(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 


APT28, the Russian hacking group tied to interference in the 2016 US presidential election, has long been known for its advanced arsenal of tools for compromising Windows, iOS, Android, and Linux devices. Now researchers have uncovered an equally sophisticated malware package the group used to compromise Macs.

Like its counterparts for other platforms, the Mac version of Xagent is a modular backdoor that can be customized to meet the objectives of a given intrusion, researchers from antivirus provider Bitdefender reported in a blog post published Tuesday. Capabilities include logging passwords, snapping pictures of screen displays, and stealing iOS backups stored on the compromised Mac.

The discovery builds on the already considerable number of tools attributed to APT28, which other researchers call Sofacy, Sednit, Fancy Bear, and Pawn Storm. According to researchers at CrowdStrike and other security firms, APT28 has been operating since at least 2007 and is closely tied to the Russian government. An analysis Bitdefender published last year determined APT28 members spoke Russian, worked mostly during Russian business hours, and pursued targets located in Ukraine, Spain, Russia, Romania, the US, and Canada.


 

A phishing e-mail aimed at worker rights activists in Qatar and Nepal, crafted to fool targets into giving up their credentials. (credit: Amnesty International)

Over the course of the last year, a number of human rights organizations, labor unions, and journalists were targeted in a phishing campaign that attempted to steal the targets' Google credentials by luring them into viewing documents online. The campaign, uncovered by Amnesty International, is interesting largely because of the extent to which whoever was behind it used social media to build a complete persona behind the messages: a fictional rights activist named Safeena Malik.

Malik translates from Arabic as "King," so Amnesty International refers to the spear-phishing campaign in a report posted to Medium today as "Operation Kingphish."

The party or parties behind the operation created Facebook, Google, LinkedIn, and Twitter profiles for "Safeena Malik" using a young woman's photos, which were apparently harvested from another social media account. "It appears that the attackers may have impersonated the identity of a real young woman and stolen her pictures to construct the fake profile," wrote Nex, a security researcher working with Amnesty International, "along with a professional biography also stolen from yet another person."


 
[security bulletin] HPSBMU03691 rev.1 - HPE Insight Control, Multiple Remote Vulnerabilities
 

Microsoft delayed the release of all bulletins scheduled for today. This month was supposed to be the first in which Microsoft used its new update process, under which there is no longer a bulletin summary and patches are released as a single monolithic update rather than individually. It is possible that this change in process caused the delay.

At this point, we do not know when Microsoft will release its February patches. The SMB 3 denial-of-service vulnerability remains unpatched; I had hoped it would be addressed in this round.

https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 
[SECURITY] [DSA 3788-1] tomcat8 security update
 
[SECURITY] [DSA 3787-1] tomcat7 security update
 
[SECURITY] [DSA 3786-1] vim security update
 