Chinese state-sponsored actors have been caught red-handed trying to extract intelligence from Russians via a guard camp close to their border.
The post State-backed hacking group from China is targeting the Russian military appeared first on Malwarebytes Labs.

In an unexpected turn of events, research has surfaced about a Chinese APT (advanced persistent threat) group targeting the Russian military in recent cyberattacks.

Tracked as Bronze President, Mustang Panda, RedDelta, and TA416, the group has focused mainly on Southeast Asian targets—and more recently, European diplomats—and turned their attention towards Russia and started targeting the country’s military situated close to the Chinese border.

Dell SecureWorks retrieved a file named _Blagoveshchensk – Blagoveshchensk Border Detachment_, which bears the icon of a PDF file but is actually an executable file.

From the report:

> “Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This connection suggests that the filename was chosen to target officials or military personnel familiar with the region.”

Once the supposed document is “opened,” the executable downloads four files, including a clean document file used as a decoy (screenshot below), from a server Mustang Panda is known to use.

_Although the file name is aimed at Russian recipients, it throws one off when they see the decoy document written in English. (Source: Dell SecureWorks)_

The document appears like a formal report from the European Commission, and it details the refugee and migrant status pressuring countries bordering Belarus.

The three additional files are required for Mustang Panda to use DLL search order hijacking to install a variant of PlugX, an old remote access tool (RAT), onto target systems. This allows threat actors to secretly load a malicious DLL, thus avoiding detection from security solutions software.

PlugX is capable of stealing sensitive information from target machines. Although this, as a whole, is a benign attack that involves intelligence gathering, it is interesting to note the shifting targets, presumably based on the political situation in Europe and what’s happening in Ukraine. Suffice to say, China continues to look out for itself and its interests, even if it involves countries it considers “strategic partners of coordination”.

State-backed hacking group from China is targeting the Russian military

A vulnerability in the HCI Modbus TCP COMPONENT of Hitachi Energy RTU500 series CMU Firmware that is caused by the validation error in the length information carried in MBAP header allows an ATTACKER to reboot the device by sending a special crafted message. This issue affects: Hitachi Energy RTU500 series CMU Firmware 12.0.*; 12.2.*; 12.4.*; 12.6.*; 12.7.*; 13.2.*.

%PDF-1.7 %���� 1 0 obj <>/Metadata 426 0 R/ViewerPreferences 427 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 842.04\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��\\\[o�~��0�I�x'�\]y�5P�\*�\`�Au���T}�/��3�H��N�h5�!?��wgs�����ow��������ݧ��:|��==??}�����\_��r���������Շ���.�����l���~����}y��AȨ�@F"cl��ՠ��������0<^^�Qf��UJ�):|�ryq����N7O�{�G\\\`x��.��|��� ���w�&��\] �1FS�CNr�l0�Y���.~��'5��vyAl{��J����/N�P2�ty��.7o(c�3�Iµ)~b{�����k��5�>�8���߼< 6����xkѾwZ��ݱ��(�#Q���M�0�x�r��)xm���!A�$d�/�h �R�L�qb�@����E\]��$zm���By��"\*��M\]2ֱn?����?~wG��(X\[7�X��ʂ�����\[,���W�f� �i��6W,�k8ݟ�\\.V�l~Ѝ�~aȈ���&r<�q#J�����l\_�Y�H�j1�M�k9��wo���k\[�c2Z��Y\*7�bmI�\]J& +"�T��KyW|��(۲\*����� N-��.�U� �9�38����\*�.Q>���;�yR ����a\[�<���?�����TBDm�l���e��$H�5�+���2g�8e#� i}�iUs�z&�� ��Z�h>�RI�Y̸+Z �/�z%5 Kțz��l\*h�ծ֚�Tw�$��r�;m�ń\_ƽ�r A�q9�Dʅ^7\*:�Nx��f�wkPf�Q��w �S� �����5IwUn\`��۟���J��S�2E�-�E�)��������I��\[�U��i�� ��7�� ����bC!���9���M�\`�TH�����5�VE��qϊ��І��4F�-H�V���G� �\`(����~��2��&f�x\]��|?�IC�-/Jy�O\_3�c�$���V��6�I�qBG1��c��㣠��� �Y�2\[�z���5�2�GS��ٔ���7g�i�vm�z�0���B��2�k���;VfD�A�Lw�|�u��r�p�H�;��Շ�w�����盁\\����a������>�xlc(ǒ��j��ꂇ�渕~���q�#p�큒9Ji�4!�9z�&O�"U�ѱj��Rg3��"as�06A��ˤjI3T�\*ngEQ�s�JI��<�X�B�e6�.Qy}I�O>�0� �\\�-�3%F�W��������B�1wy�\`N,�Igt�:wl��- A�H֤���Q�o�^��Π�\`YBB��f�p��xS�ԛI2L��R4��&dY��u��΄���$1�-n��e1M!u߬pǋm�HW�rW�\\ίC���Gù� yZon���F�P��kd~��Y��\*x��,�L�8��פ �%�3Z��(:A�s�+o��T����ܓ����� �%���Qt9��,�z��}۹9a�+$��������Ֆ��WIk �hm����;�3�b�1�y����\[bf���70��\]U\`�U�(W8T��h����Rnk���տ��>'ni�h�ܜ��a\[���%��hV �RX盎�\`ڣ�\\F$�c�������Ā��G9�L����>�� L�Q���f� ߜ�Gbi㓀�?��#������9V� =�c���+�,y�ǩ�Z��(U�����ir�T���#u:\*���^�}��@)��e�\_%���6�ؒ��<}�/v���ޘ�{y���� -4�\[4ВIc�7�v�v�� �F�|ʷ�\\{N�{f�N���+����ϡ\\+In(\`��u�}����n����'�^����r�\[�n8$u�\`�۳�\]N76�eޯP�\[ӭ:�:�A����c��A&Qq�&��#���,}�� YCd1F���HX�l(��ۓa�+����Fش鏹M�ە@\]k�:�� "��̣��~��ͩ�;Ƭ��{�T둮�΋��b'��p'�Κx�f�lR�k�oY����9�+�����XDc��e�Q���hv����k��j!�D��A�2��N'�Ѧ�R�LX�1�Qn���μѦ�#�B�!P��$�4��l���\\�l |vw�\`9��٢}ޣH�#�v������5YD�i�U�=�kH2�Y�q1"��<.ٱ�6 Ge%��P�Ë�dP@������X��:{I1�<�{��)�Bt�+�\`$����Őx��xڎ��5���d͔��I-O�tHs�oܪj�$�ղI7%cR,P�y�T(�#b ��b6�;���u x�HTo�qjk^WtŭTh�;�3�m �'� V��ӛFA�I�����nCce�O��p�y����w\[F=��\*jƁ�~adIC!�a��g��48G%͹)I2�E�?��-�c BYR���j���'>�dy(���iG���<"$.D�b�P��E0Z5�{y&Ǹ�͉�᳤�1ň$M��R������9e�9�KC�,�&\*u�F78ϔW,�$/M��R�����z=�γp���h���$�^pq��fLI�y��)Q� oX����yH����G����J��9�E���bW��+&s�nɒa����B\\-e��/����X���b� ~e�X��b����H�2Pa� v �.�$��d���t6���D��H\*R��| ���Ȃ g��e���KUTQ"����r2�M�M�\`���\`�횘�m�A��t�K�3�R�����Z�Fd�L�̄K�A3���;���4j�8��AMâ0S�k�\`��g�����}�l����1�Dd%�\\��e�^�j\\�Ny��,�s%�E�(��=6T^�R�?�nB�W%N�����l�'�J�8���ӾA^k( �U{'E\[ 7a��ⶹXaH!���A�q^�'yD�a�;�o����\[u�\]�y�s�� ��:����̿$)ZL�E��?$�s����Ѣm�II񑸣��mţsg7�R�A�gs��F�M��G�7qG�&�ݾ �1��T5��Y�֊��CC�צ1��\\a^\\F�:�O�����6��N�>�\_����x��M�'x����W�L�x�� x�rz��s�cv�� endstream endobj 5 0 obj <> stream x�mYM�#+ܿ�w�����<1��fT U��ݙ�� �'�� o�������Oz�(�\*��S�������x�w���\_I��?=�x\]:3�\\{��)�ы�)���k��'�Qb�oY盨<¡(5�S�Ap1 ����jZO�\_�'�����\_��D- ?EZӟ.UB����\\�%�H}��dˊ>mU�=JQ��􊠃���S��\\��@��3��#zw���s�F�eq'\\��'���i���t\`�=ݧ�$�4@���� �;V�\`�\[�ϸ��3ͮg�}~\\E~G)U���H�ު��z��VԜh}��/���%qr 1�aI8 �t�-yS�\\:�:m��N,�?Y�ȓ�D�����:qD�P���<�\]O�K�ܐ�s��n:{�um�m}s1͹��>?�?�q�9O�-�V)���57�TM���<�!����\\Ǟ�$�-�Tu=u?�)�&fO�N.BOr��L:ڻ>�:\`��)R�MW��D8�:����IL�s��4�zz��4��p������;Vd$��}�L�%�l!$\]ګ�Ƙ�uF"��E��":��� �57��\`�1�KV+��Z8��s8�����4Λ�m����s�\_�I�T\_J/\\���rx�� ��g��V5 �ߗrk\\�r�������tOI�f�=��$��6��cXj�&f��h�|ὠ�C�\_x���Ol��=���/�\*�#��Q'BfU���K�\]�/b��#·��{��"��S�/����%�����\\�A~��ϱ���PT���k���W{�Ȼ�)�״�Sf���Ǖjz�R�"�f9��Pg�7����LQ�uK�D=o �s'�B\]�����h��\\� �Π�"t+l{:+K\\�; 9�"�'��U,\\-�8� A��m�F�h؎N�(��i��u<��\`��숥�.20,�x�%9�-�u�Q�����P��ʢ���"�X� "����VNH+G�d &�$�0�sa��9��5ԅhrK+%���,Mw (�ӿ��@���k����=�?$�Sw����H����I'j��X�WQSm�����ߒ�z$���1RJ��D��hT��cly|�,r���z����0�Wv��J�b�OB��D�rBR��u�e��d��m䱾�p=}2?NQ��A�7srF��,�:ڶO�ۀ��q#,�d��.U��d��:dm�@�PǊ�͝�� ):�����x���s55M��!;�P��h��6b�O&Q�@����ǆ�rg�a�ht������ù�%����d/���Q�o��ܕ�S��|<�������/lW���S�D�(�vx ��~�NW3G�f��Mq��@0��Ԫj\*.x�f�SK�pdM�!\]��{��2��R�^���\_b-�X�X;1���ꉗ���\_�V���I�3�\_�.E�2~�(��8�1␋�4�ob>.ɬ���Uw�6��Ѭ��w�(�$k��"<�7O~�އǝ&���ij�yi/�^��)nG��xUq ���t��"p�"7�Ņ�ʺ\`E���.�${�$�&�#��M{��\*�5}��8�.(Z�b����������<��%��~Xoh\]�N��ХVxh�M�����1Z�d�J�ҲUt�\\�\`$>F0�b��P�~�ҏ^�U#��>���EL�U���w��'��>��2� ~N��/�{h�g�=�{���o�M���Z��q3�1�cx�g��r�%\_OU���S�N���։��O�-�t��(��������mhM�|ǵ�%�ny�; �EjR����/�u8������c�>�6و�CJ9��������x�>���Q�0�Je+�3������؉t.��} O��.th�b���;�qb��'�P(R\\�G��� --dv��6�f��GE�/2f9��"\\�j\*u�/=��2��������,��ky#:\`s�h���\_�z&�1?$����r�s�}�;+\\�Ϳf�+����i�� f~��6�J�O����c��6�n� ����b��Y������a�t ����,��&k���l%,K�����h~�pB�D�@��i���u!s�U����P��ܭCZ�s�%�\`�Y�)0{��m�������B���Ef���lE� �A^�GN�E�7��wE endstream endobj 6 0 obj <> endobj 7 0 obj <> endobj 8 0 obj \[ 9 0 R\] endobj 9 0 obj <> endobj 10 0 obj <> endobj 11 0 obj <> endobj 12 0 obj <> endobj 13 0 obj <> endobj 14 0 obj <> endobj 15 0 obj <> endobj 16 0 obj \[ 17 0 R\] endobj 17 0 obj <> endobj 18 0 obj <> endobj 19 0 obj <> endobj 20 0 obj <> stream x����Wٿ������<��}p�9��䞵�YǀYQQAT0���bu0 f���̀�sÈ:�\`Ā�HTE��d%y�?���W��\*�&�����r!T��Uս?��+|�p����ӧO�����ů32���iBBnNNIq��I&���sCCC\[�@����L2#\]�\[�UXXh����l�^�zդ�ZYb+�&o%�U���WUU�eט��$'\_��ٷgϒ��qc�������������rٲ�o^���͛���f/����u�V��A ���sss��Z��vΜ!~~���;nYֱ�GM��q�z�Bg�hRk�,���4�\`�?�^Ո��؛7ݲk�������(95i������a�8+�;t�ӳ����熆^���TWW7u�r��\_6ֽ}��ʖ7�AZb:��-\[��Z��f�Ӟ��o��eY?����/Z���ZYb+i������X�pa�j�=s�\[v�����pt���Sݸw��{�>Xo��?����ƺׯ\_\[Y��%��Z�"SZ�dʓ'O|lRm\];w~��\[���"$ڢ7N\*o�- ��I��gϜ�����$2� dJ+�LY�ti3\*\\�x�O�ܲ���Bg�l�M1?,,11ѴId �AȔV.�2%77���V��\`\_߄���Nmm���W}�ܡC�l Y�?��Ǐ���F��Li��0S�?߱m\[����{�������i��y{4(d� ��OϞM�����Vl�A�����)�\\fJzZڈ��f�٣kW�S� H�\]�x�b��o��Ac�HW�֭������y���Cjj��+Wvn�>20�W���?����۷N\_6d �9�ؙr����M-3�M���e��焆6�ri��^?��g�8ӯ˷o�&�м�r����}����&��/��鲪��n޸1)8ثcG+5/ ���ê�����3�������޽�߬����/�Q�z�\_Yi��˒aȺ5k���a�v��S���l�Ue��Ȼw�TZ;Y�&;;{�5\]:u2��w�WcbVB�䏝)��ӯ��R�%�32\\\\�͑Ç��2qbAA���@�id8���2g$�V�Xa� =��ӧ�X�ښ�EZ�9��L<��j�L��˛

CVE-2022-28613

%PDF-1.7 %���� 1 0 obj <>/Metadata 426 0 R/ViewerPreferences 427 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 842.04\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��\\Ko$����@�d�3��q��Y9,|Pֲ���6��b�=dk4�1ֆ�Q7��Xϯ�=�\\{���������r��r��\_� /7�//�\_~����ׇ˿�?~~����t���|�K��症o�հ��.����������LRJ�(��r�6J���o�g����t~Ɖ���%#���Sl��������˽n����\\\`�}�k\`�{������\`��-�Xk�áFE��Aus�߲A�Qw���1�\]�Dk9X� sw\`:

Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 
Cisco Talos recently discovered two new vulnerabilities in Accusoft ImageGear. 
The ImageGear library is a document-imaging developer toolkit that allows users to create, edit, annotate and convert...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw._ 

Cisco Talos recently discovered two new vulnerabilities in Accusoft ImageGear. 

The ImageGear library is a document-imaging developer toolkit that allows users to create, edit, annotate and convert various images. It supports more than 100 file formats such as DICOM, PDF and Microsoft Office. 

One vulnerability, TALOS-2022-1465 (CVE-2022-23400) could allow an attacker to cause a denial-of-service condition inside the application by overflowing the stack buffer. In a very specific scenario, this buffer overflow could also lead to a memory leak of one byte.

Another, TALOS-2022-1449 (CVE-2022-22137), could allow an adversary to corrupt memory on the application and cause an arbitrary use-after-free condition. 

In adherence to Cisco’s vulnerability disclosure policy, Accusoft patched these issues and released an update for ImageGear. Additionally, the company also fixed several other vulnerabilities Talos disclosed in February that previously did not have a patch. 

Talos tested and confirmed Accusoft ImageGear, version 19.10, is affected by the vulnerabilities disclosed in this post. 

The following SNORTⓇ rules will detect exploitation attempts against this vulnerability: 58947, 58948, 59030 and 59031. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Two vulnerabilities in Accusoft ImageGear could lead to DoS, arbitrary free

Aamir Lakhani, global security strategist and researcher at FortiGuard Labs, zeroes in on how adversaries are targeting 'remote everything'.

Aamir Lakhani, global security strategist and researcher at FortiGuard Labs, zeroes in on how adversaries are targeting ‘remote everything’.

The rise of remote work and learning opened new opportunities for many people – as we’ve seen by the number of people who have moved to new places or adapted to “workcations.” Cybercriminals are taking advantage of the same opportunities – just in a different way. Evaluating the prevalence of malware variants by region reveals a sustained interest by cyber adversaries in maximizing the remote work and learning attack vector.

****What Malware Trends are Showing****

Our FortiGuard Labs research team dug into the prevalence of malware variants by region for the second half of 2021. What they found shows a sustained interest by cyber adversaries in maximizing the remote work and learning attack vector. The team found that various forms of browser-based malware were prevalent. Often, this takes the form of phishing lures or scripts that inject code or redirect users to malicious sites.

Detections vary across regions, of course, but can be largely grouped into three broad distribution mechanisms: Microsoft Office executables (MSExcel/, MSOffice/), PDF files and browser scripts (HTML/, JS/). Files packed with the Microsoft Intermediate Language (MSIL) are another common feature.

It’s worthy of note that some kinds of browser-based malware occupy the top spots in all regions. Such techniques have gained prominence recently as a way to exploit peoples’ desire for the latest news about COVID-19, politics, sports or any current headline. And since many are browsing from their home networks these days, there are fewer layers of protection between such malware and would-be victims (e.g., no corporate web filters).

****The Rise of Exploit Kits****

The use of exploit kits (EKs) is one element that has clearly helped cybercriminals in their efforts to execute malware. These kits are automated programs attackers use to exploit systems or applications. What makes an exploit kit very dangerous is its ability to identify victims while they browse the web. After they target a potential victim’s vulnerabilities, attackers can download and execute their malware of choice.

Exploit kits work automatically and silently as they look for vulnerabilities on a user’s machine while they browse the web. Currently, exploit kits are the preferred method for the distribution of remote access tools (RATs) or mass malware by cybercriminals, especially those seeking to profit financially from an exploit.

What’s especially insidious is that EKs don’t require victims to download a file or attachment. The victim need only browse on a compromised website, and then that site pulls in hidden code that attacks vulnerabilities in the user’s browser.

Currently, older kits are available to the public. Attackers have been taking these older kits and modifying them, making them more resilient to newer security detection strategies. Also, many of these kits are being advertised for sale online. Attackers offer these kits for rent on these sites and offer support and update contracts to guarantee they work against future updates.

****Addressing the Remote Everything Security Problem****

As hybrid work and learning become embedded paradigms in our culture, there are fewer layers of protection between malware and would-be victims. And bad actors are gaining access to more tools to help them pull off their nefarious deeds – like exploit kits. At the same time, the attack surface has rapidly expanded and continues to do so.

That means enterprises must take a work-from-anywhere approach to their security. They need to deploy solutions capable of following, enabling and protecting users no matter where they are located. They need security on the endpoint (EDR) combined with zero trust network access (ZTNA) approaches.

Another vital component and best practice of modern security strategy is the development of a holistic security mesh, wherein fully integrated security, services and threat intelligence seamlessly follow users on the road, at home or in the office to provide enterprise-grade protection and productivity across the extended network.

This simplifies and satisfies the demands of today’s three most common WFA scenarios: the corporate office, the home office and the mobile worker. Enterprises must secure mission-critical applications, so securing access to those applications, the networks to connect to those applications, and the devices that run those applications remain a vital component of a layered defense – even when working from a traditional location.

In the home office, risk lurks in the home networks that are often poorly secured with retail wireless routers and contain vulnerable IoT devices, which can be a pathway for hacker to gain access. And mobile workers regularly rely on untrusted and unsecured networks to access critical business resources. This can introduce unique threats, enabling cybercriminals to launch attacks against inadequately protected devices or intercept exposed communications.

A holistic integration of endpoint security, network security and ZTA/ZTNA addresses the challenges that WFA presents.

Criminals will make the most of any possible threat scenario, and the past two years have provided many opportunities for network attack. Malware trends and the rise of exploit kits have proven this point, and it’s now incumbent upon IT security teams to re-evaluate their security posture and adjust as needed. A comprehensive, integrated security mesh that accounts for all work possibilities is a best practice.

**_Aamir Lakhani is cybersecurity researcher and practitioner at FortiGuard Labs_.**

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

Bad Actors Are Maximizing Remote Everything

Ubuntu Security Notice 5396-1 - It was discovered that Ghostscript incorrectly handled certain PostScript files. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use this issue to access arbitrary files, execute arbitrary code, or cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5396-1April 28, 2022ghostscript vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Ghostscript could be made to crash, access files, or run programs if itopened a specially crafted file.Software Description:- ghostscript: PostScript and PDF interpreterDetails:It was discovered that Ghostscript incorrectly handled certain PostScriptfiles. If a user or automated system were tricked into processing aspecially crafted file, a remote attacker could possibly use this issue toaccess arbitrary files, execute arbitrary code, or cause a denial ofservice.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:  ghostscript                     9.26~dfsg+0-0ubuntu0.18.04.16  libgs9                          9.26~dfsg+0-0ubuntu0.18.04.16In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5396-1  CVE-2019-25059Package Information:  https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.04.16

Ubuntu Security Notice USN-5396-1

We take a look at a report which indicates younger generations are struggling with being able to spot scams, and why that might be.
The post Why you should be taking security advice from your grandmother appeared first on Malwarebytes Labs.

We tend to accept that younger folks are supposed to be more tech savvy, given they’ve grown up with computers and the Internet pretty much their whole lives. If you go back about 15 or so years, a lot of security advice focused on the “warning your grandmother away from scams” routine.

The default assumption was that people over a certain age simply did not know about computers and the threats that come with them. Grandparents were the short-hand, go-to frame of reference for examples in posts about scams or fraud: Watch out for grandfather this; your grandmother will fall for that.

**Your grandfather knows what he’s doing**

Crude, age-based categorisations were always dubious, and they are looking more and more baseless as the years tick by. Tech has now been around for a long time, whether it had some Internet bouncing around inside it or not. The oldest gamers playing on machines like Binatones in the 1970s might now be approaching 70 years of age themselves. Many studies have come and gone in the last couple of years declaring certain age groups to be at risk at one time or another. The interesting part is that more and more are declaring that younger age groups are at the greatest risk.

Older folks are dodging COVID-19 scams and all sorts of other shenanigans. Meanwhile, the news is definitely not as good the lower down the age slide we go.

Over here, Barclays twenty-somethings are most likely to be caught by scams. Over there, The Better Business Bureau finds that year after year it’s the younger folks getting stung by scams. In this direction, the UK’s Local Government Association has warned that it’s 16-34 year olds mostly feeling fakeout wrath. Some of the surveys listed claim that those in both the 31-40 or 71+ ranges are more susceptible to forms of advance fee fraud, but that seems to be about the only real negative mark against them.

Everything else is grim reading for the younger netizens out there.

**Are digital natives in trouble?**

A new study has just landed and guess what? It’s more misery for the so-called “digital native” generation (and, perhaps, those just on the fringes).

The Financial Times reports that a joint study by Visa and Aston University’s Institute for Forensic Linguistics brings bad tidings for the young. One in four 18-34 year olds trust scam messages, which is “more than double” of those over 55.

Gen-X, forgotten again.

**Crunching numbers**

We cover the “urgent action” type scams a lot, because it’s a core component of so many fakeouts. Nothing has people clicking links they shouldn’t click faster than the threat of losing access to accounts or finances. According to the study, some 70% of messages analysed contained some kind of “Hurry up please” messaging.

Gift cards and Bitcoin—cybercriminals’ favourite currencies—feature heavily, as you’d expect. And it’s no surprise that aspects of younger culture are tied up in the most common scam messages.

More than 50% of 18-34 year olds had sent cash to fakers pretending to be friends or family. Again, this is likely another tick in the pandemic box. There’s a lot more stats in the report itself \[PDF\], but that’s not what I’m most interested in. Despite it being focused on the language of fraud, there’s one key aspect which isn’t really touched upon.

Reports state that a quarter of 18-34 year olds don’t check for spelling and grammar mistakes. As the PDF itself notes that poor spelling, typography, and grammar are often indicators of a scam message, we may wonder how this disconnect is happening—and how to address it.

**Annoying your spell-check for fun and profit**

Security advice nowadays tends to steer clear of the “Your grandfather doesn’t understand computers” routine for the previously mentioned reasons. It’s just a bit crass and not particularly accurate.

And there may be other age-related pieces of security advice to reassess too.

Misspelling and errors have been a feature of scams for years, and a useful red flag we could advise people to watch out for. But does that advice still work for a generation that’s grown up on social media and messaging apps, and loosened its adherence to language norms by communicating with emojis and paired-down, abbreatived, vowelless blasts of text?

Some People Write On Social Media Like This.

others write everything in lower case and don’t even bother to consider throwing in the occasional comma or even a full stop because their messages are still entirely understandable

The rules have mostly gone out the window, and the “watch out for typos” advice might have to go with it. After all, you can’t tell people to beware strange spelling when everyone is officially doing their own thing.

**Some good news for Gen Z and Millennials**

Thankfully, “watch out for typos” is far from the only piece of security advice we can give when warning people away from bogus SMS messages or suspicious emails. When we warn you away from a phish, we give you several things to look out for in combination. It’s the same for a malware scam, or a bogus phone download, or something targeting young gamers.

The survey recognises this, and stresses the importance of picking out combinations of factors to spot a scam. It’s not just typos: It’s _combinations_ of certain words, pressures exerted on the recipient, mismatches between sender and links given, and a dash of ambiguity. One of these alone probably won’t help, but a few of them together most likely will.

Why you should be taking security advice from your grandmother

Kremlin-linked actors have launched multiple assaults since invasion began

Kremlin-linked actors have launched multiple assaults since invasion began

  

A new report from Microsoft has revealed that at least six separate Russian nation-state actors have launched damaging cyber-attacks against Ukraine since the invasion began earlier this year.

The study (PDF), released yesterday (April 27), detailed how Microsoft researchers have tracked at least 237 “cyber operations” originating from Russia.

These attacks “have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country’s leadership”, Microsoft states.

It comes more than two months after Russian troops invaded neighboring Ukraine, sparking the beginning of a war that has so far claimed tens of thousands of lives.

**Direct hits**

Microsoft has observed these cyber-attacks as being “strongly correlated and sometimes directly timed” with Russia’s kinetic military operations targeting services and institutions crucial for civilians.

“For example, a Russian actor launched cyber-attacks against a major broadcasting company on March 1, the same day the Russian military announced its intention to destroy Ukrainian ‘disinformation’ targets and directed a missile strike against a TV tower in Kyiv,” the report details.

As many as 32% of destructive attacks directly targeted Ukrainian government organizations at the national, regional, and city levels, while more than 40% of attacks were aimed at organizations in critical infrastructure sectors that could have negative second-order effects on the Ukrainian government, military, economy and civilians.

A diagram detailing some of the nation-state actors identified by Microsoft

“At least six known or suspected Russian cyber threat groups in addition to other unattributed threat actors are engaged in activities that range from reconnaissance and phishing for initial access to pervasive lateral movement, data theft, and data deletion,” according to Microsoft.

“The multiple phases of their operations suggest these actors are positioning themselves for continued compromises and impact on Ukrainian networks for the duration of this conflict and beyond.”

Nation-state groups mentioned in the report include GRU unit 74455, aka Sandworm, also known as Iridium, which Microsoft claims is responsible for the malware FoxBlade wiper, CaddyWiper, and Industroyer2. GRU is Russian military intelligence.

Read more of the latest security news from Ukraine

Also mentioned in the report is Nobellium, aka APT29, which is thought to be led by Russia’s Foreign Intelligence Service, which has been seen using password spraying and phishing attacks against Ukrainian and NATO member diplomatic targets.

Microsoft stated that these attacks used a variety of techniques to gain initial access to their targets including phishing, use of unpatched vulnerabilities, and compromising upstream IT service providers.

The tech giant also noted how the cyber-attackers often modify their malware with each deployment to evade detection. “Notably, our report attributes wiper malware attacks we previously disclosed to a Russian nation-state actor we call Iridium,” Microsoft added.

READ MORE Data wiper deployed in cyber-attacks targeting Ukrainian systems

The Windows-specific data wiper appeared on “hundreds of machines”, according to telemetry from information security firm ESET, in the days following the invasion.

The wiper abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data.

Although primarily directed towards Ukraine, the ‘HermeticWiper’ malware strain has also been detected in the Baltic states of Latvia and Lithuania.

Date stamps on the malware indicate that it was compiled two months before the invasion – evidence that the cyber-attack was premeditated.

**Continued escalation**

“Given Russian threat actors have been mirroring and augmenting military actions, we believe cyber-attacks will continue to escalate as the conflict rages,” Microsoft concluded.

“Our report includes specific recommendations for organizations that may be targeted by Russian actors as well as technical information for the cybersecurity community.

“We will continue to provide updates as we observe activity and believe we can safely disclose new developments.”

The full report (PDF) contains more information, including a detailed timeline of individual attacks targeting Ukraine.

DON’T MISS Ukrainian ISP used by military disrupted by ‘powerful’ cyber-attack

<span>Microsoft report unmasks at least six Russian nation-state actors responsible for cyber-attacks against Ukraine</span>

Lexmark products through 2022-02-10 have Incorrect Access Control.

%PDF-1.7 %���� 1 0 obj <>/Metadata 187 0 R/ViewerPreferences 188 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/Annots\[ 25 0 R\] /MediaBox\[ 0 0 612 792\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��\\\[s�H~w��C?�� �o��RT;ޝ����$����>.6@�$�x����a���I%�F\_\_N��װ�\_���Wo~�ea���7쿗a⟔���S�����?���������g

CVE-2022-24935

The war in Ukraine appears to have triggered a change in mission for the APT known as Bronze President (aka Mustang Panda).

China's tacit support for Russia's war in Ukraine apparently doesn't preclude likely China-backed cyber actors from mounting espionage campaigns on the Russian military.

Researchers from Secureworks' Counter Threat Unit this week said they recently discovered malware that suggests the advanced persistent threat (APT) known as Bronze President (aka Mustang Panda) is now targeting Russian military personnel and officials. The security vendor described the effort as an example of how political changes can push countries into new territory for surreptitious information-gathering efforts, even against friends and allies.

**Cyberespionage Campaign Delivers PlugX**  
According to the report, the heavily obfuscated malicious executable being used in the campaign is designed to appear as a Russian-language PDF document pertaining to Russia's 56th Blagoveshchenskiy Red Banner Border Guard Detachment (which is deployed near Russia's border with China). The file is designed so that default Windows settings do not display its .exe extension, Secureworks said.

Secureworks also explained that the executable file displays a decoy document written in English, though the filename itself is in Russian. The document appears to be legitimate and contains data pertaining to asylum applications and migratory pressure in the three countries that border Belarus — Poland, Lithuania, and Latvia. The content also includes commentary on European Union sanctions against Belarus for its role in the war in Ukraine.

When executed, the file downloads three additional files from a staging server. One of them is a legitimate signed file from Global Graphics Software, a UK-based firm. The file uses DLL search-order hijacking to import an updated version of PlugX, a remote-access Trojan (RAT) that has been previously associated with Bronze President.

"DLL search-order hijacking has been around for years," says Mike McLellan, director of intelligence at Secureworks. "It's a well-known technique by threat actors in which they maliciously use a legitimate executable file, often from a well-known vendor, together with a malicious library file (DLL), to load and execute an encrypted malware payload."

Threat actors use the technique because it ensures that the malicious payload file on a compromised system is never sitting around on disk in a manner that scanners and anti-malware can detect.

"This technique has been a staple of several China-nexus threat groups for many years," McLellan says.

As part of the attack chain, the threat actors have also included a ping command that adds a significant delay before executing the legitimate signed file, Secureworks said — a generic evasion technique to introduce a time lag while files are downloaded to the victim.

The staging server that Secureworks observed the threat actor using in the current campaign hosts a domain that Proofpoint earlier this year linked to a PlugX campaign against diplomatic entities in Europe. The security vendor determined that campaign to be motivated by matters related to the war in Ukraine as well. The same domain has also been linked to Bronze President attacks in 2020 that Secureworks observed against the Vatican.

**A New Set of Victims for Bronze Panda**  
Bronze President is a threat group that has been active since at least 2018, according to the researchers. Secureworks and others have assessed the group as being China-based and likely sponsored by — or operating with the knowledge of — the Chinese government. The group has been associated with numerous attacks on nongovernmental organizations and others, mostly in Asia but to some extent in other countries. Last year, for example, researchers from McAfee spotted the threat actor conducting a major cyber espionage operation targeting telecommunication companies in the US, Asia, and Europe.

The latest campaign represents a departure from the usual for the group, since it targets Russian entities, according to McLellan: "This is substantially different to what we have seen over the past two years where Bronze President has been about 90% focused on Myanmar and Vietnam. We believe they still have a mission in the Asia region, but this has been a bit of a departure for them."

Tag

#pdf