Google's Threat Analysis Group (TAG) revealed on Thursday that it had blocked 36 malicious domains run by hack-for-hire groups from India, Russia, and the United Arab Emirates.
Hack-for-hire firms provide their clients with the means to launch targeted attacks on high-profile targets such as corporations, activists, journalists, and politicians, in a manner similar to the surveillanceware ecosystem.
Hack-for-hire attacks are distinct from commercial spyware purchases in that the hackers are known to carry out the intrusions on their clients' behalf in order to hide their involvement.
Google's Shane Huntley, director of Google TAG, said in a report that "the hack-for-hire landscape is fluid, both in how attackers organize themselves and in the wide range of targets they pursue in a single campaign at the behest of disparate clients."
In some cases, hackers for hire advertise their services to the general public, while in other cases, they operate more discreetly, selling only to a select group of customers.
Recently reported attacks by an Indian hack-for-hire actor on an IT company in Cyprus, an educational institution in Nigeria, and a fintech company in the Balkans illustrate the wide range of victims.
Credential phishing attacks targeting government agencies, Amazon Web Services (AWS), and Gmail accounts have been linked to an Indian group that Google TAG says it has been tracking since 2012.
The attacks begin with a spear-phishing email carrying an attachment that contains a rogue link; when clicked, the link opens an attacker-controlled phishing page designed to steal user credentials. Government, healthcare, and telecommunications organizations in Bahrain, Saudi Arabia, and the United Arab Emirates were among those targeted.
Google TAG attributed the Indian hack-for-hire activity to a firm called Rebsec, short for "Rebellion Securities" according to its dormant Twitter account. At the time of writing, the company's website claims to offer corporate espionage services.
A Russian cyber mercenary group known as Void Balaur has been linked to a series of credential theft attacks on journalists, European politicians, and non-profits.
A five-year investigation has revealed that the group has targeted accounts at major webmail providers like Gmail, Yahoo!, Mail.ru, and inbox.lv, as well as smaller regional ones like abv.bg and UKR.net.
TAG's report also mentioned a group based in the United Arab Emirates with connections to the original developers of njRAT (aka H-Worm or Houdini).
Operating in the Middle East and North Africa, these attackers use password-reset lures to steal credentials from government, education, and political institutions, activity that Amnesty International had previously documented in 2018.
After compromising an account, the threat actor maintains persistence in several ways: adding a legitimate email application like Thunderbird, creating an App Password to access the account via IMAP, or linking the account to an adversary-owned account on a third-party mail provider.
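The three persistence methods described above each leave a trace in a mailbox's settings or audit trail. The following is an added example, not code from Google TAG or the original article, of a defender-side hunt over constructed audit events; the event shape, the action names, and the trusted domain `example.com` are assumptions, not any real provider's log format.

```python
"""Hunt for post-compromise mailbox persistence: new App Passwords,
IMAP enablement, and forwarding to addresses outside the organisation."""
from dataclasses import dataclass

# Assumption: the organisation's own mail domains; forwarding elsewhere is suspect.
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample audit events (not a real provider's format).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "action": "login", "detail": "webmail"},
    {"user": "alice@example.com", "action": "app_password_created", "detail": "Thunderbird"},
    {"user": "bob@example.com", "action": "forwarding_added", "detail": "b0b.backup@mail-provider.test"},
    {"user": "bob@example.com", "action": "forwarding_added", "detail": "bob.manager@example.com"},
    {"user": "carol@example.com", "action": "imap_enabled", "detail": ""},
]


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str


def external_domain(address: str) -> bool:
    """True when the forwarding target's domain is not one of ours."""
    _, _, domain = address.rpartition("@")
    return domain.lower() not in TRUSTED_DOMAINS


def hunt(events):
    """Return one Finding per event matching a persistence pattern.
    Internal forwarding (same trusted domain) is deliberately not flagged."""
    findings = []
    for e in events:
        action, user, detail = e["action"], e["user"], e["detail"]
        if action == "app_password_created":
            findings.append(Finding(user, f"App Password created for '{detail}' (IMAP client access)"))
        elif action == "imap_enabled":
            findings.append(Finding(user, "IMAP access enabled on the account"))
        elif action == "forwarding_added" and external_domain(detail):
            findings.append(Finding(user, f"mail forwarding to external address {detail}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.user}: {f.reason}")
```

In a real deployment the same three checks would be fed from the mail provider's admin audit log and correlated with the login event that preceded them.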
Just a week earlier, Google TAG had exposed an Italian spyware company named RCS Lab, whose "Hermit" hacking tool was used to target Android and iOS users in Italy and Kazakhstan.