The main goal of nation-state actors operating for intelligence purposes is to establish a consistent and reliable digital presence. Whether or not they have an active operation underway, they need to be able to launch a campaign at any time. To do so, they need to keep their footholds deployed at all times.
APT10—allegedly a Chinese threat actor—has come up in the news recently, this time running a campaign known as Operation “Cloud Hopper”.
Chinese actors are the main suspect, based on malware compilation timestamps and interactive hacking activity, but there is a chance that this is a deception attempt to manipulate the forensic evidence.
Edward Snowden was right about the CIA’s hacking activities: the agency is going to lose control of its “weaponized gun”, and it is going to be ugly.
On March 7th, 8,761 documents and files leaked from the CIA were published by Wikileaks, revealing the scope and direction of the CIA’s global covert hacking program, its malware arsenal, and dozens of weaponized “zero day” exploits against a wide range of U.S. and European company products: Apple iPhone, Google Android, Microsoft Windows, and even Samsung smart TVs, which are turned into covert microphones.
How is Samas RansomWorm different from normal ransomware?
Whereas traditional ransomware encrypts only the machine it has compromised, RansomWorm spreads throughout the entire network to encrypt every server and workstation, including the backups.
Pass-the-Hash (PTH) and Pass-the-Ticket (PTT) attacks are well-known methods that attackers use for lateral movement in a domain environment. The industry has seen them for a long time, but the pursuit of reliable detection for these attack methods is not over yet.
They are really hard to detect because they leverage legitimate Active Directory authentication operations to achieve their goal, which is ultimately to gain higher permissions inside the domain and to move laterally into more sensitive and desirable locations.
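The point above is that PTH and PTT look like ordinary authentication, so detection has to reason about context rather than match a single bad event. The following is an added example, not code from the original post or its authors: three common heuristics applied to constructed Windows Security events (4624 account logon, 4768 Kerberos TGT request). The host names, account names, IP addresses and the single domain name CORP are all made up; the rules are assumptions about what "normal" looks like in such an environment, and each one also fires on some legitimate administrator behaviour, which is exactly the difficulty the text describes.

```python
"""Heuristics for spotting Pass-the-Hash / Pass-the-Ticket indicators in
Windows Security events. All sample data below is constructed, not real telemetry."""

# Constructed sample events. Field names follow the Windows Security log
# (4624 = account logon, 4768 = Kerberos TGT requested); values are made up.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Host": "WS01", "TargetUserName": "alice", "TargetDomainName": "CORP",
     "LogonType": 2, "AuthenticationPackageName": "Kerberos", "LogonProcessName": "User32",
     "IpAddress": "-"},
    {"EventID": 4768, "Host": "DC01", "TargetUserName": "alice", "TargetDomainName": "CORP",
     "IpAddress": "10.0.0.11"},
    # alice really requested a TGT, so her later Kerberos network logon is benign.
    {"EventID": 4624, "Host": "FS01", "TargetUserName": "alice", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos",
     "IpAddress": "10.0.0.11"},
    # PTH style: NewCredentials logon (type 9) through the seclogo logon process.
    {"EventID": 4624, "Host": "WS01", "TargetUserName": "svc_backup", "TargetDomainName": "CORP",
     "LogonType": 9, "AuthenticationPackageName": "Negotiate", "LogonProcessName": "seclogo",
     "IpAddress": "::1"},
    # NTLM network logon with a domain account to a domain-joined server.
    {"EventID": 4624, "Host": "FS01", "TargetUserName": "svc_backup", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "IpAddress": "10.0.0.11"},
    # Kerberos network logon for bob with no 4768 for bob anywhere in the window.
    {"EventID": 4624, "Host": "FS01", "TargetUserName": "bob", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos",
     "IpAddress": "10.0.0.11"},
]

AD_DOMAIN = "CORP"  # assumption: the only AD domain in this (made-up) environment


def detect(events, ad_domain=AD_DOMAIN):
    """Return a list of findings, each naming the rule, the account and the host.

    None of these rules is proof on its own: each flags legitimate AD activity that is
    merely unusual in context, which is why PTH/PTT is hard to detect.
    """
    findings = []
    # Accounts that requested a TGT (4768) anywhere in the analysed window.
    tgt_requested = {e["TargetUserName"].lower() for e in events if e["EventID"] == 4768}

    for e in events:
        if e["EventID"] != 4624:
            continue
        user = e["TargetUserName"].lower()
        is_domain_account = e["TargetDomainName"].upper() == ad_domain

        # Rule 1: NewCredentials logon via seclogo (runas /netonly, or hash-injection
        # tooling that produces the same footprint). Admins do this too: a lead, not a verdict.
        if e["LogonType"] == 9 and e["LogonProcessName"].lower() == "seclogo":
            findings.append({"rule": "pth_newcredentials", "user": user, "host": e["Host"]})

        # Rule 2: NTLM network logon with a domain account where Kerberos is expected.
        # Connecting by IP address instead of hostname also causes this; baseline per host.
        if (e["LogonType"] == 3 and e["AuthenticationPackageName"].upper() == "NTLM"
                and is_domain_account):
            findings.append({"rule": "pth_ntlm_network", "user": user, "host": e["Host"]})

        # Rule 3: Kerberos network logon for an account that never requested a TGT in the
        # window, i.e. the ticket was obtained elsewhere and imported (PTT). TGTs live up
        # to 10 hours by default, so the window must cover at least that long.
        if (e["LogonType"] == 3 and e["AuthenticationPackageName"].upper() == "KERBEROS"
                and is_domain_account and user not in tgt_requested):
            findings.append({"rule": "ptt_no_tgt_request", "user": user, "host": e["Host"]})

    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:<20} {f['user']:<12} on {f['host']}")
```

On the constructed sample, alice produces no findings because her Kerberos logon is backed by a 4768, while svc_backup trips the two PTH rules and bob trips the PTT rule. In a real deployment the 4768 lookup needs the domain controllers' logs, not just the target host's, and rules 1 and 2 should be scoped by a baseline of which accounts and hosts normally behave that way.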