
India and Pakistan hit by state-sponsored cyber espionage campaign


The security firm Symantec has discovered another cyber espionage campaign against India and Pakistan which is likely to be state-sponsored.

Security experts at Symantec have uncovered a sustained cyber spying campaign against Indian and Pakistani entities involved in regional security issues.

The nature of the targets and the threat actors’ techniques suggest it is a state-sponsored campaign likely powered by several groups of hackers.

“The campaign appeared to be the work of several groups, but tactics and techniques used suggest that the groups were operating with ‘similar goals or under the same sponsor’, probably a nation state, according to the threat report, which was reviewed by Reuters. It did not name a state.” reported Reuters.

According to a threat intelligence report that Symantec sent to clients in July, the cyber espionage campaign dates back to October 2016.

The experts speculate the involvement of several groups that shared TTPs operating with “similar goals or under the same sponsor.”

The cyber espionage campaign was uncovered while tensions in the region are rising.

India’s military is intensifying operational readiness along the border with China following a face-off in Bhutan near their disputed frontier, at the same time tensions are rising between India and Pakistan over the disputed Kashmir region.

The threat actors appear focused on governments and militaries with operations in South Asia and interests in regional security issues. Attackers leverage the “Ehdoor” backdoor to gain control over infected machines.

Backdoor.Ehdoor is a Trojan horse first spotted in September 2016; it was initially used to target government, military and military-affiliated entities in the Middle East and elsewhere.

The Ehdoor backdoor opens a back door on the compromised computer, steals information, and downloads potentially malicious files onto it.

“There was a similar campaign that targeted Qatar using programs called Spynote and Revokery,” said a security expert, who requested anonymity. “They were backdoors just like Ehdoor, which is a targeted effort for South Asia.”

According to the Symantec report, attackers used decoy documents related to security issues in South Asia to deliver the malware. The malware was also being used to target Android devices.

“The documents included reports from Reuters, Zee News, and the Hindu, and were related to military issues, Kashmir, and an Indian secessionist movement.” states Reuters.

“The malware allows spies to upload and download files, carry out processes, log keystrokes, identify the target’s location, steal personal data, and take screenshots, Symantec said, adding that the malware was also being used to target Android devices.”


Gulshan Rai, the director general of CERT-In, did not comment on the cyber espionage campaign, but he said: “We took prompt action when we discovered a backdoor last October after a group in Singapore alerted us.”

According to malware researchers at Symantec, the backdoor was continuously improved over time to implement “additional capabilities” for spying operations.

“A senior official with Pakistan’s Federal Investigation Agency said it had not received any reports of malware incidents from government information technology departments. He asked not to be named due to the sensitivity of the matter.” continues Reuters.

“A spokesman for FireEye, another cybersecurity company, said that based on an initial review of the malware, it had concluded that an internet protocol address in Pakistan had submitted the malware to a testing service. The spokesman requested anonymity, citing company policy.”


Pierluigi Paganini

(Security Affairs – backdoor, India)
