By the CyberWire staff
At a glance.
- US government investigates Chinese hacking of US telecom infrastructure.
- US agencies debunk election disinformation attributed to Russia.
- Iranian threat actor targeted the 2024 Olympics.
- North Korean threat actor collaborates with the Play ransomware gang.
- Chinese threat actors target Canadian government networks.
- Law enforcement disrupts Redline and Meta malware operations.
- Midnight Blizzard launches widespread spearphishing campaign using RDP files.
- Evasive Panda targets cloud services with CloudScout toolkit.
- FakeCall Android malware intercepts phone calls.
- Chinese threat actor uses credentials stolen by the Quad7 botnet.
- Scammers compromise over a thousand online stores.
- TeamTNT exploits exposed Docker daemons to deploy malware.
US government investigates Chinese hacking of US telecom infrastructure.
The US Department of Homeland Security's Cyber Safety Review Board (CSRB) will investigate alleged Chinese hacking into US telecom networks, which may have targeted presidential campaign communications, BankInfoSecurity reports. The New York Times reported on Friday that Chinese hackers targeted phones belonging to former president Trump and his running mate Senator JD Vance as part of "a wide-ranging intelligence-collection effort." The operation also targeted staffers of Vice President Kamala Harris and prominent politicians on Capitol Hill.
The FBI and CISA issued a joint statement saying that the US government "is investigating the unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People’s Republic of China."
US agencies debunk election disinformation attributed to Russia.
The Bucks County Board of Elections in Pennsylvania has issued an announcement debunking a video that purported to show individuals opening and destroying Bucks County mail-in votes for Trump, CyberScoop reports. The Board stated, "The envelope and materials depicted in this video are clearly not authentic materials belonging to or distributed by the Bucks County Board of Elections."
The US Office of the Director of National Intelligence (ODNI), the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement assessing that "Russian actors manufactured and amplified" the video. The agencies added, "This Russian activity is part of Moscow’s broader effort to raise unfounded questions about the integrity of the US election and stoke divisions among Americans, as detailed in prior ODNI election updates. In the lead up to election day and in the weeks and months after, the IC expects Russia to create and release additional media content that seeks to undermine trust in the integrity of the election and divide Americans."
Iranian threat actor targeted the 2024 Olympics.
The US FBI and Israel's National Cyber Directorate have issued a joint advisory on activity by the Iranian threat actor "Emennet Pasargad" (also tracked as "Cotton Sandstorm," "Marnanbridge," and "Haywire Kitten"). The FBI states, "The group exhibited new tradecraft in its efforts to conduct cyber-enabled information operations into mid-2024 using a myriad of cover personas, including multiple cyber operations that occurred during and targeting the 2024 Summer Olympics – including the compromise of a French commercial dynamic display provider. ASA has also undertaken a project to harvest content from IP cameras and used online resources related to Artificial Intelligence."
The threat actor has also "exhibited new tradecraft including the use of fictitious hosting resellers to provision operational server infrastructure to its own actors as well as to an actor in Lebanon involved in website hosting."
North Korean threat actor collaborates with the Play ransomware gang.
Palo Alto Networks' Unit 42 assesses that Jumpy Pisces, a threat actor associated with North Korea's Reconnaissance General Bureau, is collaborating with the Play ransomware gang. Jumpy Pisces conducts both cyberespionage and financial crime on behalf of the North Korean government, and Unit 42 says network defenders should now be aware that Jumpy Pisces activity may also be a precursor to ransomware attacks.
While investigating a Play ransomware attack in September 2024, Unit 42 "discovered with high confidence that the North Korean state-sponsored threat group Jumpy Pisces gained initial access via a compromised user account in May 2024." The researchers add, "Jumpy Pisces carried out lateral movement and maintained persistence by spreading the open-source tool Sliver and their unique custom malware, DTrack, to other hosts via Server Message Block (SMB) protocol. These remote tools continued to communicate with their command-and-control (C2) server until early September. This ultimately led to the deployment of Play ransomware."
It's not clear if Jumpy Pisces was involved in the deployment of the ransomware or if it simply acted as an initial access broker for the Play gang. Either way, the researchers note that "[t]his development could indicate a future trend where North Korean threat groups will increasingly participate in broader ransomware campaigns."
Chinese threat actors target Canadian government networks.
The Canadian Centre for Cyber Security (CCCS) yesterday released its National Cyber Threat Assessment for 2025-2026, disclosing that networks belonging to at least 20 Canadian government agencies have been compromised by Chinese state-sponsored actors over the past four years. The report states, "The People’s Republic of China’s (PRC) expansive and aggressive cyber program presents the most sophisticated and active state cyber threat to Canada today. The PRC conducts cyber operations against Canadian interests to serve high-level political and commercial objectives, including espionage, intellectual property (IP) theft, malign influence, and transnational repression. Among our adversaries, the PRC cyber program’s scale, tradecraft, and ambitions in cyberspace are second to none."
The CCCS also outlines strategic threats from Russia and Iran, but notes that "[t]he PRC’s cyber program surpasses other hostile states in both the scope and resources dedicated to cyber threat activity against Canada."
Law enforcement disrupts Redline and Meta malware operations.
The Dutch National Police, working with the US FBI and other international law enforcement partners, have seized servers used by the Redline and Meta infostealers, BleepingComputer reports. The operation, called "Operation Magnus," also resulted in the seizure of data tied to the operators and developers of the malware, making future prosecutions likely. The authorities claim to have gained access to the malware operations' source code, including "license servers, REST-API services, panels, stealer binaries, and Telegram bots."
The US Justice Department has unsealed charges against Maxim Rudometov, one of the alleged developers and administrators of the Redline infostealer. Rudometov, who is believed to be living in Russia, has been charged with access device fraud, conspiracy to commit computer intrusion, and money laundering.
Midnight Blizzard launches widespread spearphishing campaign using RDP files.
Microsoft has published a report on a major spearphishing campaign launched by Midnight Blizzard (also known as "Cozy Bear" or "APT29"), a threat actor attributed to Russia's Foreign Intelligence Service (SVR). The threat actor sent spearphishing emails to thousands of individuals at over a hundred organizations in the government, academia, defense, NGOs, and other sectors. The emails impersonated Microsoft employees to deliver a signed Remote Desktop Protocol (RDP) configuration file, which is a new access vector for the threat actor.
Microsoft explains, "In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server. Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards. This access could enable the threat actor to install malware on the target’s local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed."
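An .rdp file is a plain-text list of "name:type:value" settings, so the resource redirection Microsoft describes can be triaged before a user ever opens the attachment. The checker below is an added example, not Microsoft's tooling or anything from the report; the setting names are standard RDP file settings, but the choice of which ones to flag and the sample files are this example's own assumptions.

```python
"""Static triage of an .rdp attachment for settings that hand local resources
(drives, clipboard, printers, microphone, smart cards) to the remote host.
The flagged list and the sample files below are this example's assumptions."""

# An .rdp file is line-oriented: "name:type:value", type s (string) or i (integer).
def parse_rdp(text):
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) == 3 and parts[1].strip().lower() in ("s", "i"):
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings

# Setting -> (predicate that marks the value as risky, what it exposes).
RISKY = {
    "drivestoredirect":   (lambda v: v not in ("", "0"), 'local drives ("*" = all)'),
    "devicestoredirect":  (lambda v: v not in ("", "0"), "plug-and-play devices"),
    "redirectclipboard":  (lambda v: v == "1", "clipboard contents"),
    "redirectsmartcards": (lambda v: v == "1", "smart cards used for authentication"),
    "redirectprinters":   (lambda v: v == "1", "printers"),
    "redirectcomports":   (lambda v: v == "1", "serial ports"),
    "audiocapturemode":   (lambda v: v == "1", "microphone audio"),
    "authentication level": (lambda v: v == "0", "no warning on unverified server"),
}

def assess(text):
    """Return the connection target, each risky setting found, and a verdict."""
    s = parse_rdp(text)
    findings = [(name, s[name], why) for name, (bad, why) in RISKY.items()
                if name in s and bad(s[name])]
    return {"target": s.get("full address", ""), "findings": findings,
            "verdict": "block" if findings else "pass"}

# Constructed samples: one that mirrors the described exposure, one benign jump-host file.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:rdp.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:1
audiocapturemode:i:1
authentication level:i:0
"""
BENIGN_RDP = "full address:s:jumphost.corp.example\ndrivestoredirect:s:\nredirectclipboard:i:0\n"

if __name__ == "__main__":
    for label, f in (("sample", SAMPLE_RDP), ("benign", BENIGN_RDP)):
        r = assess(f)
        print(label, r["verdict"], r["target"], *(n for n, _, _ in r["findings"]))
```

A "pass" only means none of the listed redirections are enabled; the file's signature and the target host still need their own checks.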
Evasive Panda targets cloud services with CloudScout toolkit.
ESET has published a report on "CloudScout," a post-compromise toolkit used by the China-aligned threat actor Evasive Panda. The toolset uses stolen cookies to hijack authenticated web sessions and steal data from various cloud services, including Google Drive, Gmail, and Outlook. The researchers note, "Through a plugin, CloudScout works seamlessly with MgBot, Evasive Panda’s signature malware framework."
The threat actor used CloudScout to target a government entity and a religious organization in Taiwan between 2022 and 2023. ESET adds, "Evasive Panda’s objective is cyberespionage against countries and organizations opposing China’s interests through independence movements such as those in the Tibetan diaspora, religious and academic institutions in Taiwan and in Hong Kong, and supporters of democracy in China."
FakeCall Android malware intercepts phone calls.
Researchers at Zimperium are tracking new variants of the FakeCall Android malware. The malware is delivered via social engineering attacks, and is designed to hijack phone calls to the victim's bank. Zimperium explains, "When the compromised individual attempts to contact their financial institution, the malware redirects the call to a fraudulent number controlled by the attacker. The malicious app will deceive the user, displaying a convincing fake UI that appears to be the legitimate Android’s call interface showing the real bank’s phone number. The victim will be unaware of the manipulation, as the malware’s fake UI will mimic the actual banking experience, allowing the attacker to extract sensitive information or gain unauthorized access to the victim’s financial accounts."
Chinese threat actor uses credentials stolen by the Quad7 botnet.
Microsoft warns that the Chinese threat actor tracked as "Storm-0940" is using stolen credentials obtained by the Quad7 botnet (tracked by Microsoft as "CovertNetwork-1658") to gain initial access to networks. The botnet is made up of compromised small office and home office (SOHO) routers, most of which were manufactured by TP-Link. Microsoft notes, "Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time. This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions."
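Password spraying of the kind Microsoft describes is a few attempts per account against many accounts, and when a SOHO-router botnet supplies the source addresses, per-IP thresholds barely trigger. The detector below is an added example (not Microsoft's detection logic) run over a constructed sign-in log; the log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not from the Microsoft report). Fields: ISO time,
# result, source IP, account. It mixes a single-source spray, a single-account
# brute force (not a spray), one ordinary user typo, and a low-and-slow spray
# spread across ten source addresses with one attempt each.
SAMPLE_LOG = (
    [f"2024-10-30T08:{i:02d}:00Z FAIL src=203.0.113.7 user=user{i}" for i in range(12)]
    + [f"2024-10-30T08:30:{i:02d}Z FAIL src=198.51.100.9 user=bob" for i in range(6)]
    + ["2024-10-30T08:40:00Z OK src=192.0.2.4 user=carol",
       "2024-10-30T08:41:00Z FAIL src=192.0.2.4 user=carol"]
    + [f"2024-10-30T10:{i:02d}:00Z FAIL src=203.0.113.{100 + i} user=staff{i}" for i in range(10)]
)
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) src=(\S+) user=(\S+)$")

def parse(lines):
    """Return failed sign-ins as (timestamp, source, account), oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == "FAIL":
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(3), m.group(4)))
    return sorted(events)

def detect_spray(events, per_source=True, window=timedelta(hours=1),
                 min_users=8, max_per_user=2):
    """Flag a group whose failures hit >= min_users distinct accounts, each at most
    max_per_user times, inside a sliding window. per_source=True keys on the IP;
    per_source=False pools every source, which is the view that catches a botnet
    spreading one or two attempts per address across many residential IPs."""
    groups = defaultdict(list)
    for ts, src, user in events:
        groups[src if per_source else "ANY"].append((ts, user))
    hits = {}
    for key, items in groups.items():
        for i, (start, _) in enumerate(items):
            per_user = defaultdict(int)
            for ts, user in items[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[key] = len(per_user)   # distinct accounts sprayed in that window
                break
    return hits

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("per-source sprays:", detect_spray(ev))
    print("pooled sprays:", detect_spray(ev, per_source=False))
```

The pooled view needs min_users tuned to the tenant's normal rate of one-off failures, or it will fire on ordinary Monday-morning typos.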
TeamTNT exploits exposed Docker daemons to deploy malware.
Aqua has published a report on a hacking campaign by the TeamTNT threat actor. The researchers state, "In this campaign, TeamTNT is leveraging native capabilities in cloud environments by appending compromised Docker instances to a Docker Swarm and utilizing Docker Hub to store and distribute their malware. They are also renting the victims’ computational power to third parties, effectively earning money indirectly from cryptomining without the hassle of managing it themselves. In addition, they have adopted new hacking tools by replacing their traditional Tsunami backdoor with the stealthier Sliver malware."
The group is using a tool called the "Docker Gatling Gun" to scan millions of IP addresses for exposed Docker ports.
Scammers compromise over a thousand online stores.
HUMAN’s Satori threat research team has published a report on a major fraud operation that compromised over a thousand legitimate shopping sites to post fake product listings. When a user clicked on one of these products, they were sent to a separate phishing site controlled by the threat actor.
The researchers explain, "The threat actors, whose internal tools used Simplified Chinese, drove traffic to these fake web shops by infecting legitimate websites with a malicious payload. This payload creates fake product listings and adds metadata that puts these fake listings near the top of search engine rankings for the items, making them an appealing offer for an unsuspecting consumer. When a consumer clicks on the item link, they’re redirected to another website, this one controlled by the threat actor. On this website, one of four targeted third-party payment processors collects credit card info and confirms a 'purchase,' but the product never arrives."