At a glance.
- Turla piggybacks on abandoned malware infrastructure.
- Bluebottle targets African countries.
- Blind Eagle goes after Ecuador.
- Automotive vulnerabilities.
Turla piggybacks on abandoned malware infrastructure.
Mandiant reports that the Russian threat actor Turla re-registered expired command-and-control domains of the commodity malware ANDROMEDA, so that systems still infected with the old ANDROMEDA samples beacon to infrastructure Turla now controls. Turla used those beacons to profile victims and then selectively delivered its own backdoors KOPILUWAK and QUIETCANARY to organizations in Ukraine:
"This is Mandiant’s first observation of suspected Turla targeting Ukrainian entities since the onset of the invasion. The campaign’s operational tactics appear consistent with Turla’s considerations for planning and advantageous positioning to achieve initial access into victim systems, as the group has leveraged USBs and conducted extensive victim profiling in the past. In this case, the extensive profiling achieved since January possibly allowed the group to select specific victim systems and tailor their follow-on exploitation efforts to gather and exfiltrate information of strategic importance to inform Russian priorities."
Bluebottle targets African countries.
Symantec reports that the financially motivated threat actor Bluebottle is targeting banks in Francophone African countries. The threat actor is using job-themed executables, likely delivered via spearphishing emails. The researchers state, "In many cases, the job-themed malware delivered to victims was the commodity loader called GuLoader. GuLoader is a shellcode-based downloader with anti-analysis features. In addition to malicious files, the loader deploys some legitimate binaries as a decoy for its malicious activity. GuLoader was distributed to victims in a self-extracting NSIS executable."
Blind Eagle goes after Ecuador.
Check Point is tracking a financially motivated threat actor dubbed "Blind Eagle" that's targeting entities based in Ecuador with phishing emails that purport to come from an Ecuadorian government institution. Blind Eagle's previous campaigns were confined to targeting entities in Colombia. The researchers explain that the threat actor uses a combination of remote access Trojans and living-off-the-land tactics:
"Blind Eagle is a strange bird among APT groups. Judging by its toolset and usual operations, it is clearly more interested in cybercrime and monetary gain than in espionage; however, unlike most such groups that just attack the entire world indiscriminately, Blind Eagle has a very narrow geographical focus, most of the time limited to a single country. This latest campaign targeting Ecuador highlights how, over the last few years, Blind Eagle has matured as a threat — refining their tools, adding features to leaked code bases, and experimenting with elaborate infection chains and 'Living off the Land.'"
Automotive vulnerabilities.
Over the course of 2022, a security research team led by Sam Curry found vulnerabilities affecting vehicles from sixteen leading car manufacturers. The car manufacturers have since released patches for the flaws, and Curry’s team last week published an extensive writeup on the vulnerabilities.
The type and severity of the vulnerabilities varied by model. In some cases, an attacker could unlock the car, start the engine, report the vehicle as stolen, or track the car’s location. The affected vehicles included models manufactured by Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls-Royce, and Toyota.
In addition to vulnerabilities affecting individual cars, the researchers discovered API vulnerabilities that could grant an attacker access to sensitive company accounts. BleepingComputer notes that BMW and Mercedes-Benz could have been "affected by company-wide SSO (single-sign-on) vulnerabilities that [might have] enabled attackers to access internal systems.”