APT41 in the limelight

Tracked as Barium, Wicked Panda, Winnti, and Wicked Spider, the cyber-espionage group is said to have hacked over 100 organizations worldwide.

APT41’s activity spans more than a decade, with victims in the United States, Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand, and Vietnam. Researchers track two sub-groups under the APT41 umbrella, Grayfly and Blackfly.

Grayfly’s activity, observed in recent years, is associated with the indictment of Jiang, Qian, and Fu, who hold senior positions at a Chinese company named Chengdu 404.

Malware used by Grayfly includes Barlaiy/POISONPLUG and Crosswalk/ProxIP (Backdoor.Motnug), and many victims were compromised through public-facing web servers. Backdoor.Motnug gives the attackers remote access to the breached environment and also acts as a proxy into hard-to-reach segments of the network.

Blackfly has been active since at least 2010 and is mainly known for targeting video-game companies.

Malware used by Blackfly includes PlugX/Fast (Backdoor.Korplug), Winnti/Pasteboy (Backdoor.Winnti), and Shadowpad (Backdoor.Shadowpad). One specific artifact observed in the group’s attacks was the use of security vendors’ names for its malicious binaries, which is worth a hunting query for vendor-named executables running from unexpected paths.

The link between Grayfly and Blackfly, the security firm says, runs through two other Chinese nationals indicted by the U.S. as part of APT41, Zhang Haoran and Tan Dailin. They allegedly worked at Chengdu 404 for a time but also collaborated with the Blackfly actors for extra income.

“Grayfly and Blackfly have been prolific attackers in recent years and, while it remains to be seen what impact the charges will have on their operations, the publicity surrounding the indictments will certainly be unwelcome among attackers who wish to maintain a low profile.”

NIST Phish Scale

NIST researchers have developed a new method for assessing why employees click on certain phishing emails. The tool, dubbed the Phish Scale, uses real data to rate the complexity and quality of phishing attacks so that organizations can understand where their (human) vulnerabilities lie.

What it is

“The Phish Scale is intended to help provide a deeper understanding of whether a particular phishing email is harder or easier for a particular target audience to detect,” said NIST researcher Michelle Steves in the press release announcing the new tool.

It looks at two main elements when assessing how difficult a phishing email is to detect. The first, ‘phishing email cues’, covers observable signs such as spelling mistakes, a personal email address used in place of a work address, or time-pressure tactics.

The second, ‘alignment of the email’s context to the user’, uses a rating to judge how relevant the premise is to the target; the more relevant it is, the harder the email is to identify as phishing. Combining the two factors, the Phish Scale places each email into one of three detection-difficulty categories: least, moderately, and very difficult.

These ratings give insight into the phishing attacks themselves and help explain why people are more or less likely to click on a given email.
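The following is an added illustration of the two-input scoring described above; it is not NIST’s code. It counts a small set of observable cues in a message with regex heuristics (an assumed subset of the cue checklist an analyst would walk), takes the analyst’s premise-alignment rating as input, and maps cue band and alignment to a difficulty category. The cue-count bands and the difficulty matrix are assumptions chosen to follow the rule stated in the text (fewer cues and better alignment make a phish harder to spot), not the thresholds from the NIST paper; substitute the published values when using this for real. The two sample emails are constructed for the example.

```python
"""Illustrative Phish Scale scorer (example code, not NIST's).

Inputs: (1) observable cues counted in the message, (2) an analyst's rating of
how well the premise aligns with the target audience ("low", "medium", "high").
Output: cue band and a detection-difficulty category.
"""
import re

# ASSUMPTION: a small heuristic subset of cues, enough to demonstrate counting.
URGENCY = re.compile(r"\b(immediately|urgent|within 24 hours|expire|suspended)\b", re.I)
MISSPELLING = re.compile(r"\b(recieve|adress|verfiy|accout|infomation)\b", re.I)
FREE_MAIL = re.compile(r"@(gmail|yahoo|hotmail|outlook)\.com$", re.I)
GENERIC_GREETING = re.compile(r"^dear (customer|user|employee)\b", re.I | re.M)

# ASSUMPTION: illustrative bands, not the NIST paper's thresholds.
def cue_band(total: int) -> str:
    if total <= 3:
        return "few"
    if total <= 7:
        return "some"
    return "many"

# ASSUMPTION: illustrative matrix consistent with "fewer cues + higher
# alignment = harder to detect"; replace with the published NIST matrix.
DIFFICULTY = {
    ("few", "high"): "very difficult",
    ("few", "medium"): "very difficult",
    ("few", "low"): "moderately difficult",
    ("some", "high"): "very difficult",
    ("some", "medium"): "moderately difficult",
    ("some", "low"): "least difficult",
    ("many", "high"): "moderately difficult",
    ("many", "medium"): "moderately difficult",
    ("many", "low"): "least difficult",
}

def count_cues(email: dict) -> dict:
    """Return a cue-name -> count map for one message."""
    body = email["body"]
    sender = email["from"].lower()
    name_tokens = re.findall(r"[a-z]+", email["from_name"].lower())
    return {
        "urgency": len(URGENCY.findall(body)),
        "misspelling": len(MISSPELLING.findall(body)),
        "personal_sender": int(bool(FREE_MAIL.search(email["from"]))),
        "generic_greeting": int(bool(GENERIC_GREETING.search(body))),
        # display name whose words do not appear in the address is a classic cue
        "name_address_mismatch": int(not all(t in sender for t in name_tokens)),
    }

def rate_phish(email: dict, alignment: str) -> dict:
    """Combine the cue count with the analyst's alignment rating."""
    if alignment not in ("low", "medium", "high"):
        raise ValueError("alignment must be low, medium or high")
    cues = count_cues(email)
    total = sum(cues.values())
    band = cue_band(total)
    return {
        "cues": cues,
        "cue_total": total,
        "cue_band": band,
        "alignment": alignment,
        "difficulty": DIFFICULTY[(band, alignment)],
    }

# Constructed sample messages for the example (not real phishing emails).
CRUDE_PHISH = {
    "from_name": "IT Support",
    "from": "it.support.helpdesk@gmail.com",
    "body": ("Dear Customer,\nYour accout will be suspended within 24 hours. "
             "Verfiy your adress immediately to recieve access."),
}
TAILORED_PHISH = {
    "from_name": "Anna Kovacs",
    "from": "anna.kovacs@examplecorp-hr.com",  # assumed, non-existent domain
    "body": ("Hi Peter,\nThe updated travel reimbursement form is attached. "
             "Please return it by Friday so payroll can process it.\nThanks, Anna"),
}

if __name__ == "__main__":
    for label, email, alignment in [("crude", CRUDE_PHISH, "low"),
                                    ("tailored", TAILORED_PHISH, "high")]:
        r = rate_phish(email, alignment)
        print(f"{label}: {r['cue_total']} cues ({r['cue_band']}), "
              f"alignment {alignment} -> {r['difficulty']}")
```

The crude message piles up urgency words, misspellings, a free-mail sender and a generic greeting and, with low alignment, lands in the least-difficult category; the tailored one triggers no cues and, with high alignment, is rated very difficult. The point of keeping alignment as an analyst input rather than something the code guesses is that it depends on the target audience, which is exactly what the Phish Scale is trying to capture.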

Hungary hit by a powerful DDoS attack

Hungarian banking and telecommunication services were briefly disrupted on Thursday by a powerful cyber attack launched from servers in Russia, China and Vietnam, telecoms firm Magyar Telekom (MTEL.BU) said on Saturday.

The event was a distributed denial-of-service (DDoS) attack, in which attackers flood a network with unusually high volumes of traffic in order to paralyse it.

The volume of traffic in the attack was ten times higher than usually seen in DDoS events, making it one of the heaviest ever recorded in Hungary.

“Russian, Chinese and Vietnamese hackers tried to launch a DDoS attack against Hungarian financial institutions, but they tried to overwhelm the networks of Magyar Telekom as well,” the company added in a statement.

The attack, which came in several waves, disrupted the services of some of the country’s banks and caused lapses in Magyar Telekom’s services in parts of the capital, Budapest, before it was repelled.

Hungarian bank OTP Bank (OTPB.BU) confirmed it had been affected by the attack.

Separately, a SIM-swap attack, combined with a remote monitoring tool delivered by phishing, drained a handful of banking customers’ accounts in another attack.

Group Policy Editor bug on Server 2016

Microsoft has identified a bug in Windows 10 version 1607 and Windows Server 2016 that causes errors in the Group Policy Editor.

Microsoft’s release health report stated that Windows 10 1607 and Windows Server 2016 users were experiencing errors when opening the Security Options view in the Group Policy Editor MMC snap-in.

(Screenshot: Group Policy Editor error)

The issue is caused by the September cumulative update KB4577015, and Microsoft says it is working on a fix.

Accessing the Security Options data view in Group Policy Management Editor (gpedit.msc) or Local Security Policy Editor (secpol.msc) may fail with the error “MMC has detected an error in a snap-in. It is recommended that you shut down and restart MMC” or “MMC cannot initialize the snap-in”.

This happens in the MMC window when the console tree is expanded in the following order: Computer Configuration, then Policies, then Windows Settings, then Security Settings, then Local Policies, then Security Options, Microsoft explained.

As a workaround, users can install the RSAT tools on Windows 10 version 1709 or later and manage the affected policies from there until a fix ships, possibly in the next patch window.