existence from detection. Since 2022, Reptile has been associated with at least four distinct campaigns, highlighting its growing prevalence and significance in cyber threats targeting Linux environments in South Korea. #cybersharks #itnews #informationsecurity #cybernews #hacker #ethicalhacker source: https://lnkd.in/dZjmvwVm

A Russia-linked threat group known as Turla has infected a European non-governmental organization (NGO) with a backdoor called TinyTurla-NG. The attack occurred in October 2023, with data exfiltration taking place in January 2024.The same malware was previously used in a cyber attack on a Polish NGO, indicating highly targeted activity. Turla used various techniques, such as creating exclusions in antivirus products and utilizing the Chisel tunneling software, to evade detection and maintain persistence. The exact method of intrusion is still under investigation #soc #socanalyst #securityoperationscenter #cybersecurityanalyst #cybersecuritynews #malware #cyberattacks #micorsoft #vulnerability #securityawareness #Cisco #redteam #blueteam #applenews #googlecybersecurity #google #apple #ios #osint

The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader... Read more on the following blog article!

The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader

🛑 The infamous Russian hacking collective, known as APT28, is now using a legitimate Microsoft Windows feature to deploy infostealers and other malware to their victims. A new paper from IBM’s cybersecurity arm, X-Force claims the campaign has been active between November last year, and February this year. As per the report, the attackers (also known as Fancy Bear, Forest Blizzard, or ITG05) are impersonating government and NGO organizations in Europe, South Caucasus, Central Asia, and North and South America, reaching out to their victims via email. The emails contain weaponized PDF files. The PDFs come with URLs that lead to compromised websites, which can abuse the “search-ms:” URI protocol handler, as well as the “search:” application protocol. The handler allows apps and HTML links to launch custom local searches on a device, whale the protocol serves as a mechanism for calling the desktop search application on Windows. As a result, the victims end up performing searches on an attacker-controlled server, and coming up with malware displayed in Windows Explorer. This malware is disguised as a PDF file, which the victims are invited to download and run. The malware is hosted on WebDAV servers which themselves are most likely hosted on compromised Ubiquiti routers. These routers were part of a botnet what was apparently taken down by the U.S. government last month, The Hacker News reports. We don’t know who the victims are, but it’s safe to assume they’re from the same countries as the government and NGO agencies being impersonated in the attacks: Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S. #russian #hackers #microsoft #windows #cybersecurity #malware

Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders: The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader

"The infamous Russian hacking collective, known as APT28, is now using a legitimate Microsoft Windows feature to deploy infostealers and other malware to their victims.  The attackers (also known as Fancy Bear, Forest Blizzard, or ITG05) are impersonating government and NGO organizations in Europe, South Caucasus, Central Asia, and North and South America, reaching out to their victims via email. The emails contain weaponized PDF files." It's critical that you arm your employees - and your security team - with the tools they need to STOP phishing attacks before they happen. It's time for PhishCloud Inc. PhishCloud arms employees with the tools they need to clearly spot and avoid #phishingattacks, across all digital platforms – not just email – letting them Click with Confidence.   PhishCloud gives your security team the real-time visibility and control they need to see and block #phishing attacks your employees see. And with real-time metrics, you no longer need to rely on simulations and reporting to understand your phishing risk. And PhishCloud delivers reality-based training that imparts real knowledge, not just awareness. Sound too good to be true? Let us show you the power of PhishCloud Inc. Book a 15-minute demo at PhishCloud Inc.   #technology #innovation #informationsecurity #phishingattackprevention https://lnkd.in/eus2Sjc4

Targets located in Azerbaijan have been singled out as part of a new campaign that's designed to deploy Rust-based malware on compromised systems. Cybersecurity firm Deep Instinct is tracking the operation under the name Operation Rusty Flag. It has not been associated with any known threat actor or group. "The operation has at least two different initial access vectors," security researchers... Read more on the following blog article!

Carderbee Attacks: Hong Kong Organizations Targeted via Malicious Software Updates An attack on a software supply chain that targeted businesses primarily in Hong Kong and other parts of Asia has been linked to a previously unreported threat cluster. Under the insect-themed alias Carderbee, the Broadcom subsidiary Symantec Threat Hunter Team is monitoring the behavior. According to the cybersecurity company, the assaults use a trojanized version of the legitimate program EsafeNet Cobra DocGuard Client to install PlugX (also known as Korplug), a known backdoor, on the target networks. Reference from https://lnkd.in/djraXDeM #hongkong #cyberattack #threathunting #trojan Cyber Sleuths Cyber Security Association of India #backdoor #networking