ESET APT Exercise Report Q2 2024–Q3 2024
ESET Analysis, Risk Studies
An outline of the actions of chosen APT teams investigated and analyzed by ESET Analysis in Q2 2024 and Q3 2024
07 Nov 2024
•
,
3 min. learn
ESET APT Exercise Report Q2 2024–Q3 2024 summarizes notable actions of chosen superior persistent menace (APT) teams that have been documented by ESET researchers from April 2024 till the top of September 2024. The highlighted operations are consultant of the broader panorama of threats we investigated throughout this era, illustrating the important thing traits and developments, and comprise solely a fraction of the cybersecurity intelligence knowledge supplied to prospects of ESET’s personal APT experiences.
Throughout the monitored interval, we noticed a notable growth in concentrating on by China-aligned MirrorFace. Sometimes centered on Japanese entities, it prolonged its operations to incorporate a diplomatic group within the European Union (EU) for the primary time whereas persevering with to prioritize its Japanese targets. Moreover, China-aligned APT teams have been relying more and more on the open-source and multiplatform SoftEther VPN to take care of entry to victims’ networks. We detected in depth use of SoftEther VPN by Flax Hurricane, noticed Webworm switching from its full-featured backdoor to utilizing the SoftEther VPN Bridge on machines of governmental organizations within the EU, and observed GALLIUM deploying SoftEther VPN servers at telecommunications operators in Africa.
We additionally noticed indications that Iran-aligned teams is perhaps leveraging their cybercapabilities to assist diplomatic espionage and, probably, kinetic operations. These teams compromised a number of monetary companies companies in Africa – a continent geopolitically essential to Iran; carried out cyberespionage towards Iraq and Azerbaijan, neighboring international locations with which Iran has complicated relationships; and elevated their curiosity within the transportation sector in Israel. Regardless of this seemingly slender geographical concentrating on, Iran-aligned teams maintained a worldwide focus, additionally pursuing diplomatic envoys in France and academic organizations in the US.
North Korea-aligned menace actors continued in advancing the targets of their regime, which has been accused by the United Nations and South Korea of stealing funds – each conventional currencies and cryptocurrencies – to assist its weapons of mass destruction packages. These teams continued their assaults on protection and aerospace firms in Europe and the US, in addition to concentrating on cryptocurrency builders, assume tanks, and NGOs. One such group, Kimsuky, started abusing Microsoft Administration Console information, that are usually utilized by system directors however can execute any Home windows command. Moreover, a number of North Korea-aligned teams steadily misused in style cloud-based companies, together with Google Drive, Microsoft OneDrive, Dropbox, Yandex Disk, pCloud, GitHub, and Bitbucket. For the primary time, we noticed an APT group – particularly ScarCruft – abusing Zoho cloud companies.
We detected Russia-aligned cyberespionage teams steadily concentrating on webmail servers resembling Roundcube and Zimbra, often with spearphishing emails that set off identified XSS vulnerabilities. Moreover Sednit concentrating on governmental, educational, and defense-related entities worldwide, we recognized one other Russia-aligned group, which we named GreenCube, stealing e-mail messages through XSS vulnerabilities in Roundcube. Different Russia-aligned teams continued to deal with Ukraine, with Gamaredon deploying giant spearphishing campaigns whereas remodeling its instruments utilizing and abusing the Telegram and Sign messaging apps. Sandworm utilized its new Home windows backdoor, which we named WrongSens, and its superior Linux malware: LOADGRIP and BIASBOAT. Moreover, we detected Operation Texonto, a disinformation and psychological operation primarily geared toward demoralizing Ukrainians, additionally concentrating on Russian dissidents. We additionally analyzed the general public hack-and-leak of the Polish Anti-Doping Company, which we consider was compromised by an preliminary entry dealer who then shared entry with the Belarus-aligned FrostyNeighbor APT group, the entity behind cyber-enabled disinformation campaigns crucial of the North Atlantic Alliance. Lastly, from analyzing an exploit discovered within the wild, we found a distant code execution vulnerability in WPS Workplace for Home windows. We attribute the assault leveraging the exploit to the South Korea-aligned APT-C-60 group.
Malicious actions described in ESET APT Exercise Report Q2 2024–Q3 2024 are detected by ESET merchandise; shared intelligence is primarily based on proprietary ESET telemetry knowledge and has been verified by ESET researchers.
ESET APT Exercise Studies comprise solely a fraction of the cybersecurity intelligence knowledge supplied in ESET APT Studies PREMIUM. For extra data, go to the ESET Threat Intelligence web site.
Comply with ESET research on Twitter for normal updates on key traits and high threats.