At a glance.
- Commodity Android spyware.
- Chinese APT uses new Trojan.
- ToddyCat targets Exchange Servers.
- Risk surface assessment.
Commodity Android spyware.
Researchers at Lookout have discovered Android spyware allegedly used by the government of Kazakhstan. The spyware is distributed via text messages that impersonate telecommunications companies or smartphone manufacturers. The researchers noted, “Based on our analysis, the spyware, which we named Hermit,’ is likely developed by Italian spyware vendor RCS Lab S.p.A and Tykelab Srl, a telecommunications solutions company we suspect to be operating as a front company.”
“Our analysis suggests that Hermit has not only been deployed to Kazakhstan, but that an entity of the national government is likely behind the campaign. To our knowledge, this marks the first time that a current customer of RCS Lab’s mobile malware has been identified.
“We first detected samples from this campaign in April 2022. They were titled ‘oppo.service’ and impersonated Chinese electronic manufacturer Oppo. The website the malware used to mask its malicious activity is an official Oppo support page (http://oppo-kz.custhelp[.]com) in the Kazakh language that has since gone offline. We also found samples that impersonate Samsung and Vivo.”
Chinese APT uses new Trojan.
Researchers at Palo Alto Networks’ Unit 42 are tracking a new remote access Trojan named “PingPull” that’s being used by the Chinese APT GALLIUM. Unit 42 states, “Over the past year, this group has extended its targeting beyond telecommunication companies to also include financial institutions and government entities. During this period, we have identified several connections between GALLIUM infrastructure and targeted entities across Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam.”
ToddyCat targets Exchange Servers.
Kaspersky describes a newly discovered threat actor dubbed “ToddyCat” that’s using the ProxyLogon vulnerability to target Microsoft Exchange Servers belonging to organizations in Europe and Asia:
“The group started its activities in December 2020, compromising selected Exchange servers in Taiwan and Vietnam using an unknown exploit that led to the creation of a well-known China Chopper web shell, which was in turn used to initiate a multi-stage infection chain. In that chain we observed a number of components that include custom loaders used to stage the final execution of the passive backdoor Samurai.
“During the first period, between December 2020 and February 2021, the group targeted a very limited number of servers in Taiwan and Vietnam, related to three organizations. From February 26 until early March, we observed a quick escalation and the attacker abusing the ProxyLogon vulnerability to compromise multiple organizations across Europe and Asia.”
The researchers don’t attribute the activity to any previously observed threat actor, but they note that ToddyCat’s “victims are related to countries and sectors usually targeted by multiple Chinese-speaking groups.”
Risk surface assessment.
RiskRecon and Cyentia have published a report on risk surface assessment, finding that organizations that are “cloud-first” are 85% more likely to be a top performer in risk management: “When we take a look at the cloud adoption rates of the top and bottom performers, we start to see some very clear separation…. Every 10% increase in host cloud concentration, results in a 2.5% increase in the probability of being a top performer.” The researchers add that “Choosing to go majority cloud with one of the ‘big three’ cloud providers, namely AWS, Azure, or GCP, has inconsequential effects rather than being simply cloud-first.”