
APT

Large phishing campaign targets EMEA and APAC governments


Researchers from cybersecurity firm Cyjax uncovered a large phishing campaign targeting multiple government departments in APAC and EMEA countries.

The phishing campaign has been ongoing since spring 2020, when the domains were first transferred to their current host. At the time of discovery, 15 phishing pages were still active, targeting the governments of Kyrgyzstan, Belarus, Georgia, Turkmenistan, Ukraine, Uzbekistan, and Pakistan.

“The domains in this campaign typically began with “mail.” and often contained the targeted government department’s real domain in full as a hostname on the attacker’s domain. Only five domains were registered by the attackers in this campaign: either through Tucows or PublicDomainRegistry; using either OVH SAS or VDSINA to host the sites.” reads the analysis published by the experts.

In other words, the attackers registered only a handful of domains of their own and built each phishing hostname by prepending “mail.” and the victim department’s real domain, in full, as subdomain labels beneath the attacker-controlled domain. The genuine domain therefore appears intact in the address bar even though the registrable domain is the attacker’s.
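That naming pattern is easy to overlook on a phone screen but simple to check for mechanically: a trusted domain appears as a contiguous run of whole labels, yet the hostname’s registrable domain belongs to someone else. The following Python is an added example and is not code from Cyjax or from this article; the trusted domains, the stand-in public-suffix set and every sample hostname are constructed for illustration and are not indicators from the campaign.

```python
"""Flag hostnames that embed a legitimate domain in full as subdomain labels
under an unrelated (attacker-controlled) registrable domain, the naming
pattern described above. Added illustration, not Cyjax's tooling; the
legitimate domains, suffix set and hostnames below are constructed."""

# Constructed stand-in for the Public Suffix List: second-level suffixes
# under which third parties register names, so the registrable domain is
# three labels long. A real deployment should use the full PSL
# (e.g. the publicsuffix2 package) instead of this hard-coded set.
MULTI_LABEL_SUFFIXES = {"gov.uz", "gov.by", "gov.ua", "gov.kg", "gov.ge",
                        "gov.tm", "gov.pk", "co.uk"}

# Constructed list of domains an organisation trusts and wants to watch for.
LEGIT_DOMAINS = ["mfa.gov.uz", "minfin.gov.by", "mail.ru"]


def normalize(hostname: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are label-exact."""
    return hostname.strip().lower().rstrip(".")


def registrable_domain(hostname: str) -> str:
    """Return the registrable (apex) domain: the last two labels, or three
    when the last two form a known multi-label suffix such as gov.uz."""
    labels = normalize(hostname).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def embedded_legit_domains(hostname: str, legit_domains) -> list:
    """Legitimate domains that appear, as a contiguous run of whole labels,
    inside hostname while hostname itself is registered elsewhere.

    A genuine subdomain (mail.mfa.gov.uz) is not reported because its apex
    is the legitimate domain itself; label-wise matching also means that
    'fa.gov.uz' does not match inside 'mfa.gov.uz'."""
    host = normalize(hostname)
    apex = registrable_domain(host)
    labels = host.split(".")
    hits = []
    for legit in legit_domains:
        legit_labels = normalize(legit).split(".")
        if registrable_domain(legit) == apex:
            continue  # the real domain, or a real subdomain of it
        n = len(legit_labels)
        if any(labels[i:i + n] == legit_labels
               for i in range(len(labels) - n + 1)):
            hits.append(legit)
    return hits


def triage(hostnames, legit_domains) -> list:
    """Score each hostname (from DNS logs, proxy logs or CT entries)."""
    rows = []
    for h in hostnames:
        host = normalize(h)
        embeds = embedded_legit_domains(host, legit_domains)
        rows.append({
            "hostname": host,
            "apex": registrable_domain(host),
            "embeds": embeds,
            "mail_prefix": host.startswith("mail."),
            "suspicious": bool(embeds),
        })
    return rows


# Constructed sample hostnames; none are real campaign indicators.
SAMPLE_HOSTNAMES = [
    "mail.mfa.gov.uz",                        # genuine subdomain
    "MAIL.mfa.gov.uz.example-hosting.net.",   # legit domain embedded
    "mail.minfin.gov.by.mail-login.example",  # legit domain embedded
    "webmail.example-hosting.net",            # unrelated, nothing embedded
    "mfa-gov-uz.example-hosting.net",         # hyphenated lookalike: not this check
]

if __name__ == "__main__":
    for row in triage(SAMPLE_HOSTNAMES, LEGIT_DOMAINS):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"{flag:10} {row['hostname']:40} apex={row['apex']} "
              f"embeds={row['embeds']} mail_prefix={row['mail_prefix']}")
```

Feed it hostnames harvested from Certificate Transparency logs, passive DNS or proxy logs for the departments you protect. The check only catches the full-domain-as-subdomain pattern described here; hyphenated or homoglyph lookalikes (the last sample) need a separate similarity check, and the hard-coded suffix set must be replaced by the real Public Suffix List before use, or names under suffixes like gov.uz will be split incorrectly.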

The phishing pages were crafted to look like the legitimate sites of various ministries within the targeted governments, including departments of energy, finance, and foreign affairs. Other pages analyzed by the researchers posed as the Pakistan Navy, the Main Intelligence Directorate of Ukraine, and the Mail.ru email service.

Ministries of Foreign Affairs were the primary target, making up one-quarter of domains.


Experts believe the main targets of the campaign were Belarus, Ukraine, and Uzbekistan, since the largest number of phishing pages targeted these countries.

The nature of the targets and the attackers’ TTPs suggest that the campaign was orchestrated by a nation-state threat actor.

The experts observed that many of the targeted countries are Russian satellites, or Russia itself, and that financially motivated cybercrime groups usually avoid such targets so as not to draw the attention of local law enforcement.

Analysis of one of the OVH IP addresses used by the threat actors (145.239.23.7) revealed a potential link to Operation TrickyMouse, a campaign launched against Ukraine by Sandworm during the COVID-19 pandemic.

“The targeting more generally suggests that this could be the work of an advanced persistent threat (APT) working on behalf of a nation-state. While it is, however, possible that this could be a cybercriminal campaign looking to serve as an access broker on underground forums, many of the countries targeted are Russian satellites or Russia itself, countries that many cybercriminals do not target to prevent attention from local law enforcement.” concludes the analysis. “Considering the narrow targeting and lack of immediate financial benefit, therefore, we believe this activity is more aligned to a state-sponsored APT campaign.”


Pierluigi Paganini

(SecurityAffairs – hacking, phishing)
