
News brief: China-linked APTs and Russian access broker
Check out the latest security news from the Informa TechTarget team.
This news brief roundup highlights the latest developments of China-linked advanced persistent threat groups as well as the activities of a Russian cybercrime entity.
Weaver Ant: A China-nexus APT exposed
Researchers uncovered a yearslong web shell attack orchestrated by a China-nexus APT group dubbed Weaver Ant. Security service provider Sygnia released insights into the group's tactics, techniques and procedures (TTPs) after detecting it in the middle of a cyberattack against a telecom in Asia.
The report indicated that Weaver Ant has demonstrated a high degree of persistence and adaptability, adjusting its TTPs to evade detection. Sygnia researchers provided recommendations for hunting and defending against Weaver Ant and similar multilayered attacks, including enabling the relevant logging and monitoring (in particular on web servers, where the group's web shells lived), enforcing strong access controls, and deploying threat detection and response tooling.
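Because the Weaver Ant intrusion ran on web shells for years, the hunt a defender most wants is one over web server access logs. The script below is an added example, not code from Sygnia's report or from the brief: it parses Apache/nginx combined-format lines (the format is an assumption; IIS W3C logs would need a different regex) and flags server-side script paths that are only ever hit with POST, from very few client IPs, and never with a referer. That pattern is the classic signature of an operator talking directly to an uploaded shell rather than of a user browsing the application. The log lines are constructed for the example.

```python
"""Hunt for web-shell-style activity in web server access logs.

Added example, not Sygnia's tooling. Heuristic: a server-side script
(.aspx/.php/.jsp ...) that is only ever POSTed to, never fetched with GET,
from a handful of client IPs and always without a referer, is far more
likely to be an uploaded web shell than a normal application endpoint.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" format (assumed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".php", ".jsp", ".jspx")

# Constructed sample: normal portal traffic plus one suspicious script
# under /images/ that only ever receives POSTs from a single external IP.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /login.aspx HTTP/1.1" 200 5123 "https://portal.example/" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2025:10:01:09 +0000] "POST /login.aspx HTTP/1.1" 302 0 "https://portal.example/login.aspx" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2025:10:02:11 +0000] "GET /login.aspx HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2025:10:02:30 +0000] "GET /images/logo.png HTTP/1.1" 200 8813 "https://portal.example/" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:03:14:01 +0000] "POST /images/help.aspx HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:03:14:40 +0000] "POST /images/help.aspx HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:03:15:12 +0000] "POST /images/help.aspx HTTP/1.1" 200 96 "-" "python-requests/2.31"
this line is not in combined log format and is skipped
"""


def parse(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_webshell_candidates(lines, max_ips=2, min_posts=2):
    """Return [(path, sorted client IPs, POST count)] for suspicious scripts.

    A path is reported when it is a server-side script, was POSTed to at
    least min_posts times, never received a GET, was never reached with a
    referer header, and was touched by at most max_ips distinct clients.
    """
    stats = defaultdict(lambda: {"methods": set(), "ips": set(),
                                 "posts": 0, "with_referer": 0})
    for line in lines:
        rec = parse(line)
        if rec is None or not rec["path"].lower().endswith(SCRIPT_EXT):
            continue
        s = stats[rec["path"]]
        s["methods"].add(rec["method"])
        s["ips"].add(rec["ip"])
        if rec["method"] == "POST":
            s["posts"] += 1
        if rec["referer"] not in ("", "-"):
            s["with_referer"] += 1

    hits = []
    for path, s in stats.items():
        if (s["posts"] >= min_posts and "GET" not in s["methods"]
                and s["with_referer"] == 0 and len(s["ips"]) <= max_ips):
            hits.append((path, sorted(s["ips"]), s["posts"]))
    return sorted(hits)


if __name__ == "__main__":
    for path, ips, posts in find_webshell_candidates(SAMPLE_LOG.splitlines()):
        print(f"candidate web shell: {path}  posts={posts}  clients={','.join(ips)}")
```

Run it against a real log by replacing `SAMPLE_LOG.splitlines()` with a file iterator. The thresholds are deliberately loose so that a long-dwelling shell with sporadic use still surfaces; tighten `max_ips` or add a check that the script lives outside the application's normal code directories once you know the deployment.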
iSoon: Unveiling a Chinese espionage hacker group
Researchers uncovered a widespread espionage campaign dubbed FishMedley, carried out on behalf of the Chinese government by a threat group known as FishMonger. FishMonger, also known as Aquatic Panda, was working for the Chinese APT contractor iSoon. That hacker-for-hire operation, which posed as a cybersecurity training company, was exposed last year as a contractor for the Chinese government.
ESET researchers have now released details of the FishMedley campaign, which targeted government and nongovernment organizations in Taiwan, Hungary, Turkey, Thailand, the U.S., France and other countries. While not known for its sophisticated TTPs, FishMonger was noted by researchers for its efficiency in achieving its mission of stealing confidential data.
Russian access broker: A cybercrime conduit
Researchers revealed details about an initial access broker (IAB) known as Raspberry Robin that, according to the report, is facilitating attacks on behalf of the highest levels of the Russian government.
Analysts from Silent Push, a cyberintelligence company, explained how the IAB evolved from its 2019 beginnings, when it spread through infected USB drives, to its current tradecraft: staging on compromised network-attached storage boxes, routers and IoT devices, combined with sophisticated malware obfuscation. Raspberry Robin has also expanded its targeting from manufacturing and technology organizations to government agencies in Latin America, Australia and Europe, as well as victims across oil and gas, transportation, retail and education.