RL Blog
|

The Week in Cybersecurity: Cyber espionage operation fueled for months by targeted phishing attacks

Carolynn van Arsdale
Blog Author

Carolynn van Arsdale, Writer, ReversingLabs. Read More...

targeted-phishing

Welcome to the latest edition of The Week in Cybersecurity, which brings you the newest headlines from both the world and our team about the most pressing topics in cybersecurity. This week: a China-linked cyber espionage campaign targets critical entities in Australia and the South China Sea, password manager LastPass gets hacked (again), and more.     

This week’s top story

A cyber espionage operation has been underway for months thanks to the use of targeted phishing attacks

Security Affairs reports that a China-linked advanced persistent threat (APT) group known as TA423 (also known as Red Ladon) has pulled off a cyber espionage campaign from April to June of this year. They have primarily targeted Australian entities, such as government agencies and news media companies. Additionally, the group heavily targeted global heavy industry manufacturers that conduct the maintenance of wind turbines in the areas surrounding the South China Sea. 

Threat intelligence researchers from Proofpoint and PwC released a report sharing details of the operation this week. Researchers claim that TA423 utilized a fake Australian news website to deliver the ScanBox exploitation framework to victims. Multiple China-linked APT groups have served ScanBox in the past, including Stone Panda APT, TA413, and LuckyMouse. ScanBox allows a threat actor to harvest information on a victim’s network, making it a useful cyber espionage tool for threat actors. 

The sender of these suspicious emails posed as an employee of the “Australian Morning News,” a made-up media company. The emails also contained subjects like “sick leave,” “user research,” and “request cooperation.” The email then contained a malicious link that if clicked, would prompt the serving of ScanBox to a victim’s environment. 

TA423’s recent campaign shows that regardless of the cyber operation, whether it be a ransomware attack or cyber espionage, that targeted phishing attacks which utilize social engineering techniques are unfortunately a successful technique for threat actors. 

News roundup

Here are the stories we’re paying attention to this week… 

LastPass hacked (again): What devs can learn (develop.secure.software)

Bad actors stole source code and other secrets from the huge password-manager firm’s dev environment. But not, it stresses, anyone’s passwords — as far as it can tell. The moral of the story? Devs should never rely on security by obscurity. 

Hackers hide malware in stunning images taken by James Webb Space Telescope (The Hacker News)

A persistent Golang-based malware campaign dubbed GO#WEBBFUSCATOR has leveraged the deep field image taken from NASA's James Webb Space Telescope (JWST) as a lure to deploy malicious payloads on infected systems.

WordPress 6.0.2 patches vulnerability that could impact millions of legacy sites (Security Week)

Identified in the WordPress Link functionality, previously known as ‘Bookmarks’, the issue only impacts older installations, as the capability is disabled by default on new installations. However, the functionality might still be enabled on millions of legacy WordPress sites even if they are running newer versions of the CMS.

Student loan breach exposes 2.5 million records (ThreatPost)

EdFinancial and the Oklahoma Student Loan Authority (OSLA) are notifying over 2.5 million loanees that their personal data was exposed in a data breach.

1.4 million users install Chrome extensions that inject code into eCommerce sites (Security Week)

With a total install base of over 1.4 million, the extensions can modify cookies on eCommerce websites so that their creator receives affiliate payments for the purchased items, without the victim’s knowledge.

Tentacles of 'Oktapus' threat group victimize 130 firms (ThreatPost)

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organizations being compromised. The campaigns are tied to focused abuse of identity and access management firm Okta, which gained the threat actors the 0ktapus moniker, by researchers.

Malicious plugins found on 25,000 WordPress websites (Security Week)

An analysis of nightly backups of more than 400,000 unique web servers has revealed the existence of more than 47,000 malicious plugins installed on nearly 25,000 unique WordPress websites. More than 94% of these plugins (over 44,000) continue to be in use today.

More Blog Posts

Do More With Your SOAR

Do More With Your SOAR

Running an SOC is complex — and running without the best tools makes it more difficult. Learn how RL File Enrichment can automate and bolster your SOC.
Read More