The report analyzes the activities of APT groups from April to September 2023. Highlighting the campaigns of pro-Chinese groups in the EU and the evolution of the Russian-Ukrainian cyber-war. Exploited WinRAR vulnerabilities in Microsoft Exchange and IIS servers. New groups close to China discovered
ESET, a global European leader in the cybersecurity market, has published the latest report on the activities of the APT (Advanced Persistent Threat) groups analyzed by researchers between April and September of this year. In particular, ESET Research has observed several APT groups exploiting known vulnerabilities to exfiltrate data from government agencies or related organizations. The report analyzes the persistent campaigns of China-aligned groups in the European Union and the evolution of Russia's cyber-war in Ukraine which is moving from sabotage towards espionage.
The pro-Russian Sednit and Sandworm, the North Korea-aligned Konni, and the geographically unattributable Winter Vivern and SturgeonPhisher took the opportunity to exploit vulnerabilities in WinRAR (Sednit, SturgeonPhisher, and Konni), Roundcube (Sednit and Winter Vivern), Zimbra (Winter Vivern), and Outlook for Windows (Sednit) to target various government organizations, not only in Ukraine but also in Europe and Asia central. As for China-affiliated threat actors, GALLIUM has likely exploited vulnerabilities in Microsoft Exchange or IIS servers, extending its target from telecom operators to government organizations around the world. MirrorFace likely took advantage of flaws in the online storage service Proself, and TA410 is alleged to have exploited vulnerabilities in the Adobe ColdFusion application server.
Iran- and Middle East-aligned groups continued to operate at full speed, focusing primarily on espionage and theft of data from organizations in Israel. Notably, Iran-affiliated MuddyWater also targeted an unknown target in Saudi Arabia, deploying a payload that raises the possibility that the attacker serves as a development team for a more advanced group.
The main target of the Russian-aligned groups remained Ukraine, where ESET detected new versions of the familiar wipers RoarBat and NikoWiper and a new wiper that was named SharpNikoWiper, all distributed by Sandworm. Interestingly, while other groups – such as Gamaredon, GREF and SturgeonPhisher – target Telegram users to try to exfiltrate information, or at least some Telegram-related metadata, Sandworm actively uses this service in order to publicize its cybersabotage operations. However, the most active group in Ukraine continued to be Gamaredon, which significantly improved its data collection capabilities, reworking existing tools and implementing new ones.
I gruppi allineati alla Corea del Nord hanno continuato a concentrarsi sul Giappone, sulla Corea del Sud e sulle organizzazioni presenti nel Paese, utilizzando e-mail di spear phishing accuratamente realizzate. Lo schema Lazarus più attivo osservato è rappresentato dall’Operazione DreamJob, che ha attirato gli obiettivi con false offerte di lavoro per posizioni remunerative. Questo gruppo ha dimostrato di essere in grado di creare malware per tutte le principali piattaforme desktop.
Infine, i ricercatori di ESET hanno scoperto le attività di tre gruppi precedentemente non identificati allineati alla Cina: DigitalRecyclers, che ha ripetutamente compromesso un’organizzazione governativa nell’UE; TheWizards, che ha condotto attacchi adversary-in-the-middle e PerplexedGoblin, che ha preso di mira un’altra organizzazione governativa nell’UE.
Gli ESET APT Activity Report contengono solo una parte dei dati di intelligence sulla cybersecurity forniti ai clienti. ESET realizza report tecnici approfonditi e aggiornamenti frequenti sulle attività di gruppi APT specifici sotto forma di ESET APT Reports PREMIUM per aiutare le organizzazioni incaricate di proteggere i cittadini, le infrastrutture critiche nazionali e le risorse di alto valore dai cyberattacchi criminali e diretti dagli Stati nazionali. Le informazioni dettagliate sulle attività descritte in questo documento sono state quindi fornite in precedenza esclusivamente ai clienti Premium di ESET. Ulteriori informazioni sugli ESET APT Reports PREMIUM, che forniscono informazioni di alta qualità sulle minacce alla sicurezza informatica, strategiche e tattiche, sono disponibili alla pagina ESET Threat Intelligence.
