State-sponsored cyberespionage campaigns continue targeting journalists and media

Researcher by Researcher
July 17, 2022
in Cybersecurity

Journalists have information that makes them particularly interesting for state-sponsored cyberespionage threat actors. Learn more about these threats now.

Image: lidiia/Adobe Stock

Media organizations and journalists have in recent years been increasingly targeted by state-sponsored advanced persistent threat actors with a clear purpose: obtain access to their sensitive information, spy on their activities or even identify their sources. In addition, compromised journalist accounts might also be used for spreading disinformation or pro-state propaganda.

Email is the most commonly used initial infection vector, but the threat actors also target social media accounts.

A new publication from Proofpoint exposes several of these targeted attacks in an attempt to raise awareness.

Four state-sponsored campaigns against journalists

China’s TA412 and TA459

Zirconium, a threat actor also known as TA412, has been targeting American journalists since 2021. The actor, aligned with Chinese state interests, has often used emails to target people with web beacons before fully compromising them.

Web beacons, also known as tracking pixels, are invisible objects within an HTML email which discreetly retrieve a benign image file from an attacker-owned server. This way, the attacker can collect information about the recipient such as their external IP address, user agent and email address, and validate that the user account is active.
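As an added example (not part of the original article or Proofpoint's report), the following Python script shows how a defender can flag likely web beacons in an HTML email body: remote images that are 1x1 or zero-sized, hidden by CSS, or carry a long opaque token that would identify the individual recipient. The sample email body is constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class BeaconFinder(HTMLParser):
    """Collects <img> tags that fetch a remote resource and look like tracking pixels."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            return  # inline (cid:) or data: images do not contact a remote server
        reasons = []
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("1x1 or zero-sized")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        # A long opaque token in the URL is typical of a per-recipient identifier.
        if re.search(r"[?&=/][A-Za-z0-9_-]{16,}", src):
            reasons.append("long opaque token in URL")
        if reasons:
            self.findings.append((src, reasons))


def find_web_beacons(html_body: str):
    """Return remote <img> references in html_body that look like web beacons."""
    parser = BeaconFinder()
    parser.feed(html_body)
    return parser.findings


# Constructed sample HTML email body; the hostnames are placeholders, not real indicators.
SAMPLE_EMAIL = """<html><body>
<p>Dear reporter, please find our latest newsletter below.</p>
<img src="cid:logo@local" width="200" height="50">
<img src="https://tracker.example/open.gif?u=8f3a9c1d2e4b6a7f9c0d" width="1" height="1">
<img src="https://cdn.example/banner.png" width="600" height="120">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_web_beacons(SAMPLE_EMAIL):
        print(f"possible web beacon: {src} ({', '.join(reasons)})")
```

Mail gateways can apply the same checks to strip or proxy remote images, which denies the sender the IP address and user agent the beacon would otherwise report.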

Beginning in 2021, TA412 launched at least five campaigns targeting American journalists covering U.S. politics and national security during events such as the Jan. 6 attack on the Capitol.

In August 2021, the threat actor once again launched an attack campaign, this time targeting journalists covering cybersecurity, surveillance and privacy issues relating to China.

In 2022, the threat actor targeted journalists reporting on American and European engagement in the anticipated Russo-Ukrainian War.

Meanwhile, the threat actor TA459 targeted media employees with emails containing a malicious RTF attachment. Once opened, it would install and run malware known as Chinoxy.

North Korea’s TA404

In early 2022, threat actor TA404, also known as Lazarus, created fake job offer pages designed to look like a branded job posting website in a campaign dubbed Operation Dream Job (Figure A).

Figure A

Image: Google. Fake job page hosted on an attacker-controlled server impersonating a legitimate brand.

Links to these pages were sent to American targets belonging to a media organization which had published an article that was critical of North Korean leader Kim Jong-un.

An exploit kit would then compromise the visitors with malware and provide access to the compromised device.

Turkey’s TA482

TA482 is a threat actor targeting the social media accounts of American journalists and media organizations. According to Proofpoint, the threat actor aligns with Turkish state interests.

In early 2022, TA482 used social engineering to send an email supposedly from Twitter’s Security Center, warning the user of a suspicious connection (Figure B).

Figure B

Image: Proofpoint. Twitter security themed phishing email.

Clicking on the provided link would lead the target to a credential harvesting page impersonating Twitter.

Iran’s TA453, TA456 and TA457

TA453, also known as Charming Kitten, routinely masquerades as journalists from around the world. The threat actor starts benign conversations with its targets, who are mostly academics and policy experts working on Middle Eastern foreign affairs. The conversation usually encourages further dialogue by appealing to the target’s interests and demonstrating knowledge of their work.

Should the victim not answer, TA453 will keep recontacting the target or invite them to a virtual meeting to have further discussions. The goal of the campaign is to obtain the target’s credentials by leading them to a credential harvesting domain controlled by the threat actor.

TortoiseShell, also known as TA456, is another actor from Iran who targets media organizations via other attack campaigns. The threat actor targets users with newsletter emails containing web beacons before compromising these users via malware infection.

TA457 poses as an iNews reporter to deliver malware to people responsible for public relations in American, Israeli and Saudi Arabian companies. Between September 2021 and March 2022, the threat actor ran attack campaigns approximately every two to three weeks, targeting both generic and individual email addresses at these media organizations.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
