- CREATED 20 HOURS AGO by dekaRituraj
- Public
- TLP: White
Cybersecurity researchers are warning of ongoing attacks by a suspected Chinese-speaking threat actor targeting the Afghan government as part of an espionage campaign that may date back as far as 2014. Israeli cybersecurity firm Check Point Research attributed the intrusions to a hacking group tracked under the moniker “IndigoZebra”, whose past activity has targeted other Central Asian countries, including Kyrgyzstan and Uzbekistan. “The threat actors behind the espionage leveraged Dropbox, the popular cloud-storage service, to infiltrate the Afghan National Security Council (NSC),” the researchers said in a technical write-up shared with The Hacker News, adding that they “orchestrated a ministry-to-ministry style deception, where an email is sent to a high-profile target from the mailboxes of another high-profile victim.”

REFERENCES:
- https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/
- https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html

TAGS: xcaon, http, poisonivy, boxcaon, indigozebra, uzbekistan, dropbox, kyrgyzstan, c communication, dropbox account, kyrgyz, dropbox api, mac address, kaspersky, download, persistence, antiav, malware, poison ivy, execution, service

ADVERSARY: IndigoZebra

INDUSTRIES: Political, Government

TARGETED COUNTRIES: China, Uzbekistan, Kyrgyzstan

MALWARE FAMILIES: HTTP, xCaon, BoxCaon, PoisonIvy

ATT&CK IDS:
- T1105 – Ingress Tool Transfer
- T1059 – Command and Scripting Interpreter
- T1083 – File and Directory Discovery
- T1140 – Deobfuscate/Decode Files or Information
- T1497 – Virtualization/Sandbox Evasion
- T1027 – Obfuscated Files or Information
- T1071 – Application Layer Protocol
- T1102 – Web Service
- T1132 – Data Encoding
- T1204 – User Execution
- T1518 – Software Discovery
- T1547 – Boot or Logon Autostart Execution
- T1566 – Phishing
- T1567 – Exfiltration Over Web Service
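The pulse maps the Dropbox abuse to T1102 (Web Service) and T1567 (Exfiltration Over Web Service): a backdoor that uses Dropbox as its command channel has to talk to the Dropbox API endpoints, but from a process that is not the official Dropbox client. The hunt below is an added example, not code from this pulse, from Check Point or from any of the references; it assumes a constructed CSV proxy/EDR log format (ts, host, process, dst_host, method, path) and assumes that dropbox.exe is the only sanctioned process allowed to reach the Dropbox API. The sample log lines are constructed for the example, not real telemetry.

```python
"""Hunt for Dropbox API traffic from unexpected processes (T1102 / T1567).

Added example: not code from the pulse, Check Point or The Hacker News.
The CSV schema and the sample rows are constructed; map the fields to
your own proxy or EDR telemetry before using this for real.
"""
import csv
import io
from collections import defaultdict

# Real Dropbox API hostnames. Any process driving the Dropbox API as a
# C2 channel must reach these; ordinary user sync comes from the client.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Assumption for this example: only the desktop client may use the API.
ALLOWED_PROCESSES = {"dropbox.exe"}

# Constructed sample log (not real data). Schema is an assumption.
SAMPLE_LOG = """\
ts,host,process,dst_host,method,path
2021-07-01T08:01:10Z,WS-NSC-012,dropbox.exe,api.dropboxapi.com,POST,/2/files/list_folder
2021-07-01T08:02:33Z,WS-NSC-012,chrome.exe,www.example.gov,GET,/
2021-07-01T08:05:41Z,WS-NSC-044,svchost.exe,content.dropboxapi.com,POST,/2/files/download
2021-07-01T08:05:52Z,WS-NSC-044,svchost.exe,content.dropboxapi.com,POST,/2/files/upload
2021-07-01T08:06:05Z,WS-NSC-044,svchost.exe,content.dropboxapi.com,POST,/2/files/upload
2021-07-01T09:10:00Z,WS-NSC-007,winword.exe,api.dropboxapi.com,POST,/2/files/list_folder
"""


def find_suspicious_dropbox_api_use(log_text, allowed=ALLOWED_PROCESSES):
    """Return {(host, process): [api paths]} for non-allowed processes
    that contacted a Dropbox API endpoint."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst_host"].lower() not in DROPBOX_API_HOSTS:
            continue  # not Dropbox API traffic at all
        if row["process"].lower() in allowed:
            continue  # sanctioned client, ignore
        hits[(row["host"], row["process"])].append(row["path"])
    return dict(hits)


def summarize(hits):
    """One line per (host, process), counting download (tasking/tool
    transfer) and upload (exfiltration) calls so an analyst can triage."""
    lines = []
    for (host, proc), paths in sorted(hits.items()):
        uploads = sum(p.endswith("/upload") for p in paths)
        downloads = sum(p.endswith("/download") for p in paths)
        lines.append(
            f"{host} {proc}: {len(paths)} API calls, "
            f"{downloads} download, {uploads} upload"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(find_suspicious_dropbox_api_use(SAMPLE_LOG)):
        print(line)
```

On the constructed sample this flags svchost.exe on WS-NSC-044 (one download, two uploads) and winword.exe on WS-NSC-007, while the legitimate dropbox.exe session on WS-NSC-012 is ignored. In a real environment, tune the allow-list to the processes your organisation actually sanctions, and expect the host-to-process mapping to come from EDR rather than a plain proxy log.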