CrowdStrike has uncovered evidence that attacks against the Democratic National Committee (DNC) have been ongoing since June of this year. The researchers have already identified five different intrusions, all of which appear to be motivated by financial gain.
CrowdStrike researchers who tracked these attacks attributed them, with low confidence, to Scattered Spider, a group that shows persistence in maintaining access, altering defensive mitigations, evading detection, and pivoting to other valid targets if stopped.
The security firm says the main goal of these campaigns is to break into telecom network systems and gain access to subscribers' information. It also says that other activities, such as SIM swapping, are part of the campaign.
The hackers then use the company's systems to track and monitor their victims' activity in order to identify potential targets for further attacks.
The company uses MFA (multi-factor authentication) to protect its users' identities and data. If an attacker obtains user credentials, they may flood the user with push notifications, making it appear that someone is constantly trying to log in with the stolen information. Other social engineering tactics may also be used to gain access.
A burner account is a type of online account that allows users to easily and quickly access their online content, including photos, videos, and articles. Burners are popular among online users because they allow for quick and easy sharing of content without having to create an account or sign in. Some burners also offer features that make them more convenient, such as the ability to save content for later retrieval.
Once the hackers gain access to the system, they try to add their own devices to the list of trusted MFA devices using the compromised user account.
The hackers are using a remote monitoring and management (RMM) tool to control their campaign.
Most of this software is trusted in corporate environments and is unlikely to trigger alerts from security software. Moreover, the intrusions observed by the security firm show that the hackers were aggressive in their attempts to maintain access to the breached network even after being detected.
In one observed case, the threat actors became more active and deployed persistence methods such as VPN (Virtual Private Network) access or RMM tools when these mitigations were applied slowly. In a second case, they deployed the same persistence methods more quickly when the mitigations were not applied slowly.
In some other cases, the adversary returned to some of its earlier methods, re-enabling accounts that the victim organization had previously disabled.
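The behaviours described above give a defender two concrete things to look for in identity-provider audit logs: a burst of denied or timed-out MFA pushes followed by an approval and a newly enrolled MFA device, and an account that is re-enabled shortly after the security team disabled it. The following detection logic is an added example, not code from the CrowdStrike report or from any vendor product. The audit-event format, the sample events and the thresholds (three failed pushes within ten minutes, device enrollment within thirty minutes of the approval, re-enablement within 24 hours of the disable) are all constructed assumptions to be tuned against a real tenant's log schema.

```python
"""Detect MFA push fatigue and account re-enablement in constructed audit events.

Added example; the event schema and all sample records below are constructed
and do not come from any real identity provider or incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, event_type, detail).
# Assumed generic audit format; real IdPs (Okta, Azure AD, Duo, ...) differ.
EVENTS = [
    ("2022-12-01T09:00:00", "alice", "mfa_push", "denied"),
    ("2022-12-01T09:00:20", "alice", "mfa_push", "denied"),
    ("2022-12-01T09:00:45", "alice", "mfa_push", "timeout"),
    ("2022-12-01T09:01:10", "alice", "mfa_push", "denied"),
    ("2022-12-01T09:01:40", "alice", "mfa_push", "approved"),        # user finally taps Approve
    ("2022-12-01T09:03:00", "alice", "mfa_device_enrolled", "authenticator-app"),
    ("2022-12-01T10:00:00", "bob", "mfa_push", "denied"),            # one denial: normal noise
    ("2022-12-01T10:30:00", "bob", "mfa_push", "approved"),
    ("2022-12-01T11:00:00", "carol", "account_disabled", "by=secops"),
    ("2022-12-01T11:20:00", "carol", "account_enabled", "by=helpdesk-svc"),
    ("2022-12-01T12:00:00", "dave", "account_disabled", "by=hr-offboarding"),
]


def parse(events):
    """Convert ISO-8601 timestamps to datetime and return chronologically sorted tuples."""
    return sorted((datetime.fromisoformat(ts), user, etype, detail)
                  for ts, user, etype, detail in events)


def detect_push_fatigue(events, min_failures=3, window=timedelta(minutes=10),
                        enroll_within=timedelta(minutes=30)):
    """Flag an approval preceded by >= min_failures failed pushes inside `window`,
    and escalate if a new MFA device is enrolled within `enroll_within` of it."""
    by_user = defaultdict(list)
    for ts, user, etype, detail in parse(events):
        by_user[user].append((ts, etype, detail))

    alerts = []
    for user, evs in by_user.items():
        failures = []               # timestamps of recent denied/timed-out pushes
        suspicious_approval = None  # time of an approval that followed a push storm
        for ts, etype, detail in evs:
            if etype == "mfa_push" and detail in ("denied", "timeout"):
                failures.append(ts)
            elif etype == "mfa_push" and detail == "approved":
                recent = [f for f in failures if ts - f <= window]
                if len(recent) >= min_failures:
                    suspicious_approval = ts
                    alerts.append({"rule": "mfa_push_fatigue", "user": user,
                                   "failures": len(recent),
                                   "approved_at": ts.isoformat()})
                failures = []       # an approval closes the current burst
            elif (etype == "mfa_device_enrolled" and suspicious_approval is not None
                  and ts - suspicious_approval <= enroll_within):
                # Attacker registering their own device as a trusted factor.
                alerts.append({"rule": "new_mfa_device_after_fatigue", "user": user,
                               "device": detail, "enrolled_at": ts.isoformat()})
                suspicious_approval = None
    return alerts


def detect_reenabled_accounts(events, within=timedelta(hours=24)):
    """Flag accounts re-enabled within `within` of being disabled, recording who did each."""
    last_disabled = {}
    alerts = []
    for ts, user, etype, detail in parse(events):
        if etype == "account_disabled":
            last_disabled[user] = (ts, detail)
        elif etype == "account_enabled" and user in last_disabled:
            disabled_at, disabled_by = last_disabled.pop(user)
            if ts - disabled_at <= within:
                alerts.append({"rule": "account_reenabled", "user": user,
                               "disabled": disabled_by, "enabled": detail,
                               "minutes_after_disable": (ts - disabled_at).total_seconds() / 60})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(EVENTS) + detect_reenabled_accounts(EVENTS):
        print(alert)
```

Run stand-alone, the script reports a push-fatigue alert and a follow-on device-enrollment alert for `alice`, nothing for `bob` (a single denial is ordinary user behaviour), and a re-enablement alert for `carol` whose account was enabled by a different principal twenty minutes after SecOps disabled it. Pairing the enrollment rule with the push-storm rule is what keeps the false-positive rate tolerable: device enrollments alone are routine, but an enrollment minutes after a storm of refused prompts is the sequence the report describes.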
The CrowdStrike report says that the threat actors used various VPNs and ISPs to access the victim's Google Workspace environment. The adversaries obtained various kinds of espionage information, downloaded user lists from the compromised tenants, and exploited WMI, SSH tunneling, and domain replication.
A37 Group, a South Korean technology company, said its Dolphin malware was used to steal data and target South Korean paper companies. The company said the malware was first discovered in March and has since been used to steal data from more than 100 South Korean companies.