Posts

Showing posts with the label espionage

CTI Project: Threats Leveraging Legitimate Services

Legitimate third-party Platform-as-a-Service (PaaS) providers are increasingly being leveraged by threat actors for phishing and malware deployment. PaaS providers such as cloud instances, marketing platforms, content delivery networks (CDN), and dynamic DNS servers have been weaponised for a range of malicious activities. One of the key benefits for attackers is that these services can be used to evade detection systems, because their established trust and legitimate usage make them far less likely to be pre-emptively blocked. Many of these malware and phishing campaigns also combine multiple platforms simultaneously, making them particularly difficult for human analysts and automated systems to identify as malicious activity. The research in this blog details how cybercriminals leverage these systems as credential harvesting pages, payload hosting sites, redirector links, C&C servers, "dead drop resolvers", and for data exfiltrati...

Dead Drop Resolvers - Espionage Inspired C&C Communication

A “dead drop” is a well-known espionage tactic for passing items or information between two parties using secret locations. The two parties never meet, and any sign of communication is concealed. The tactic is commonly used by intelligence officers to interact with their assets in the field without holding suspicious meetings or being caught talking to each other. For decades, intelligence agencies have used dead drops. Two infamous double agents from the CIA and FBI - Aldrich Ames and Robert Hanssen respectively - both used dead drops to supply information to their handlers from the Soviet Union. Cyber adversaries have also adapted this technique for their espionage campaigns. However, instead of a human source, state-backed computer network operations (CNOs) have leveraged legitimate services for covert communications, so-called “dead drop resolvers”. In October 2019, ESET Research disclosed a report on Operation Ghost Dukes which detailed the activities of an APT...

Amadey Trojan distributed by DPRK-affiliated APT groups

Malicious Word documents titled “Pyongyang stores low on foreign goods amid North Korean COVID-19 paranoia.doc” were recently uploaded to malware submission sites such as ANY.RUN, VMRay, and VirusTotal. Analysis of the Word documents revealed that a VBA macro is used to drop a secondary payload and connect the infected device to the adversary’s command and control (C&C) server. The malware used in this attack is detected as the Amadey Trojan, a commodity tool used for credential harvesting and remote control by threat actors of all skill levels. The payload is hosted on a compromised website and is retrieved by the Amadey Trojan once the malicious macros are enabled. VirusTotal campaign graph: Analysis: Commodity malware, such as the Amadey Trojan, is a concern because it does not require its operator to have any development capability, only the capacity to deploy it. This increases the number of potential attackers in the ecosystem. Furthermore, commodit...

Fantastic APTs and Where to Find Them

Sophisticated computer security breaches in some of the most heavily defended networks around the world have been orchestrated by so-called Advanced Persistent Threat (APT) groups. Many of these APTs operate on behalf of a nation state’s intelligence agency or military. They can even be private sector hacking groups hired for specific operations. An APT group specialises in gaining access, maintaining it, and executing post-exploitation activities while remaining undiscovered. There are also many types of APT attack campaigns. These include, but are not limited to, intelligence gathering operations, intellectual property theft, sabotage and data destruction, and exploitation for financial gain. Intelligence gathering, cyber-espionage: One such APT that exemplifies this type of behaviour is known as the Naikon APT group. In May 2020, Check Point disclosed new evidence of an ongoing cyber-espionage campaign against several national government entities in the Asia Pacific (APAC) ...

Eagle vs. Dragon: The Escalation of Transpacific Cyber Espionage

“Cyber espionage is a form of cyber attack that steals classified, sensitive data or intellectual property to gain an advantage over a competitive company or government entity.” - VMWare Carbon Black

Recent news surrounding cyber espionage acts attributed to the US and China has reinvigorated my interest in the state of cyber relations between the two superpowers. It all started with APT1’s disclosure by Mandiant back in 2004. Ever since, Chinese cyber espionage campaigns have been waged against the US and the Western world. It is now well-documented that the Chinese government has state-sponsored hacking groups to infiltrate companies holding some of the most valuable intellectual property out there. China may justify this how it chooses, but the fact remains that the government is still targeting private enterprises to steal sensitive information and industrial secrets. However, the US has also partaken in its fair share of cyber espionage directly against Chinese gove...