At a glance.
- The Molerats have some new tools.
- Israel turns to NSO Group's Pegasus to search for hostages taken by Hamas.
- BlackCat uses malicious Google ads.
- Social engineering in Q3 2023.
- Are small businesses in denial about ransomware?
- A look back at Patch Tuesday.
- Cyberespionage campaign attributed to Russia's SVR.
The Molerats have some new tools (but stick to their familiar targets).
Proofpoint researchers yesterday described new activity by TA402, the Palestinian-aligned threat actor better known as the Molerats and also tracked as the Gaza Cybergang, Frankenstein, or WIRTE. Between July and October TA402 used a new downloader, IronWind, to deliver shellcode to victim systems. The group has also shifted away from malicious Dropbox links toward XLL and RAR file attachments, presumably to evade detection. TA402's targeting continues to follow its historical pattern of prospecting Arabic-speaking governmental organizations in the Middle East and North Africa; it has so far shown no shift toward direct support of the war between Hamas and Israel.
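A practical check for the attachment shift described above, as an added example that is not Proofpoint's code or part of the original report: an XLL add-in is a Windows PE DLL, so it starts with the "MZ" header whatever its name, and a RAR archive starts with "Rar!". The hypothetical mail-gateway triage below classifies attachments by their leading bytes rather than their extension, so a renamed PE or archive is caught along with plain .xll and .rar files. The signature table, extension lists and sample attachments are all constructed for the example; the byte strings are synthetic stand-ins, not real TA402 artifacts.

```python
import hashlib
import os

# Content signatures (magic bytes). An XLL add-in is a Windows PE DLL, so it
# starts with "MZ" regardless of its extension; RAR archives start with "Rar!".
MAGIC_SIGNATURES = {
    b"Rar!\x1a\x07": "rar",   # RAR 4.x and 5.x share this prefix
    b"MZ": "pe",              # .exe / .dll / .xll
    b"PK\x03\x04": "zip",     # also OOXML containers: .xlsx, .docx
    b"%PDF": "pdf",
}

# Extensions this (hypothetical) gateway policy treats as high risk outright.
HIGH_RISK_EXTENSIONS = {".xll", ".rar"}
# Extensions for which PE content is expected; PE bytes behind any other
# extension are treated as a disguised executable.
PE_EXTENSIONS = {".exe", ".dll", ".xll", ".scr"}


def detect_type(data: bytes) -> str:
    """Classify an attachment by its leading bytes, not by its name."""
    for signature, kind in MAGIC_SIGNATURES.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return a triage record with a verdict and the reasons behind it."""
    ext = os.path.splitext(filename.lower())[1]
    kind = detect_type(data)
    reasons = []
    if ext in HIGH_RISK_EXTENSIONS:
        reasons.append(f"high-risk extension {ext}")
    if kind == "pe" and ext not in PE_EXTENSIONS:
        reasons.append(f"PE executable content behind {ext or 'no'} extension")
    if kind == "rar" and ext != ".rar":
        reasons.append("RAR content behind non-RAR extension")
    return {
        "name": filename,
        "ext": ext,
        "kind": kind,
        "sha256": hashlib.sha256(data).hexdigest(),  # for later IOC matching
        "verdict": "quarantine" if reasons else "allow",
        "reasons": reasons,
    }


def triage_message(attachments) -> list:
    """Return the quarantined records for a list of (filename, bytes) pairs."""
    results = (triage_attachment(name, data) for name, data in attachments)
    return [r for r in results if r["verdict"] == "quarantine"]


# Constructed sample attachments; synthetic headers only, not real TA402 files.
SAMPLE_ATTACHMENTS = [
    ("Memo.pdf", b"%PDF-1.7\n%..."),
    ("Quarterly.xlsx", b"PK\x03\x04\x14\x00..."),
    ("Analysis.xll", b"MZ\x90\x00\x03\x00..."),
    ("Brief.rar", b"Rar!\x1a\x07\x01\x00..."),
    ("Photo.jpg", b"MZ\x90\x00..."),  # renamed DLL: the content says PE
]

if __name__ == "__main__":
    for record in triage_message(SAMPLE_ATTACHMENTS):
        print(record["name"], record["kind"], record["reasons"])
```

Excel loads an XLL as native code when the add-in is opened, so a content-based block at the gateway is worth more than an extension filter alone; the same magic-byte approach extends to other archive formats if a group rotates away from RAR.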
Israel turns to NSO Group's Pegasus to search for hostages taken by Hamas.
Israeli authorities are said, Axios reports, to be using NSO Group's Pegasus zero-click intercept tool to track cellphones belonging to hostages, murdered civilians, and Hamas terrorists in an effort to locate surviving hostages. NSO Group is said to be approaching US officials to ask for relaxation of the strictures on its tools, which it argues have become vital to collection against terrorist organizations. Those restrictions were imposed after many reports that Pegasus had been widely abused by repressive governments, and there are so far few signs that the US is moving to relax them, but some European governments do appear to have approached Washington to advocate restoring NSO Group to American good graces.
BlackCat uses malicious Google ads.
Researchers at eSentire warn that an ALPHV/BlackCat ransomware affiliate is using malware-laden Google ads to target entities in the Americas and Europe: “This affiliate is taking out Google ads promoting popular software, such as Advanced IP Scanner, Slack, WinSCP, and Cisco AnyConnect, to lure business professionals to attacker-controlled websites. Thinking they are downloading legitimate software, the business professionals are actually downloading the Nitrogen malware. Nitrogen is initial-access malware that leverages Python libraries for stealth. This foothold provides intruders with an initial entry into the target organization’s IT environment.”