
Iranian APT 35 Group Posing as Journalist to Phish Victims: How to Spot and Avoid Their Traps



On September 23, 2020, Group-IB reported that a cybercrime gang dubbed 'OldGremlin' had been targeting banks and other businesses in Russia with ransomware since early March 2020. OldGremlin uses spear-phishing emails to gain a foothold in the network and then encrypts data for a ransom of around $50,000. The Russian-speaking group is notable for its apparent focus on Russia-based companies, a target set most Russian-speaking ransomware crews avoid.







On June 22, 2020, researchers identified a new variant of the IcedID banking trojan that uses COVID-19 related phishing lures. This variant hides its payload inside image files (steganography) to evade content inspection and comes equipped with fresh anti-detection capabilities.


Group-IB has reported that PerSwaysion, a cybercrime group operating since mid-2019, has breached the email accounts of high-ranking executives at more than 150 firms. The group appears to have primarily targeted the financial sector, although it has expanded into other verticals, and typically uses phishing campaigns to breach corporate email accounts. The group members appear to be based in Nigeria and South Africa.


In the first week of January 2020, it was reported that major banks in sub-Saharan Africa were targeted by the Silence hacking group. According to Kaspersky, who attributed the attacks to Silence based on the malware used, the general outline of such an attack involves phishing emails carrying the malware, a period of data gathering inside the bank, and then withdrawing large amounts of cash in one go via ATMs. As of mid-January 2020, the attacks were still ongoing and continued to target large banks.


Since 2018, Silence has sent over 170,000 phishing attacks to financial institutions. The group has refined its techniques since it was first spotted in 2016. Silence now uses fileless techniques, repurposed open-source projects, and old vulnerabilities.


On May 16, 2019, Europol, the U.S. Department of Justice (DoJ), and six other countries, dismantled a group of international cyber criminals that used the GozNym malware to steal over $100 million. The group stole from over 40,000 victims, including the bank accounts of small businesses, law firms, international corporations, and nonprofit organizations. Following a law enforcement investigation across the U.S., Bulgaria, Germany, Georgia, Moldova, and Ukraine, ten members were charged for the crime. The leader of the network was charged in Georgia while another was extradited from Bulgaria to the U.S. to face trial. Although some members of the gang are still on the run, the initial charges have been seen as a success for law enforcement in their efforts to combat international cybercrime.




In late 2018, security researchers uncovered that Cobalt, a financially motivated threat group that specializes in attacks on financial institutions, had begun employing a new variant of the ThreadKit exploit builder kit to run phishing campaigns built around malicious Microsoft Office documents. First observed in October 2017, ThreadKit's new tactics show the evolution of the macro delivery tool and demonstrate the growing range of techniques employed by malicious actors.


In May 2016 and January 2017, the National Bank of Blacksburg, based in the state of Virginia, was hit by phishing emails that enabled intruders to install malware and pivot into the Star Network, a U.S. bank card processing service. The 2017 attack gave wider access to bank networks and enabled the thieves to withdraw $1.8 million over the course of a weekend, taking total losses to $2.4 million. According to a lawsuit filed by the bank against its insurer to recover more of its losses, an investigation after the second attack concluded that both incidents were by the same group, using tools and servers of Russian origin.


Proofpoint researchers have released a report on how state-backed hackers employ novel tactics to breach their targets. According to the report, threat actors assessed to be aligned with the Chinese, Iranian, and Turkish governments are posing as Twitter employees and journalists.


As per the report, an Advanced Persistent Threat (APT) group tracked as TA482 sends phishing emails to compromise the accounts and systems of its targets, mainly US journalists and media outlets, and obtain sensitive data.


The Iranian actor is tracked as TA453 (aka Cobalt Illusion, and also known as Charming Kitten, Phosphorus, APT35, and Newscaster). The group created reporter personas to breach the email accounts of Middle East foreign-policy experts and academics, opening with a plausible interview request before steering the target to a credential-harvesting page. They sent emails to their victims, one of which read:


The same group, TA453 (Charming Kitten, Phosphorus), also targeted medical professionals who specialize in genetics, neurology, and oncology research in the United States and Israel with phishing emails.
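The title promises a way to spot these traps, and the common thread in the TA453 reports above is the shape of the lure rather than any exploit: a "reporter" persona, an interview request, a deadline, and a link to a page that asks for credentials. The following script is an added example (not from the original post or from Proofpoint) that triages a raw email for exactly those indicators. The sample messages, sender names, addresses and domains in it are constructed for illustration and do not come from any real campaign.

```python
"""Heuristic triage of a journalist-persona phishing email.

Added example, not part of the original post. The two messages below are
constructed; every name, address and domain in them is made up.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed suspicious message: press persona on free-mail, redirected
# replies, and a link that looks like a login page.
SAMPLE_EML = """\
From: "Sarah Collins (Global News Desk)" <sarah.collins.reporter@gmail.com>
Reply-To: editor@newsdesk-press.example
To: analyst@thinktank.example
Subject: Interview request: your recent paper on Gulf security
Content-Type: text/plain; charset=utf-8

Dear Dr. Analyst,

I am a reporter preparing a piece on your work. Could you review my
questions at https://docs-share-login.example/view?id=1 before Friday?

Sarah
"""

# Constructed benign message for comparison: own-domain sender, no link.
CLEAN_EML = """\
From: "Jane Doe" <jane.doe@newsroom.example>
To: analyst@thinktank.example
Subject: Thanks for the talk
Content-Type: text/plain; charset=utf-8

Thanks again for speaking at the panel yesterday.
"""

FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "protonmail.com"}
PRESS_WORDS = re.compile(r"\b(news|press|reporter|journalist|editor|desk|times|post)\b", re.I)
CRED_LURE = re.compile(r"\b(login|sign-?in|verify|password|docs?-share)\b", re.I)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> dict:
    """Return the indicators found, keyed by name, plus a 'score' count."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    hits = {}
    # 1. Newsroom persona in the display name but a free-mail sender.
    if PRESS_WORDS.search(name) and from_dom in FREEMAIL:
        hits["press_persona_on_freemail"] = f"{name!r} from {from_dom}"
    # 2. Replies silently redirected to a different domain.
    if reply_dom and reply_dom != from_dom:
        hits["reply_to_domain_mismatch"] = f"{from_dom} -> {reply_dom}"
    # 3. Links in the body whose path or host looks like a credential page.
    urls = re.findall(r"https?://[^\s>\"]+", text)
    lure_urls = [u for u in urls if CRED_LURE.search(u)]
    if lure_urls:
        hits["credential_lure_link"] = ", ".join(lure_urls)
    # 4. Interview/review framing with a deadline is the classic pretext.
    if (re.search(r"\b(interview|questions|review)\b", text, re.I)
            and re.search(r"\b(before|by)\s+\w+day\b", text, re.I)):
        hits["deadline_pretext"] = "interview request with a deadline"
    hits["score"] = len(hits)
    return hits


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, triage(raw))
```

Each indicator on its own is weak (real freelancers do write from Gmail), so the score is meant to drive a human check, not an automatic block: a score of two or more is enough to reply through a known newsroom address rather than the link in the message.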


A separate campaign, attributed by Microsoft to the Russian group Nobelium rather than to TA453, targeted at least 140 organizations in a new round of supply chain attacks. This large-scale campaign has been active since May 2021 and affected Cloud Service Providers, Managed Service Providers, and other IT services organizations. The threat actors did not leverage exploits for vulnerabilities; instead they used well-known techniques like password spraying and spear phishing to get into reseller accounts and then pivot into downstream customers.


In response, the Iranian regime and its Islamic Revolutionary Guard Corps (IRGC) have harassed and even bombed vessels traveling through the Persian Gulf, and downed a U.S. drone in international airspace. State-backed hackers have, among other things, increased targeted phishing attempts against private industry in the United States and around the world and against journalists and activists. Tehran also stands accused of launching drone and missile attacks on the Saudi oil giant Saudi Aramco.


TAG-56: Recorded Future says it spotted a spear-phishing campaign conducted by TAG-56, a cyber-espionage group the company considers to have an Iran nexus. The campaign took place in early November and targeted a Washington think tank using email lures related to the 2022 Sir Bani Yas Forum, an economic forum hosted by the government of the United Arab Emirates (UAE).


Operation ShadowTiger: QiAnXin researchers have published a report on Operation ShadowTiger, a series of attacks carried out by an East Asian APT group they call Tiger Hibiscus, or APT-Q-11. The campaign took place from 2019 to 2021 and involved spear-phishing, browser and intranet zero-days, and an intranet watering-hole attack.

