This week’s activities in cyber gangland. Trends in ransomware. Rackspace works to remediate a ransomware incident.

By the CyberWire staff

At a glance.

This week’s activities in cyber gangland. Trends in ransomware. Rackspace works to remediate a ransomware incident. Blind spots in air-gapped networks. Updates on hybrid war activity. Third-party incidents in New Zealand and Belgium. Data breach at Amnesty International Canada linked to China.

This week’s activities in cyber gangland.

Mobile security firm Zimperium has discovered an Android threat, the Schoolyard Bully Trojan. The Trojan has been active since 2018 and primarily targets Vietnamese readers. It can steal credentials from victims' Facebook accounts, including email, phone number, password, ID, and name. For more on Schoolyard Bully, see CyberWire Pro.

Bitdefender has published a report describing a Chinese cyberespionage operation targeting telecom providers in the Middle East. The threat actor gained initial access by exploiting the ProxyShell vulnerability in Microsoft Exchange Server. After gaining access, the threat actor deployed multiple tools to establish persistence, move laterally, and escalate privileges. These included the Irafau and Quarian backdoors and the Pinkman Agent. Bitdefender suspects the threat actor is BackdoorDiplomacy, a China-linked APT discovered last year by researchers at ESET. ESET noted that the group primarily targets Ministries of Foreign Affairs in the Middle East and Africa and, less frequently, telecommunication companies. Bitdefender attributes this campaign to BackdoorDiplomacy based on the domains used for command-and-control. For more on BackdoorDiplomacy, see CyberWire Pro.

Secureworks Counter Threat Unit researchers investigated the Drokbk malware, found to be operated by Cluster B, a subgroup of Iran’s government-sponsored COBALT MIRAGE threat group. The malware uses GitHub as a dead drop resolver to locate its command and control (C2) infrastructure. Using GitHub lets these threat actors fly under the radar more easily. “The use of Github as a…
