Turla APT Group Attacking European Ministry of Foreign Affairs | CyberSecurityBoard

Turla APT Group Attacking European Ministry of Foreign Affairs

LunarWeb and LunarMail were used to compromise a European MFA and its diplomatic missions.
The analysts do not know the password, but the file sizes match the Stage 1 loader and the Stage 2 blob containing the LunarWeb backdoor.

MITRE ATT&CK techniques

Execution
  T1047      Windows Management Instrumentation               LunarWeb obtains system information by using WMI queries.

Persistence
  T1547      Boot or Logon Autostart Execution                A LunarWeb loader is persisted as a Group Policy extension.
  T1574      Hijack Execution Flow                            A LunarWeb loader is persisted by replacing the system DLL tapiperf.

Defense Evasion
  T1027      Obfuscated Files or Information                  LunarWeb and LunarMail are AES-256 encrypted on disk.
  T1036.005  Masquerading: Match Legitimate Name or Location  Filenames used by the LunarWeb and LunarMail loading chains mimic legitimate files.
  T1070.004  Indicator Removal: File Deletion                 LunarWeb and LunarMail can uninstall themselves by deleting their loading chain.
  T1140      Deobfuscate/Decode Files or Information          LunarWeb and LunarMail decrypt their strings using RC4.
  T1480      Execution Guardrails                             (description missing from this excerpt)
  T1620      Reflective Code Loading                          LunarWeb and LunarMail are executed using a reflective loader.

Discovery
  T1082      System Information Discovery                     LunarWeb retrieves system information such as OS version, BIOS version, domain name, and environment variables.
  T1518.001  Software Discovery: Security Software Discovery  LunarWeb discovers installed security solutions via the WMI query wmic /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get *.

Collection
  T1005      Data from Local System                           (description missing from this excerpt)
  T1560.002  Archive Collected Data: Archive via Library      LunarWeb and LunarMail use a statically linked Zlib library to compress collected data.

Command and Control
  T1001.002  Data Obfuscation: Steganography                  LunarWeb can receive commands hidden in JPG or GIF images.
  T1001.003  Data Obfuscation: Protocol Impersonation         LunarWeb impersonates legitimate domains in C&C communications by using a fake Host header and known URIs.
  T1132.001  Data Encoding: Standard Encoding                 LunarWeb may receive base64-encoded data from the C&C server.
  T1573.002  Encrypted Channel: Asymmetric Cryptography       LunarWeb and LunarMail encrypt the AES key used in C&C communications using RSA-4096.

Exfiltration
  T1020      Automated Exfiltration                           LunarWeb and LunarMail automatically exfiltrate collected data to the C&C server.
  T1030      Data Transfer Size Limits                        LunarWeb splits exfiltrated data above 1.33 MB into multiple smaller chunks.
  T1041      Exfiltration Over C2 Channel                     LunarWeb and LunarMail exfiltrate data over the C&C channel.
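Three of the host-side techniques in the mapping leave ordinary endpoint telemetry behind: the SecurityCenter2 WMI query (T1518.001), registration of a Group Policy client-side extension DLL (T1547), and a write to the system DLL tapiperf.dll by something other than Windows servicing (T1574). The following is an added example written for this page, not code from ESET or from the original article: a small Python hunt over Sysmon-style JSON events. The event records, the extension GUID, the DLL name gpsvcx.dll and the allow-list of servicing processes are constructed for the example and are not real telemetry.

```python
"""Hunt for the host-side LunarWeb tradecraft listed above in Sysmon-style
JSON events: the SecurityCenter2 WMI query (T1518.001), registration of a
Group Policy client-side extension DLL (T1547) and a write to the system DLL
tapiperf.dll by something other than Windows servicing (T1574).

All events below are constructed for this example; they are not real telemetry.
"""
import json
import re

# Group Policy client-side extensions are registered under this key; each
# extension is a {GUID} subkey whose DllName value names the DLL Winlogon loads.
GPEXT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions"

# The AV enumeration from the table, matched loosely so argument order,
# letter case or extra whitespace does not break the rule.
AV_QUERY = re.compile(r"root\\securitycenter2\b.*\bantivirusproduct\b", re.IGNORECASE)

TAPIPERF = r"c:\windows\system32\tapiperf.dll"

# Processes allowed to replace files under System32 (assumption for this
# example; tune to the servicing tooling actually used in your estate).
SERVICING_IMAGES = {
    r"c:\windows\servicing\trustedinstaller.exe",
    r"c:\windows\system32\msiexec.exe",
}

# Constructed sample: one process-creation (EventID 1), registry value-set
# (EventID 13) and file-creation (EventID 11) record per technique, plus two
# benign records that must not fire. The GUID and gpsvcx.dll are invented.
SAMPLE_JSONL = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "wmic /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get *"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic os get caption"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions\\{1A2B3C4D-0000-4000-8000-000000000001}\\DllName", "Details": "C:\\Windows\\System32\\gpsvcx.dll"}
{"EventID": 11, "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe", "TargetFilename": "C:\\Windows\\System32\\tapiperf.dll"}
{"EventID": 11, "Image": "C:\\Windows\\Temp\\setup.exe", "TargetFilename": "C:\\Windows\\System32\\tapiperf.dll"}
"""


def parse_events(jsonl):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def hunt(events):
    """Return one finding per matching event, tagged with its ATT&CK ID."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 1 and AV_QUERY.search(ev.get("CommandLine", "")):
            findings.append({
                "technique": "T1518.001",
                "reason": "SecurityCenter2 AntiVirusProduct enumeration",
                "image": image, "parent": ev.get("ParentImage"),
                "detail": ev["CommandLine"],
            })
        elif eid == 13:
            # Any DllName written under GPExtensions is worth a look: new
            # client-side extensions are rare outside software installs.
            target = ev.get("TargetObject", "")
            if (target.lower().startswith(GPEXT_KEY.lower())
                    and target.lower().endswith("\\dllname")):
                findings.append({
                    "technique": "T1547",
                    "reason": "Group Policy client-side extension DLL registered",
                    "image": image, "detail": ev.get("Details"),
                })
        elif eid == 11:
            if (ev.get("TargetFilename", "").lower() == TAPIPERF
                    and image.lower() not in SERVICING_IMAGES):
                findings.append({
                    "technique": "T1574",
                    "reason": "tapiperf.dll written outside Windows servicing",
                    "image": image, "detail": ev["TargetFilename"],
                })
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_JSONL)):
        print(f"{f['technique']:10} {f['reason']:55} {f['image']}")
```

The T1547 rule is intentionally broad: it reports every DllName registration under GPExtensions and leaves triage (signer, file age, parent process) to the analyst, because a signature check cannot be done offline from the event alone. The T1574 rule is the inverse, an allow-list of servicing processes, since a legitimate replacement of tapiperf.dll should only ever come from Windows Update or an installer.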


This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 15 May 2024 13:40:04 +0000


Cyber News related to Turla APT Group Attacking European Ministry of Foreign Affairs

Palo Alto Reveals New Features in Russian APT Turla's Kazuar Backdoor - The latest version of the Kazuar backdoor could be more sophisticated than previously imagined, according to Palo Alto Networks. The Kazuar backdoor was used by the Russian hacking group Turla to target the Ukrainian defense sector in July 2023, the ...
1 year ago Infosecurity-magazine.com Turla
Russian APT Turla Wields Novel Backdoor Malware Against Polish NGOs - Russia-sponsored advanced persistent threat group Turla is now targeting Polish NGOs in a cyberespionage campaign that uses a freshly developed backdoor with modular capabilities, signaling an expansion of the scope of its attacks against supporters ...
1 year ago Darkreading.com Turla
In Other News: MediSecure Hack, Scattered Spider Targeted by FBI, New Wi-Fi Attack - SecurityWeek's cybersecurity news roundup provides a concise compilation of noteworthy stories that might have slipped under the radar. Each week, we curate and present a collection of noteworthy developments, ranging from the latest vulnerability ...
1 year ago Securityweek.com CVE-2023-52424 Scattered Spider Turla LockBit
State-Sponsored APT Groups Use Ransomware Tactics for Intelligence Gathering and Sabotage - State-sponsored threat groups are increasingly using ransomware-like tactics to hide more insidious activities. Russian APT group Sandworm has used ransomware programs to destroy data multiple times in the past six months, while North Korea's Lazarus ...
2 years ago Csoonline.com Andariel APT3 APT37 APT38 Kimsuky Lazarus Group BianLian
What is an advanced persistent threat? - An advanced persistent threat is a prolonged and targeted cyber attack in which an intruder gains access to a network and remains undetected for an extended period. APT attacks are initiated to steal highly sensitive data rather than cause damage to ...
1 year ago Techtarget.com Cozy Bear APT29
European firms urge China to give more clarity on data transfer laws - AP Moeller - Maersk A/S Siemens AG BEIJING, Nov 15 - European firms "Urgently" need China to give clearer definitions of key terms in its cross-border data transfer rules, a European business lobby group said on Wednesday, warning firms also stood to ...
1 year ago Reuters.com
iSoon's Secret APT Status Exposes China's Foreign Hacking Machination - A trove of leaked documents has revealed the Chinese government works with private sector hackers to spy on foreign governments and companies, domestic dissidents, ethnic minorities, and more. On Feb. 16, an anonymous individual with unknown motives ...
1 year ago Darkreading.com Aquatic Panda
Microsoft Cloud Users Store Personal Data In Europe - In effort to resolve privacy worries, Microsoft is to allow its cloud customers to store all personal data within EU. Microsoft has confirmed that it will allow cloud customers to store all their personal data within the European Union, in an effort ...
1 year ago Silicon.co.uk
Beijing fosters foreign influencers to spread its propaganda The Register - China is offering foreign influencers access to its vast market in return for content that sings its praises and helps to spread Beijing's desired narratives more widely around the world, according to think tank the Australian Strategic Policy ...
1 year ago Theregister.com
Key Group uses leaked builders of ransomware and wipers | Securelist - The first discovered sample of Key Group, the Xorist ransomware, established persistence in the system by changing file extension associations. The .huis_bn extension added to encrypted files in the early versions of Key Group samples, Xorist and ...
11 months ago Securelist.com
Thai officials restore Ministry of Labor website after hack, defacement | The Record from Recorded Future News - The website for Thailand’s Ministry of Labor has been restored after hackers defaced the site and allegedly stole government data. When the group defaced the Ministry of Labor website, they claimed to have been active in the organization’s ...
1 month ago Therecord.media Dragonforce Ransomhub Qilin
North Korea-linked APT Kimsuky targeted German defense firm Diehl Defence - North Korea-linked APT group Kimsuky has been linked to a cyberattack on Diehl Defence, a defense firm specializing in the production of advanced military systems. “Researchers from Mandiant, a Google subsidiary, uncovered and analyzed a ...
11 months ago Securityaffairs.com Kimsuky
Latvia confirms phishing attack on Ministry of Defense, linking it to Russian hacking group - The Russian cyber-espionage group known as Gamaredon may have been behind a phishing attack on Latvia's Ministry of Defense last week, the ministry told The Record on Friday. Hackers sent malicious emails to several employees of the ministry, ...
2 years ago Therecord.media
7th Cybersecurity Forum: Power grids cybersecurity ascending to prominence — ENISA - 7th Cybersecurity Forum: Power grids cybersecurity ascending to prominence The Association of European Distribution System Operators (E.DSO), the European Energy Information Sharing and Analysis Centre (EE-ISAC), the European Network for Cyber ...
11 months ago Enisa.europa.eu
Russian military hackers target NATO fast reaction corps - Russian APT28 military hackers used Microsoft Outlook zero-day exploits to target multiple European NATO member countries, including a NATO Rapid Deployable Corps. Researchers from Palo Alto Networks' Unit 42 have observed them exploiting the ...
1 year ago Bleepingcomputer.com CVE-2023-23397 Fancy Bear APT28
The who, where, and how of APT attacks - This week, ESET experts released several research publications that shone the spotlight on a number of notable attacks and broader developments on the threat landscape. First, their new APT Activity Report reviewed the key aspects of sophisticated ...
1 year ago Welivesecurity.com Turla
APT Hackers Attacking Maritime and Shipping Industry to Launch Ransomware Attacks - The Turla/Tomiris group has particularly refined this approach, utilizing infected USB drives containing industrial espionage tools that eventually deploy ransomware across entire fleet management networks, effectively holding maritime operations ...
1 month ago Cybersecuritynews.com Mustang Panda CVE-2022-22707 APT41 Turla
Chinese hacking documents offer glimpse into state surveillance - Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to the nation's top policing agency and other parts of its government - a trove that catalogs apparent hacking ...
1 year ago Apnews.com
China Reportedly Admits Their Role in Cyber Attacks Against U.S. Infrastructure - During a high-level meeting in Geneva with American officials, representatives from China’s Ministry of Foreign Affairs indirectly linked years of computer network breaches at U.S. ports, water utilities, airports, and other critical targets to ...
4 months ago Cybersecuritynews.com Volt Typhoon
EU Takes a Leap Forward with Cybersecurity Certification Scheme - The EUCC, or EU cybersecurity certification scheme, has an implementing rule that was adopted by the European Commission. The result is consistent with the cybersecurity certification methodology under consideration on EUCC, which was created by ...
1 year ago Cysecurity.news
Third Of European Businesses Have Adopted AI, AWS - AWS finds AI already adopted at sizeable number of European businesses, resulting in increased revenues, productivity. An insight into the adoption rate of artificial intelligence within the business community has been offered in a new report from ...
1 year ago Silicon.co.uk
New backdoors on a European government's network appear to be Russian - Two previously unknown backdoors likely deployed by a Russian state hacking group have been discovered compromising the foreign affairs ministry of a European country. Researchers with the Slovak cybersecurity firm ESET published a technical analysis ...
1 year ago Therecord.media Turla
SideCopy APT Hackers Mimic as Government Personnel to Deploy Open-Source XenoRAT Tool - One notable email address, “[email protected],” was created on January 10, 2025, in UAE and remained active until February 28, 2025, mimicking a legitimate National Informatics Centre email address ...
4 months ago Cybersecuritynews.com SideCopy
