Cyber Intelligence Weekly (October 27, 2024): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we get started on this week’s CIW, I’d like to highlight and announce that Echelon Risk + Cyber has been named a 2024 Power Partner Award Winner by Inc. Magazine 🎉
We’re proud to be part of a select group of 359 companies recognized for their instrumental role in supporting businesses across various industries.
A huge thank you to our clients for trusting us with their cybersecurity strategies. We’re committed to staying by your side, securing your future.
👉 Read the full press release here: https://lnkd.in/edmhf9Gw
Away we go!
1. Chinese Hackers Allegedly Target Campaign Phones of Trump, Vance, and Harris
Chinese hackers believed to be linked to state intelligence services reportedly infiltrated U.S. telecommunications networks, targeting the phones of high-profile figures including former President Donald Trump, his running mate JD Vance, and individuals linked to Vice President Kamala Harris’s campaign. The hackers used their deep access to target phone data across dozens of individuals, expanding their reach to include Democratic and Republican figures in Congress, as well as a Wall Street Journal reporter. Investigators continue to assess what, if any, sensitive information was accessed, as potential leaks could expose communications within these high-stakes campaigns.
The U.S. government formally acknowledged the intrusion for the first time, with the FBI confirming it is investigating unauthorized access to telecom infrastructure by Chinese actors. The hackers, identified as the group “Salt Typhoon,” have continued their attempts to re-enter networks even after detection, raising concerns within federal agencies and telecommunications providers about possible election interference or broader espionage efforts. Security agencies and telecom companies, including Verizon and AT&T, are actively working with law enforcement to address and remediate the impacts.
This extensive breach also targeted systems used for court-authorized surveillance wiretaps, creating additional security concerns as China could potentially gain insight into U.S. law enforcement operations. Beyond political figures, the hackers attempted to infiltrate a journalist's account, an uncommon tactic that suggests possible retaliation against the reporter's previous coverage of the breaches.
As the investigation continues, White House officials and national security agencies are evaluating response options to China’s aggressive cyber tactics, which appear aimed at gathering intelligence and influencing high-profile individuals in the U.S. ahead of the election. With Election Day approaching, the scale and persistence of these breaches have officials on high alert for any further disruptive attempts.
2. Black Basta Ransomware Group Uses Microsoft Teams to Masquerade as IT Support
The Black Basta ransomware group has developed a new approach to infiltrate corporate networks, now using Microsoft Teams to impersonate IT support. Previously, Black Basta overwhelmed employees with spam emails and then posed as IT help desk agents over the phone to offer "assistance." This tactic has now evolved into contacting employees over Microsoft Teams as an external user, where attackers masquerade as the company's IT help desk to trick employees into providing remote access.
Black Basta members create accounts under misleading names like “supportadministrator.onmicrosoft[.]com” or “cybersecurityadmin.onmicrosoft[.]com,” and contact employees directly on Teams, claiming to address a spam issue. Through this scheme, they aim to convince targets to install remote access software like AnyDesk or launch Windows Quick Assist. Once they gain access, attackers spread across the network, installing malware such as SystemBC and Cobalt Strike, which allow further exploitation, data theft, and eventual ransomware deployment.
Security firm ReliaQuest warns that this method heightens risks for organizations, as attackers bypass typical email security measures. They suggest limiting external communication on Teams, logging suspicious chat activities, and setting communication permissions to only trusted domains. These measures can help reduce the likelihood of falling prey to such sophisticated social engineering tactics.
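The "log suspicious chat activity" recommendation above is the one that needs code. The following is an added example (not from the newsletter and not ReliaQuest's tooling) of a small triage rule a SOC could run over exported Teams chat records: it leaves messages from the tenant's own and federated domains alone, and scores external senders on the signals described in the text, namely a default onmicrosoft.com tenant name, a tenant or display name that mimics IT support, and a message about spam cleanup or remote-access tools. The record field names (`sender`, `display_name`, `message`), the allowlist, the keyword lists and the sample chats are all constructed for the example, not Microsoft's audit schema or any real tenant.

```python
"""Triage external Microsoft Teams chats for IT-support impersonation.

Added example: record layout, allowlist, keyword lists and sample data are
constructed assumptions, not a Microsoft log schema or a vendor's rules.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed allowlist: the tenant's own domain plus an approved federated partner.
TRUSTED_DOMAINS = {"example.com", "partner.example.net"}

# Words a tenant label or display name uses when it wants to look like internal IT.
IMPERSONATION = re.compile(r"support|help[ -]?desk|admin|cybersecurity|it[ -]?service", re.I)
# Phrases typical of the "we'll clean up your spam, just give us remote access" lure.
LURE = re.compile(r"\bspam\b|anydesk|quick assist|remote access|share (?:the|your) code", re.I)


@dataclass(frozen=True)
class Finding:
    sender: str
    severity: str
    reasons: tuple


def sender_domain(upn: str) -> str:
    """Domain part of a user principal name, lower-cased."""
    return upn.rsplit("@", 1)[-1].lower()


def assess_chat(record: dict) -> Optional[Finding]:
    """Score one chat record; return a Finding only when it warrants analyst review."""
    domain = sender_domain(record["sender"])
    if domain in TRUSTED_DOMAINS:
        return None  # internal or approved federated sender: out of scope for this rule

    score, reasons = 1, ["sender domain is outside the trusted allowlist"]
    if domain.endswith(".onmicrosoft.com"):
        score += 1
        reasons.append("sender tenant still uses its default onmicrosoft.com name")
    tenant_label = domain.split(".")[0]
    if IMPERSONATION.search(tenant_label) or IMPERSONATION.search(record.get("display_name", "")):
        score += 2
        reasons.append("tenant or display name mimics IT support")
    if LURE.search(record.get("message", "")):
        score += 2
        reasons.append("message references spam cleanup or remote-access tooling")

    if score < 3:
        return None  # merely being external, or external on a default tenant, is not enough
    return Finding(record["sender"], "high" if score >= 5 else "medium", tuple(reasons))


def review_chats(records: Iterable[dict]) -> list[Finding]:
    """Run the rule over a batch of records and keep only the findings."""
    return [f for f in map(assess_chat, records) if f is not None]


# Constructed sample records standing in for an exported batch of external chats.
SAMPLE_CHATS = [
    {"sender": "alice@example.com", "display_name": "Alice", "message": "Lunch at noon?"},
    {"sender": "pat@partner.example.net", "display_name": "Pat", "message": "Invoice attached."},
    {"sender": "sales@vendor-example.org", "display_name": "Sam Sales",
     "message": "Following up on our demo last week."},
    {"sender": "it.helpdesk@cybersecurity-admin.onmicrosoft.com", "display_name": "IT Help Desk",
     "message": "We noticed your mailbox is flooded with spam. Please open Quick Assist and share the code."},
    {"sender": "agent@cloud-desk-example.org", "display_name": "Microsoft Support",
     "message": "Hi, can we set up a call about your licensing?"},
    {"sender": "jo@smallbiz-demo.onmicrosoft.com", "display_name": "Jo",
     "message": "Sharing the agenda for tomorrow."},
]

if __name__ == "__main__":
    for finding in review_chats(SAMPLE_CHATS):
        print(finding.severity.upper(), finding.sender, "|", "; ".join(finding.reasons))
```

The scoring is deliberately additive so that a legitimate small business on a default onmicrosoft.com tenant does not trip the rule on its own, while a tenant named to look like IT that also talks about spam and Quick Assist is flagged as high. Thresholds and keyword lists are starting points to tune against a tenant's real external-chat baseline.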
Black Basta's continued innovation in attack methods emphasizes the importance of robust security policies, vigilance in employee training on phishing awareness, and tightening controls around remote access protocols to safeguard against increasingly deceptive cyber threats.
3. Kremlin-Linked Hackers Target Ukrainian Agencies in Espionage Campaign
Russian state-backed hacker group APT29, also known as Cozy Bear, has launched a new espionage campaign aimed at Ukrainian state and military agencies, as well as industrial sectors, according to findings by Amazon Web Services (AWS) and Ukraine’s CERT-UA. This campaign, which uses phishing emails mimicking Amazon and Microsoft messages, aims to steal sensitive login credentials. Researchers believe APT29, associated with Russia’s Foreign Intelligence Service (SVR), is seeking access to Ukrainian networks to extract Windows credentials through Microsoft Remote Desktop, potentially compromising sensitive Ukrainian government and defense information.
APT29 typically targets a narrow set of entities, but this campaign appears unusually broad, reaching a much wider group of potential victims. AWS reported that the hackers used deceptive domain names to impersonate legitimate AWS sites, aiming to lure targets into disclosing their credentials. AWS has responded by seizing these domains, intending to limit the hackers’ access and disrupt the operation. CERT-UA stated that the campaign has been ongoing since at least August, highlighting a sustained effort by Russian-backed hackers to target Ukraine amidst heightened cyber tensions.
On Friday, Ukraine’s CERT-UA issued an additional warning of another attack attributed to a separate Russian group, APT28, or Fancy Bear. This campaign similarly targeted Ukrainian local government agencies, using fake Google reCAPTCHA to gain access to credentials stored in internet browsers like Chrome and Edge, and to deploy Metasploit, a tool often used to identify system vulnerabilities.
As Russian-backed hacking groups expand their tactics, AWS and CERT-UA continue to work to identify and dismantle the infrastructure used in these campaigns, underscoring the ongoing cyber risk for Ukrainian entities in critical sectors.
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about