New TetrisPhantom hackers steal data from secure USB drives on govt systems

A new sophisticated threat tracked as 'TetrisPhantom' has been using compromised secure USB drives to target government systems in the Asia-Pacific region. Secure USB drives store files in an encrypted part of the device and are used to safely transfer data between systems, including those in an air-gapped environment. Access to the protected partition is possible through custom software that decrypts the contents based on a user-provided password. Exe, which is bundled on an unencrypted part of the USB drive. Security researchers discovered trojanized versions of the UTetris application deployed on secure USB devices in an attack campaign that has been running for at least a few years and targeting governments in the APAC region. According to the latest Kaspersky's report on APT trends, TetrisPhantom uses various tools, commands, and malware components that indicate a sophisticated and well-resourced threat group. "The attack comprises sophisticated tools and techniques, including virtualization-based software obfuscation for malware components, low-level communication with the USB drive using direct SCSI commands, self-replication through connected secure USB drives to propagate to other air-gapped systems and injection of code into a legitimate access management program on the USB drive which acts as a loader for the malware on a new machine." - Kaspersky. Kaspersky shared additional details with BleepingComputer, explaining that the attack with the trojanized Utetris app starts with executing on the target machine a payload called AcroShell. AcroShell establishes a communication line with the attacker's command and control server and can fetch and run additional payloads to steal documents and sensitive files, and collect specific details about the USB drives used by the target. The threat actors also use the information gathered this way for research and development of another malware called XMKR and the trojanized UTetris. "The XMKR module is deployed on a Windows machine and is responsible for compromising secure USB drives connected to the system to spread the attack to potentially air-gapped systems" - Kaspersky. XMKR's capabilities on the device include stealing files for espionage purposes and the data is written on the USB drives. The information on the compromised USB is then exfiltrated to the attacker's server when the storage device plugs into an internet-connected computer infected with AcroShell. Kaspersky retrieved and analyzed two malicious Utetris executable variants, one used between September and October 2022 and another deployed in government networks from October 2022 until now. Kaspersky says these attacks have been ongoing for at least a few years now, with espionage being TetrisPhantom's constant focus. The researchers observed a small number of infections on government networks, indicating a targeted operation. Discord still a hotbed of malware activity - Now APTs join the fun. New AtlasCross hackers use American Red Cross as phishing lure. Evasive Gelsemium hackers spotted in attack against Asian govt. Ragnar Locker ransomware developer arrested in France.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000


Cyber News related to New TetrisPhantom hackers steal data from secure USB drives on govt systems

New TetrisPhantom hackers steal data from secure USB drives on govt systems - A new sophisticated threat tracked as 'TetrisPhantom' has been using compromised secure USB drives to target government systems in the Asia-Pacific region. Secure USB drives store files in an encrypted part of the device and are used to safely ...
10 months ago Bleepingcomputer.com
How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
1 week ago Aws.amazon.com
Gamaredon's LittleDrifter USB malware spreads beyond Ukraine - A recently discovered worm that researchers call LittleDrifter has been spreading over USB drives infecting systems in multiple countries as part of a campaign from the Gamaredon state-sponsored espionage group. Malware researchers saw indications of ...
10 months ago Bleepingcomputer.com
Persistent Espionage Campaign Targets APAC Governments - Cybersecurity experts at Kaspersky have unveiled a covert and highly advanced espionage campaign, codenamed "TetrisPhantom." The persistent operation has specifically targeted government institutions in the Asia-Pacific region, utilizing a unique ...
10 months ago Infosecurity-magazine.com
CVE-2023-52528 - In the Linux kernel, the following vulnerability has been resolved: ...
7 months ago
CVE-2023-52742 - In the Linux kernel, the following vulnerability has been resolved: net: USB: Fix wrong-direction WARNING in plusb.c The syzbot fuzzer detected a bug in the plusb network driver: A zero-length control-OUT transfer was treated as a read instead of a ...
4 months ago Tenable.com
Optimizing Cybersecurity: How Hackers Use Golang Source Code Interpreter to Evade Detection - Hackers have been upping the stakes when it comes to executing cyberattacks, and an increasingly popular tool in their arsenal is the Golang source code interpreter. Reportedly, the interpreter is used to obfuscate code, thus making it harder for ...
1 year ago Bleepingcomputer.com
New Microsoft Purview features use AI to help secure and govern all your data - More than 90% of organizations use multiple cloud infrastructures, platforms, and services to run their business, adding complexity to securing all data.1Microsoft Purview can help you secure and govern your entire data estate in this complex and ...
10 months ago Microsoft.com
How Hackers Interrupted GTA 5 Online Gameplay on PC - Recently, a cyber-attack on Grand Theft Auto 5 Online on PC caused an interruption to thousands of players’ gameplays. The game was completely taken offline and players couldn’t even access the main gameplay menu. The attack caused an uproar ...
1 year ago Hackread.com
The Embedded Systems and The Internet of Things - The Internet of Things is a quite new concept dealing with the devices being connected to each other and communicating through the web environment. This concept is gaining its popularity amongst the embedded systems that exist - let's say - 10 or ...
9 months ago Cyberdefensemagazine.com
Creating a New Market for Post-Quantum Cryptography - A day in the busy life of any systems integrator includes many actions that revolve around the lifeblood of its business - its customers. Systems integrators help solve evolving customer business challenges, which in turn adds partner value. It's a ...
9 months ago Securityboulevard.com
CVE-2024-38565 - In the Linux kernel, the following vulnerability has been resolved: wifi: ar5523: enable proper endpoint verification Syzkaller reports [1] hitting a warning about an endpoint in use not having an expected type to it. Fix the issue by checking for ...
3 months ago Tenable.com
Zero Trust Security: How to Secure Critical Infrastructure - Zero trust security is a critical component of any organization's security strategy that enables organizations to protect their data and systems from malicious actors, cyber threats, and unauthorized access. With the ever-evolving cyber threats ...
1 year ago Csoonline.com
Holiday Hackers: How to Safeguard Your Service Desk - Hackers really don't take holidays, but they will take advantage of them. Many of these cyberattacks will zero in on the service or help desk to gain entry into network systems. Recovering accounts because of forgotten passwords is one of the ...
10 months ago Bleepingcomputer.com
IT and OT cybersecurity: A holistic approach - In comparison, OT refers to the specialized systems that control physical processes and industrial operations. OT Technologies include industrial control systems, SCADA systems and programmable logic controllers that directly control physical ...
9 months ago Securityintelligence.com
Google: Hackers exploited Zimbra zero-day in attacks on govt orgs - Google's Threat Analysis Group has discovered that threat actors exploited a zero-day vulnerability in Zimbra Collaboration email server to steal sensitive data from government systems in multiple countries. Hackers leveraged a medium-severity ...
10 months ago Bleepingcomputer.com
Boost Your Computer Security: How PlugX Malware Hides On USB Devices - In recent weeks, a malicious piece of malware called PlugX has been detected on USB thumb drives. This malware hides itself on USB devices, so that when a new Windows-hosts is plugged into the device, it can infect the host. This makes PlugX a ...
1 year ago Bleepingcomputer.com
Secure Workload and Secure Firewall: The recipe for a robust zero trust cybersecurity strategy - You hear a lot about zero trust microsegmentation these days and rightly so. While a host-based enforcement approach is immensely powerful because it provides access to rich telemetry in terms of processes, packages, and CVEs running on the ...
9 months ago Feedpress.me
Penetration Testing for Sensitive Data Exposure in Enterprise Networks: Everything You Need to Know! - The amount of data enterprises store is much bigger than SMBs. A lot of this data includes sensitive information of customers and clients such as bank details, social security numbers, emails, contact numbers, etc. For those new to data security, ...
9 months ago Securityboulevard.com
CISA orders agencies impacted by Microsoft hack to mitigate risks - CISA has issued a new emergency directive ordering U.S. federal agencies to address risks resulting from the breach of multiple Microsoft corporate email accounts by the Russian APT29 hacking group. It requires them to investigate potentially ...
5 months ago Bleepingcomputer.com
CVE-2021-47472 - In the Linux kernel, the following vulnerability has been resolved: net: mdiobus: Fix memory leak in __mdiobus_register Once device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it will cause memory leak. ...
4 months ago Tenable.com
North Korean Hackers Use Fake Job Offers & Salary Bumps as Lure for Crypto Theft - Recent investigations have uncovered a massive operation carried out by North Korean hackers looking to steal cryptocurrency through fake job offers and salary bumps. According to recent reports, hackers have been able to trace the malicious ...
1 year ago Therecord.media
Top 10 Endpoint Security Best Practices That Help Prevent Cyberattacks - Endpoints are one of the hackers` favorite gates to attacking organizations` networks. Setting foot into only one of the connected devices can open the way for threat actors to deploy malware, launch phishing attacks, and steal data. Antiviruses are ...
1 year ago Heimdalsecurity.com
Beyond DLP: Embracing a Multi-Layered Strategy for Personal Data Security - Data, especially personal data, drives the digital world. While digital systems continuously gather and use personal data to enhance user experience, there is a significant issue. The alarming frequency of data breaches indicates that the methods ...
9 months ago Securityboulevard.com
Preparing for Q-Day as NIST nears approval of PQC standards - Q-Day-the day when a cryptographically relevant quantum computer can break most forms of modern encryption-is fast approaching, leaving the complex systems our societies rely on vulnerable to a new wave of cyberattacks. While estimates just a few ...
3 months ago Helpnetsecurity.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)