Geopolitical Cybernews Digest: Cyber Threats from Russia, North Korea, U.S., Saudi Arabia, France, Philippines, Ukraine, Belarus, and Colombia

This week’s cybersecurity landscape highlights the growing intersection between geopolitical conflict and cyberattacks. 

North Korean and Russian-linked threat actors continue to push boundaries, exploiting vulnerabilities, infiltrating critical infrastructure, and targeting unsuspecting victims across the globe.

Significant ransom payment by major Iranian IT firm underway

Iranian IT vendor Tosan has been making installment payments to the IRLeaks cybercriminal group following a major cyberattack that compromised data from nearly 70% of Iran’s active credit entities. The government denies the breach, but we don’t need a PhD in security to assume the contrary. Tosan has already sent around $561,000 in Bitcoin, with weekly payments continuing until the full amount is reached. As far as we know, negotiations began in August. Source

Chinese Hackers Exploit VS Code in Southeast Asia Cyberattacks

China-linked APT group Mustang Panda has recently weaponized Visual Studio Code’s reverse shell feature to target Southeast Asian government entities.

This relatively new technique, first seen in September 2023, enables the group to infiltrate networks and deploy additional payloads. Unit 42 said the Mustang Panda actor used the feature to deliver malware, perform reconnaissance, and exfiltrate sensitive data. The attacker is also said to have used OpenSSH to execute commands, transfer files, and spread across the network.

We can only imagine how large this data breach is, especially because the group appears to have collaborated with other threat actors on this large-scale attack.

Source
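For defenders, the useful takeaway from the Mustang Panda item above is that the VS Code feature being abused is the editor’s own Remote Tunnels capability, which is started on a host with `code tunnel` (or `code.exe tunnel`) and, in scripted deployments, with the `--accept-server-license-terms` flag. Because the same command is also used legitimately by developers, the alert logic has to separate approved use from a tunnel that appears on a server, runs from a drop directory, or runs under an account that never uses the editor. The script below is an added example written for this digest, not code from the original post or from Unit 42; the sample process-creation events, the allowlist, the severity scoring and the helper names are all constructed here, and the tunnel flag names are the real VS Code ones.

```python
"""
Triage of process-creation events for VS Code Remote Tunnel starts.

Added example, not code from the digest or from Unit 42. Assumes an EDR or
Sysmon Event ID 1 style record with image path and full command line. The
sample events, allowlist and scoring below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample events, modelled on Sysmon Event ID 1 fields. Not real telemetry.
SAMPLE_EVENTS = [
    # Normal editor launch: no tunnel subcommand, nothing to flag.
    {"host": "ws-01", "user": "alice",
     "image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\src\app'},
    # Developer on the tunnel allowlist starting a tunnel interactively.
    {"host": "ws-02", "user": "bob",
     "image": r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\bin\code.cmd",
     "cmdline": "code tunnel --name bob-laptop"},
    # Unattended tunnel from a portable binary in C:\ProgramData, run by a
    # service account that never uses VS Code: the pattern a defender wants to see.
    {"host": "srv-fileshare", "user": "svc-backup",
     "image": r"C:\ProgramData\code.exe",
     "cmdline": r"C:\ProgramData\code.exe tunnel --accept-server-license-terms --name srv-fileshare"},
    # Linux host: tunnel started from /tmp under a web server account.
    {"host": "web-03", "user": "www-data",
     "image": "/tmp/.x/code",
     "cmdline": "/tmp/.x/code tunnel --accept-server-license-terms"},
]

# `code tunnel`, `code.exe tunnel` or `code.cmd tunnel`, with or without quoting around the binary.
TUNNEL_RE = re.compile(r"(?:^|[\\/\s\"'])code(?:\.exe|\.cmd)?[\"']?\s+tunnel\b", re.IGNORECASE)
UNATTENDED_FLAG = "--accept-server-license-terms"
# Locations a properly installed VS Code has no reason to run from.
SUSPICIOUS_PATH_RE = re.compile(
    r"(?:\\ProgramData\\|\\Public\\|\\Temp\\|^/tmp/|^/dev/shm/|^/var/tmp/)", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    user: str
    severity: str   # "info", "medium" or "high"
    reasons: list


def triage_event(event, allowed_users):
    """Return a Finding if the event starts a VS Code tunnel, else None."""
    if not TUNNEL_RE.search(event["cmdline"]):
        return None
    reasons = ["VS Code tunnel started: a remote party can open a terminal on this host"]
    score = 0
    if UNATTENDED_FLAG in event["cmdline"]:
        reasons.append("unattended start (license auto-accepted), typical of scripted deployment")
        score += 1
    if SUSPICIOUS_PATH_RE.search(event["image"]):
        reasons.append(f"binary running from a drop location: {event['image']}")
        score += 2
    if event["user"] not in allowed_users:
        reasons.append(f"user {event['user']!r} is not an approved tunnel user")
        score += 1
    severity = "info" if score == 0 else ("medium" if score < 3 else "high")
    return Finding(event["host"], event["user"], severity, reasons)


def triage(events, allowed_users):
    """Run triage_event over a batch and keep only the tunnel starts."""
    return [f for f in (triage_event(e, allowed_users) for e in events) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, allowed_users={"bob"}):
        print(f"[{f.severity}] {f.host} ({f.user})")
        for reason in f.reasons:
            print("   -", reason)
```

On the constructed sample, Bob’s interactive tunnel is reported at "info" level while the two unattended starts from drop directories score "high". In a real deployment the allowlist would come from the team that actually uses tunnels, and where the feature is not needed at all, blocking the tunnel relay at the egress proxy is a stronger control than alerting after the fact.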

Blind Eagle Hits Colombian Insurance Sector with Custom Quasar RAT

Since June 2024, the Blind Eagle APT group has been targeting Colombia’s insurance sector with a custom version of the Quasar RAT.

These attacks are usually initiated through phishing emails posing as the Colombian tax authority, which direct victims to malicious links in PDF attachments or in the email body. The payload, named BlotchyQuasar, includes enhanced obfuscation and is designed for data theft, including keylogging.

The group uses compromised routers and VPN nodes to conceal its infrastructure, which resides primarily within Colombia.

Source

Russia & Belarus targeted by hacktivist attacks

In other news related to the Kremlin, Russia-linked GRU Unit 29155 has been behind global cyber operations targeting critical infrastructure since 2020, including espionage, sabotage, and influence campaigns.

The FBI, NSA, and CISA have linked these activities to junior GRU officers gaining experience under senior leadership, often collaborating with cybercriminals.

One notable action was the use of the WhisperGate wiper against Ukrainian organizations in 2022. Unit 29155 exploits vulnerabilities in internet-facing systems, leveraging tools like Raspberry Robin and SaintBot to infiltrate critical sectors.

Source

North Korean Hackers Target Developers with Malicious npm Packages

Turning to North Korea, threat actors there have been observed publishing malicious npm packages. The activity took place between August 12 and 27, 2024, and targeted web developers.

The attack, part of the “Contagious Interview” campaign, involves tricking developers into downloading fake npm packages or video conferencing software, eventually deploying the Python malware InvisibleFerret.

InvisibleFerret exfiltrates sensitive data from cryptocurrency wallet extensions and uses tools like AnyDesk for persistence.

Source