Pegasus spyware observed in Thailand. New North Korean ransomware group. Cozy Bear uses online storage services.

At a glance.

  • Pegasus spyware observed in Thailand.
  • New North Korean ransomware group.
  • Cozy Bear uses online storage services.
  • A new technique against air-gapped systems.

Pegasus spyware observed in Thailand.

Researchers from the Citizen Lab at the University of Toronto have observed the Pegasus spyware being used in “an extensive espionage campaign targeting Thai pro-democracy protesters and activists calling for reforms to the monarchy”. The spyware targeted at least thirty people between October 2020 and November 2021 and coincided with pro-democracy protests in Thailand. Citizen Lab does not definitively attribute the campaign to the Thai government, but they believe it is unlikely that any other nation-state would be interested in these targets:

“Waging such a large hacking campaign against high-profile individuals in another country is risky and at risk of discovery, especially given the well-known past cases where Pegasus infections have been discovered and publicly disclosed.

“Furthermore, the victimology, and in some cases the timing of infections, reflects information that would be readily available to Thai authorities, such as non-public relations and financial activity, but much more difficult to obtain for other governments.”

New North Korean ransomware group.

Microsoft warns that a North Korean threat actor calling itself “H0lyGh0st” is targeting small and medium-sized businesses in multiple countries with ransomware. Victims include “manufacturing organizations, banks, schools, and event and meeting planning companies.” Microsoft tracks the threat actor as DEV-0530 and notes that it is unclear whether Pyongyang is behind the operation or whether North Korean government employees are acting independently for their own financial gain:

“The first possibility is that the North Korean government is sponsoring this activity. The North Korean economy has weakened since 2016 due to sanctions, natural disasters, drought and the North Korean government’s COVID-19 lockdown from the outside world since early 2020. To compensate for the losses associated with these economic setbacks, the North Korean government could have sponsored cyber actors stealing from banks and cryptocurrency wallets for more than five years. If the North Korean government orders these ransomware attacks, the attacks would be yet another tactic that the government has allowed to compensate for financial losses.

“However, state-sponsored activities against cryptocurrency organizations have generally targeted a much broader set of victims than observed in the DEV-0530 victimology. The other possibility is that the North Korean government does not allow or support these ransomware attacks. Individuals with ties to PLUTONIUM infrastructure and tools could be moonlighting for personal gain. This moonlighting theory could explain the often random selection of victims targeted by DEV-0530.”

Cozy Bear uses online storage services.

Palo Alto Networks’ Unit 42 researchers note that Cloaked Ursa (also known as APT29 or Cozy Bear, a threat actor associated with the Russian SVR) uses online storage services, including Google Drive and Dropbox, to host its malware:

“Since early May, Cloaked Ursa has continued to evolve their abilities to deliver malware using popular cloud storage services. Their two most recent campaigns demonstrate their sophistication and ability to obfuscate the deployment of their malware through the use of DropBox and Google Drive services. This is a new tactic for this actor and one that is proving difficult to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers around the world.”

A new technique against air-gapped systems.

Ben-Gurion University security researcher Mordechai Guri has published a paper on a new technique for exfiltrating data from air-gapped (isolated) systems using Serial ATA (SATA) cables. Guri explains that SATA “is a widely used bus interface in modern computers and connects the host bus to mass storage devices such as hard drives, optical drives, and solid-state drives.” An attacker would still need to infect a system within four feet of the air-gapped machine to steal data from it, but Guri notes that “the SATA interface is highly available to attackers in many computers, devices, and network environments.”
