APT Events, Groups
Q1-Q3 Edition
Overview of July 2024 APT Events
In July 2024, several significant Advanced Persistent Threat (APT) events were reported, affecting various sectors and regions. These events highlight the evolving nature of cyber threats and the need for robust cybersecurity measures.
Macau Government Websites DDoS Attack
On July 11, 2024, a Distributed Denial-of-Service (DDoS) attack targeted multiple Macau government websites, including the Office of the Secretary for Security, the Public Security Police Force, the Fire Services Bureau, and the Academy of Public Security Forces. The attack, which lasted for 45 minutes, was suspected to have originated from overseas. Local authorities collaborated with telecommunication operators to restore services promptly and initiated a criminal investigation to trace the source of the attack.
Squarespace DNS Hijacking Attacks
In the same month, a wave of coordinated DNS hijacking attacks targeted decentralized finance (DeFi) cryptocurrency domains hosted on Squarespace. The attackers exploited a weakness in Squarespace's domain management system that allowed them to take over domains originally registered at Google Domains and later migrated to Squarespace. Visitors to the hijacked domains were redirected to phishing sites hosting wallet drainers, resulting in the theft of cryptocurrency.
WazirX Cyber Attack
Indian crypto exchange WazirX suffered a significant cyber attack in July 2024, resulting in the loss of virtual assets valued at over $230 million. The attack, which has been linked to North Korea, targeted one of WazirX's multi-signature wallets by exploiting a discrepancy between what the wallet's interface displayed and the transaction data actually being signed. This allowed the attackers to bypass the multi-signature security measures and gain control of the wallet.
Earlier this Year (2024)
Iran's Railway Company APT Attack
In March 2024, Iran's Railway Company suffered an APT attack that exposed identity documents, routes, and internal reports. The attack, which was attributed to state-sponsored actors, demonstrated the vulnerability of critical infrastructure to cyber threats.
DuneQuixote and Other Malware Campaigns
In the first quarter of 2024, Kaspersky's Global Research and Analysis Team (GReAT) identified new malware campaigns, including DuneQuixote. This campaign targeted governmental entities worldwide, using sophisticated tools designed for stealth and persistence. The malware employed strings from Spanish poems to evade detection and was used to harvest sensitive data.
LilacSquid Data Exfiltration Attacks
In June 2024, LilacSquid launched data exfiltration attacks across various industry sectors in the US and EU. The attacks, which were attributed to state-sponsored actors, highlighted the need for robust cybersecurity measures to protect against evolving cyber threats.
Hidden Cobra
In 2024, US-CERT issued an alert about the deployment of the Joanap and Brambul malware strains by Hidden Cobra, a North Korean state-sponsored hacking group. Joanap is a fully functional Remote Access Trojan (RAT) that can receive multiple commands remotely, while Brambul is a Server Message Block (SMB) worm that spreads by brute-forcing authentication against other hosts.
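A worm that spreads the way Brambul is described above leaves a characteristic trace: one source host generating failed network logons against many targets with many different usernames. The following detection logic is an added example, not code from the US-CERT alert or from any vendor product; the logon-failure records it processes are constructed sample data in a simplified (source_ip, target_host, username, event_id, logon_type) form, where event ID 4625 is a Windows failed logon and logon type 3 is a network (SMB-style) logon.

```python
"""Flag worm-like SMB brute forcing from simplified Windows logon-failure records."""
from collections import defaultdict

FAILED_LOGON = 4625      # Windows Security event: an account failed to log on
NETWORK_LOGON_TYPE = 3   # logon type used for SMB and other network authentication


def build_sample_events():
    """Constructed sample data: one spreading host plus benign background noise."""
    events = []
    # A host sweeping four neighbours with eight guessed usernames each (32 failures).
    for target in ("FS01", "FS02", "HR-PC7", "DC01"):
        for user in ("admin", "administrator", "test", "guest", "user",
                     "backup", "svc", "root"):
            events.append(("10.0.0.50", target, user, FAILED_LOGON, NETWORK_LOGON_TYPE))
    events.append(("10.0.0.50", "FS02", "backup", 4624, NETWORK_LOGON_TYPE))  # one success
    # A real user mistyping a password three times on a single share.
    for _ in range(3):
        events.append(("10.0.0.7", "FS01", "alice", FAILED_LOGON, NETWORK_LOGON_TYPE))
    # Interactive (console) failures are not SMB traffic and are ignored.
    events.append(("10.0.0.9", "HR-PC7", "bob", FAILED_LOGON, 2))
    return events


def smb_bruteforce_sources(events, min_failures=20, min_targets=3, min_users=5):
    """Return source IPs whose failed network logons fan out across hosts and accounts.

    All three thresholds must be exceeded, so a single user locking themselves
    out of one share (many failures, one target, one account) is not reported.
    """
    stats = defaultdict(lambda: {"failures": 0, "targets": set(), "users": set()})
    for src, target, user, event_id, logon_type in events:
        if event_id != FAILED_LOGON or logon_type != NETWORK_LOGON_TYPE:
            continue
        entry = stats[src]
        entry["failures"] += 1
        entry["targets"].add(target)
        entry["users"].add(user)
    return sorted(
        src for src, s in stats.items()
        if s["failures"] >= min_failures
        and len(s["targets"]) >= min_targets
        and len(s["users"]) >= min_users
    )


if __name__ == "__main__":
    print("suspected SMB brute-force sources:", smb_bruteforce_sources(build_sample_events()))
```

Tune the thresholds to the environment's baseline before deploying; the fan-out across targets and usernames is the signal, not the raw failure count.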
Operation Crimson Palace
Operation Crimson Palace was a state-sponsored cyber espionage campaign that targeted high-profile government organizations in Southeast Asia. The campaign, which was attributed to Chinese state-sponsored actors, involved the exfiltration of sensitive military and political secrets, including strategic documents related to the contested South China Sea.
LunarWeb and LunarMail
Nation-state backed hackers used two new backdoors, LunarWeb and LunarMail, to infiltrate European diplomatic agencies. The attack chain began with spear-phishing emails that deployed the LunarMail backdoor, which established persistence by installing itself as an Outlook add-in. LunarWeb persisted by blending its communications into legitimate traffic and used techniques such as registering Group Policy extensions and embedding itself in legitimate software.