apt group trends 0ct
APT_Groups_of_Oct-2023

Here are some of the most active APT Group trends in Sept-2023:

Week 40: Oct. 2, 2023 to Oct. 8, 2023

1. RedHotel: 5th Oct 2023

Since at least 2019, the Chinese government has funded the RedHotel APT Group, an advanced persistent threat (APT) organization. The gang is well-known for carrying out intricate attacks against international governments, corporations, and academic institutions.

Origin Country: China

Read RedHotel in detail: https://hack2interesting.com/apt-group-trends-in-sept-2023/

Source: https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia#a8

2. Unknown actor: 4th Oct 2023

The potential for unknown individuals to employ cutting-edge tactics that security software is unable to identify makes them every bit as hazardous as known threat actors. Unknown actors may also be operating from nations not well-known for their involvement in cybercrime, which makes it more challenging to find and prosecute them.

Industries Targeted: Software Development

Risk: Supply chain attack

Source: https://www.reversinglabs.com/blog/r77-rootkit-typosquatting-npm-threat-research

Week 41: Oct. 9, 2023 to Oct. 15, 2023

1. Vulnerabilities and Misconfigurations Linked to Ransomware: 12th Oct 2023

Vulnerabilities and misconfigurations are two of the most common ways that ransomware actors gain access to victim networks

Vulnerabilities are flaws in hardware or software that an attacker could use to enter a system without authorization. Some common weaknesses are as follows:

  • Unpatched programs
  • Protocol for Remote Desktop (RDP)
  • Block Message Server (SMB)
  • Protocol for File Transfer (FTP)

Misconfigurations are errors in the configuration of software or hardware that can be exploited by attackers to gain unauthorized access to a system. Common misconfigurations include:

  • Default credentials
  • Weak passwords
  • Disabled security features

Source: https://www.cisa.gov/stopransomware/misconfigurations-and-weaknesses-known-be-used-ransomware-campaigns

Source: https://www.cisa.gov/news-events/news/ransomware-vulnerability-warning-pilot-updates-now-one-stop-resource-known-exploited-vulnerabilities

2. Stayin’ Alive: 11th Oct 2023

Since at least 2021, the cyberespionage campaign Stayin’ Alive has been aimed at prominent government and telecom organizations in Asia. The ad is thought to be connected to ToddyCat, an APT outfit with Chinese ties.

Spear-phishing emails are used in the Stayin’ Alive campaign to distribute archived files that are infected with DLLs. To remain persistent on the compromised system, these DLLs are side-loaded into authentic Windows programs, including Audinate’s Dante Discovery program.

The malware can steal confidential information, including documents, passwords, and network credentials, once it has been deployed. Additionally, the software gives the attackers complete control over the device by allowing it to run arbitrary commands on the compromised system.

Industries Targeted:

  • telecom
  • government sectors

Countries targeted:

  • Vietnam
  • Uzbekistan
  • Pakistan
  • Kazakhstan

Source: https://blog.checkpoint.com/security/unveiling-stayin-alive-a-closer-look-at-an-ongoing-campaign-in-asia-targeting-telecom-and-governmental-entities/?utm_source=bambu-unpaid&utm_medium=social-media&blaid=5174381

3. Grayling: 11th Oct 2023

First discovered by Symantec in 2023, the Grayling APT group is an advanced persistent threat (APT) group that was previously undisclosed. Organizations in Taiwan, the US, Vietnam, and the Pacific Islands have been the group’s targets.

The Grayling APT group is renowned for employing a range of methods, such as the following, to obtain access to victim systems:

  1. email attachments that are harmful and spear-phishing
  2. utilizing software’s acknowledged vulnerabilities
  3. obtaining sensitive information from victims by deceiving them with social engineering tactics

Industries Targeted:

  • Manufacturing
  • IT
  • biomedical sectors
  • Government

Source: https://cyware.com/news/a-new-threat-on-the-horizon-the-grayling-apt-group-202a589d

4. ToddyCat: 13th Oct 2023

Since 2020, ToddyCat is an advanced persistent threat (APT) group with ties to China. The gang has mostly targeted government and telecom organizations in Europe and Asia.

ToddyCat has a reputation for breaking into victim systems and stealing confidential information by employing a range of clever strategies. The gang has been seen tricking victims into disclosing critical information using spear-phishing emails, taking advantage of software flaws that are well-known, and other social engineering tactics.

Origin Country: China

Source: https://www.csoonline.com/article/655709/chinese-apt-group-toddycat-launches-new-cyber-espionage-campaigns.html

Week 42: Oct. 16, 2023 to Oct. 22, 2023

1. Russian and Chinease APTs exploiting Winrar CVE-2023-38831: Oct 18, 2023

According to Google’s Threat Analysis Group (TAG), threat actors with ties to China and Russia are taking advantage of a high-severity vulnerability in WinRAR. Attackers can use the vulnerability, CVE-2023-38831, to conceal harmful scripts in archive files that pretend to be text documents or pictures that seem innocent.

TAG has discovered that threat actors from China and Russia are utilizing the WinRAR vulnerability to distribute a range of malware payloads, such as ransomware, information stealers, and remote access trojans. The infected archive files are being distributed by the attackers via a number of techniques, including as spear-phishing emails, hacked websites, and social media.

Industries Targeted: energy sector

Targeted Vulnerability: CVE-2023-38831

Source: https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/

2. Diamond Sleet: October 19, 2023

Active since at least 2017, Diamond Sleet is an advanced persistent threat (APT) group linked with North Korea. The gang is well-known for their highly skilled assaults and devious tactics.

The groups that Diamond Sleet has targeted include financial institutions, governments, and tech firms. The organization has been seen employing a range of strategies to break into victim systems and pilfer private information.

Targeted Vulnerability: CVE-2023-42793

Risk:

  • Software Supply Chain
  • Targeted Software

3. OilRig, APT34: October 19, 2023

OilRig, also known as APT34, Helix Kitten, and Chrysene, is an Iranian-backed advanced persistent threat (APT) group that has been active since at least 2014. The group has targeted a wide range of organizations, including governments, financial institutions, and energy companies.

Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government