At a glance.
- Iranian threat actors target the IT supply chain.
- North Korean cyberespionage.
- RedCurl continues conducting corporate cyberespionage.
- More information on Emotet's return.
Iranian threat actors target the IT supply chain.
Microsoft's Threat Intelligence Center (MSTIC) warns of an increase in Iranian actors targeting companies in the IT supply chain, particularly in India:
"In July 2021, a group that MSTIC tracks as DEV-0228 and assesses as based in Iran compromised a single Israel-based IT company that provides business management software. Based on MSTIC’s assessment, DEV-0228 used access to that IT company to extend their attacks and compromise downstream customers in the defense, energy, and legal sectors in Israel. In September, we detected a separate Iranian group, DEV-0056, compromising email accounts at a Bahrain-based IT integration company that works on IT integration with Bahrain Government clients, who were likely DEV-0056’s ultimate target. DEV-0056 also compromised various accounts at a partially government-owned organization in the Middle East that provides information and communications technology to the defense and transportation sectors, which are targets of interest to the Iranian regime. DEV-0056 maintained persistence at the IT integration organization through at least October."
Microsoft adds, "MSTIC detected a significant increase in these and other Iranian groups targeting IT companies based in India beginning in mid-August. From mid-August to late September, we issued 1,788 nation state notifications (NSNs) across Iranian actors to enterprise customers in India, roughly 80% of which were to IT companies, an exponential rise from the 10 notifications we issued the previous three years in response to previous Iranian targeting. Iranian cyber actors have rarely targeted India, and the lack of pressing geopolitical issues that would have prompted such a shift suggests that this targeting is for indirect access to subsidiaries and clients outside India."
North Korean cyberespionage.
Proofpoint has published a report on TA406, one of three threat actors that Proofpoint tracks under the umbrella of the North Korean threat group Kimsuky (also known as Thallium or Konni Group). The researchers say the group conducts both cyberespionage and financially motivated attacks, including cryptocurrency theft and sextortion. Proofpoint stated, "In early 2021, TA406 began almost weekly campaigns featuring themes that included nuclear weapon safety, U.S. President Joe Biden, Korean foreign policy and other political themes. The group attempted to collect credentials, such as Microsoft logins or other corporate credentials, from the targeted individuals. In some cases, the emails were benign in nature; these messages may have been attempts by the attackers to engage with victims before sending them a malicious link or attachment."
RedCurl continues conducting corporate cyberespionage.
Group-IB is tracking a threat actor dubbed "RedCurl" that's conducting corporate cyberespionage. The threat actor has attacked a Russian wholesale company and two other unknown companies since the beginning of 2021. The researchers note that the group is stealthy and focuses solely on data theft rather than ransomware or extortion:
"Group-IB has noted that despite a high level of control over the victim’s network, RedCurl does not encrypt infrastructure, withdraw money from accounts, or demand ransoms for stolen data. This most likely indicates that the group monetizes on its attacks in a different way. The group strives to obtain valuable information as covertly as possible. RedCurl is mainly interested in the following types of files: business emails, staff records, documents relating to various legal entities, court records, and other internal information. Even after the attack has ended, victims could remain unaware that confidential information has been exfiltrated to RedCurl's servers."
More information on Emotet's return.
Researchers at AdvIntel offer details on the reappearance of the Emotet Trojan and botnet, noting that former members of the Ryuk ransomware gang (many of whom are now believed to operate the Conti ransomware) pushed Emotet's operators to rebuild their infrastructure:
"AdvIntel's visibility into the adversary space enables us to confirm that it was the former Ryuk members who were able to convince former Emotet operators to set up a backend and a malware builder from the existing repository project to return to business in order to restore the TrickBot-Emotet-Ryuk triad. This partnership enables the Conti syndicate to answer the unfulfilled demand for initial accesses on an industrial scale, while competitor groups such as LockBit or HIVE will need to rely on individual low-quality access brokers. As a result, Conti can further advance their goal of becoming a ransomware monopolist."