South Asia News


Rising Tide: Chasing the Currents of Espionage in the South China Sea

Proofpoint and PwC Threat Intelligence have jointly identified a cyber espionage campaign, active from April through June 2022, that delivers the ScanBox exploitation framework to targets who visit a malicious domain posing as an Australian news website. The joint efforts of Proofpoint and PwC researchers provide a moderate confidence assessment that recent campaigns targeting the federal government, energy, and manufacturing sectors globally may represent recent efforts by TA423 / Red Ladon. Activity which overlaps with this threat actor has been publicly referred to in governmental indictments as "APT40" and "Leviathan." The blog analyzes the structure and capabilities of the ScanBox sample and the plugins identified in this campaign. It also correlates this campaign and its observed victimology with previous campaigns conducted by TA423 / Red Ladon which leveraged RTF template injection. Read more about it here.


Chinese APT groups targeting India, Pakistan and more with Sophos firewall vulnerability

Chinese state-sponsored hackers are targeting organizations and governments in Afghanistan, Bhutan, India, Nepal, Pakistan and Sri Lanka with a now-patched zero-day vulnerability in Sophos Firewall, according to several different cybersecurity companies. This week, Volexity released a report on CVE-2022-1040, a Sophos firewall authentication bypass vulnerability patched in March, and said a Chinese APT group they named "Drifting Cloud" was using it to install three open-source malware families: PupyRAT, Pantegana and Sliver. Sophos published its own report on the activity and said it has observed "organizations primarily in the South Asia region" being attacked. "At least 2 distinct suspected Chinese state-sponsored groups were identified exploiting CVE-2022-1040 prior to its discovery." "We also identified a newly observed cluster of activity exploiting the vulnerability which we are tracking under the temporary designator TAG-40." Read more about it here.


Hackers Distributing Fake Shopping Apps to Steal Banking Data of Malaysian Users

Threat actors have been distributing malicious applications under the guise of seemingly harmless shopping apps to target customers of eight Malaysian banks since at least November 2021. The attacks involved setting up fraudulent but legitimate-looking websites to trick users into downloading the apps, Slovak cybersecurity firm ESET said in a report shared with The Hacker News. The copycat websites impersonated cleaning services such as Maid4u, Grabmaid, Maria's Cleaning, YourMaid, Maideasy and MaidACall, and a pet store named PetsMore, all of which are aimed at users in Malaysia. Read more about it here.


Google: Chinese hackers target Gmail users affiliated with US government

Google's Threat Analysis Group has warned multiple Gmail users that they were targeted in phishing attacks conducted by a Chinese-backed hacking group tracked as APT31. The warnings came after Gmail's defenses had already tagged all of these phishing emails as spam and blocked them automatically. "In February, we detected an APT31 phishing campaign targeting high profile Gmail users affiliated with the U.S. government," Google Threat Analysis Group's Director Shane Huntley revealed yesterday. Read more about it here.