By integrating intelligent network policies, zero-trust principles, and AI-driven insights, enterprises can create a robust defense against the next generation of cyber threats.
from darkreading https://ift.tt/edcC8Oz
via IFTTT
Google on Wednesday disclosed that the Chinese state-sponsored threat actor known as APT41 used malware called TOUGHPROGRESS that relies on Google Calendar for command-and-control (C2).
The tech giant, which discovered the activity in late October 2024, said the malware was hosted on a compromised government website and was used to target multiple other government entities.
“Misuse of cloud
from The Hacker News https://ift.tt/pgQ5lSU
Google said Wednesday that it caught suspected People’s Republic of China-backed hackers leveraging its Calendar service to help stealthily stage attacks on government agencies.
In late October of last year, Google Threat Intelligence Group said it “discovered an exploited government website hosting malware being used to target multiple other government entities,” the company’s Patrick Whitsell wrote in a blog post. The exploited website delivered malware the company dubbed TOUGHPROGRESS that took advantage of Google Calendar for command and control (C2) to help it blend in with authentic activity.
Google attributed the attacks “with high confidence” to APT41, the Chinese Ministry of State Security-linked group also tracked as Wicked Panda, Winnti and Double Dragon.
“To disrupt APT41 and TOUGHPROGRESS malware, we have developed custom fingerprints to identify and take down attacker-controlled Calendars,” Whitsell wrote. “We have also terminated attacker-controlled Workspace projects, effectively dismantling the infrastructure that APT41 relied on for this campaign. Additionally, we updated file detections and added malicious domains and URLs to the Google Safe Browsing blocklist.”
There are signs that hacker exploitation of Google Calendar has been on the uptick. And APT41 has been increasingly on the radar since 2019 for going after a wide range of industries and sectors, from government to entertainment to technology to automotive targets. In 2020, the Justice Department charged seven individuals in a hacking campaign that it linked to APT41 and that it said hit hundreds of targets in the United States and elsewhere.
In the latest case, as Google explained in the blog post, APT41 delivered the malware through spearphishing emails linking to a payload hosted on the exploited government site, alongside phony files and decoy PDFs. TOUGHPROGRESS can read and write events in an attacker-controlled Google Calendar, Google said. The operator places encrypted commands in events on specific past dates; the implant polls the Calendar for those events, decrypts and executes the commands, then encrypts the output and writes it back to another Calendar event.
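The dead-drop exchange described above, simulated end to end. This is an added example, not Google's write-up or the TOUGHPROGRESS code: the calendar is an in-memory stand-in for the Calendar API, the cipher is a SHA-256 keystream XOR chosen for the demo rather than the malware's actual scheme, and the dates, the shared key and the `looks_like_dead_drop` hunting heuristic at the end are all assumptions made for illustration.

```python
"""Calendar dead-drop C2, simulated end to end (added example, not the malware).

The calendar is an in-memory list standing in for an attacker-controlled
Google Calendar; the cipher is a SHA-256 keystream XOR chosen for the demo,
not TOUGHPROGRESS's scheme; dates, key and the hunting heuristic at the end
are all assumptions made for illustration."""
import base64
import hashlib
import os
from datetime import date

COMMAND_DATE = date(2023, 5, 30)   # fixed past date the implant polls (assumption)
RESULT_DATE = date(2023, 7, 30)    # fixed past date results are written to (assumption)
KEY = b"demo-shared-key"           # constructed key embedded in both ends


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256(key || nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> str:
    """Return base64(nonce || plaintext XOR keystream); fresh nonce per message."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return base64.b64encode(nonce + ct).decode()


def decrypt(key: bytes, blob: str) -> bytes:
    raw = base64.b64decode(blob)
    nonce, ct = raw[:12], raw[12:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class FakeCalendar:
    """Minimal stand-in for the Calendar API: events looked up by their date."""

    def __init__(self):
        self.events = []   # each event: {"date": date, "description": str}

    def insert(self, on: date, description: str) -> None:
        self.events.append({"date": on, "description": description})

    def list_on(self, on: date) -> list:
        return [e for e in self.events if e["date"] == on]


def operator_task(cal: FakeCalendar, key: bytes, command: str) -> None:
    """Operator side: drop an encrypted command into an event on COMMAND_DATE."""
    cal.insert(COMMAND_DATE, encrypt(key, command.encode()))


def implant_poll(cal: FakeCalendar, key: bytes, execute) -> int:
    """Implant side: fetch COMMAND_DATE events, decrypt, run, write results back."""
    handled = 0
    for ev in cal.list_on(COMMAND_DATE):
        cmd = decrypt(key, ev["description"]).decode()
        cal.insert(RESULT_DATE, encrypt(key, execute(cmd).encode()))
        handled += 1
    return handled


def operator_collect(cal: FakeCalendar, key: bytes) -> list:
    """Operator side: read back and decrypt everything on RESULT_DATE."""
    return [decrypt(key, e["description"]).decode() for e in cal.list_on(RESULT_DATE)]


def fake_execute(cmd: str) -> str:
    """Simulated command execution; nothing is actually run on the host."""
    return {"whoami": "corp\\svc_backup", "hostname": "FS01"}.get(cmd, "unknown: " + cmd)


def looks_like_dead_drop(description: str) -> bool:
    """Hunting heuristic (assumption, not from the report): an event whose
    description is pure base64 decoding to non-text bytes is worth a look."""
    try:
        raw = base64.b64decode(description, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return len(raw) >= 16 and not all(32 <= b < 127 for b in raw)


def run_demo():
    cal = FakeCalendar()
    operator_task(cal, KEY, "whoami")
    operator_task(cal, KEY, "hostname")
    handled = implant_poll(cal, KEY, fake_execute)
    return handled, operator_collect(cal, KEY)


if __name__ == "__main__":
    print(run_demo())
```

Two things the simulation makes visible that the paragraph does not: every hop is an ordinary authenticated Calendar API call, so network-layer controls see only traffic to Google, and the only host-side artefact is a process that polls a calendar it has no business reading. The heuristic at the end is where a defender with Workspace audit access would start, not a detection signature.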
“Misuse of cloud services for C2 is a technique that many threat actors leverage in order to blend in with legitimate activity,” Whitsell wrote.
The Chinese government denies all claims of connections to any hacking groups.
The post Chinese hackers used Google Calendar to aid attacks on government entities appeared first on CyberScoop.
from CyberScoop https://ift.tt/fh504eJ
Harnessing AI’s full transformative potential safely and securely requires more than an incremental enhancement of existing cybersecurity practices. A Secure by Design approach represents the best path forward.
from darkreading https://ift.tt/xu5oXrv
Cybersecurity researchers have discovered a security flaw in Microsoft’s OneDrive File Picker that, if successfully exploited, could allow websites to access a user’s entire cloud storage content, as opposed to just the files selected for upload via the tool.
“This stems from overly broad OAuth scopes and misleading consent screens that fail to clearly explain the extent of access being granted,
from The Hacker News https://ift.tt/7I68qWE
The August acquisition will bring together Red Canary’s extensive integration ecosystem with Zscaler’s cloud transaction data to deliver an AI-powered security operations platform.
from darkreading https://ift.tt/VyqhSWj
Cybersecurity researchers have disclosed details of a coordinated cloud-based scanning activity that targeted 75 distinct “exposure points” earlier this month.
The activity, observed by GreyNoise on May 8, 2025, involved as many as 251 malicious IP addresses that are all geolocated to Japan and hosted by Amazon.
“These IPs triggered 75 distinct behaviors, including CVE exploits,
from The Hacker News https://ift.tt/gDfB1WV
Zscaler announced Tuesday its intention to acquire Red Canary, a company known for Managed Detection and Response (MDR) services, to boost its ability to integrate artificial intelligence, automation and human expertise into its security offerings.
The acquisition is positioned around the convergence of Zscaler’s data-driven, AI-centric cloud security and Red Canary’s decade of operational expertise in MDR. Zscaler’s executive leadership emphasizes the blending of large-scale data intelligence and automated, agentic Security Operations Centers (SOCs) with the capabilities of ThreatLabz, its security research division.
“The proposed acquisition of Red Canary is a natural expansion of our capabilities into managed detection and response and threat intelligence to accelerate our vision of AI-powered SOC of the future,” Jay Chaudhry, CEO and founder of Zscaler, said in a press release. “By integrating Red Canary with Zscaler, we will deliver to our customers the power of a fully integrated Zero Trust platform and AI-powered security operations.”
Red Canary, with over a decade of experience in MDR and security operations, is known for accelerating threat investigation and automating remediation at scale. Its core value proposition focuses on swift, accurate threat detection, claiming up to a tenfold reduction in investigation time and an accuracy rate of 99.6% across extensive customer deployments.
Zscaler brings scale and data depth to the equation, protecting nearly 45% of Fortune 500 enterprises. Its cloud security platform handles more than 500 billion transactions per day, forming a substantial data lake used to fuel AI-based security products and digital experience tools.
By joining Zscaler, Red Canary anticipates access to a broader array of security data, including that processed on Zscaler’s Zero Trust Exchange and exposure management systems. The integration aims to enhance the speed and accuracy of threat detection, further leveraging cross-domain insights from endpoints, networks, cloud workloads, and identity systems.
“We’re about to gain access to 500 billion daily transactions of data and threat intelligence processed on Zscaler’s Zero Trust Exchange and exposure management data,” Brian Beyer, Red Canary CEO and co-founder, said in a release. “This will significantly enhance our ability to detect threats faster and more accurately. The innovation this will bring is going to be incredible.”
The deal reflects a growing trend in cybersecurity toward consolidation and integration, as enterprises are seeking to centralize their data, automate detection and response, and use AI to offset talent shortages.
Earlier this month, Proofpoint acquired Germany-based Hornetsecurity for $1 billion. In March, Google announced plans to acquire Israeli-founded cloud security startup Wiz for $32 billion, while Palo Alto Networks revealed its intention in April to purchase AI-focused startup Protect AI.
Terms of the deal were not disclosed. The agreement, subject to regulatory approvals, is expected to close in August 2025.
The post ZScaler acquires Red Canary for boost in AI-driven security operations appeared first on CyberScoop.
from CyberScoop https://ift.tt/rCbP5RY
As the internet fills up with clips from AI-video generators, hacking groups are seeding the online landscape with malware-laced programs and fake websites hoping to cash in on the trend.
Tracked by researchers at Mandiant and Google Cloud, the campaign is being carried out by a group identified as “UNC6032.” Since mid-2024, they have spread thousands of advertisements, fake websites and social media posts promising victims access to popular prompt-to-video AI generation tools like Luma AI, Canva Dream Lab and Kling AI.
Those promises lead to phishing pages and malware, with the group deploying infostealers and backdoors on victim devices. Compromised parties saw their login credentials, cookies, credit card data and in some cases Facebook information stolen, and the scheme appears to be impacting a wide range of industries and geographic areas.
“Mandiant Threat Defense has identified thousands of UNC6032-linked ads that have collectively reached millions of users across various social media platforms like Facebook and LinkedIn,” wrote researchers Diana Ion, Rommel Joven and Yash Gupta. “We suspect similar campaigns are active on other platforms as well, as cybercriminals consistently evolve tactics to evade detection and target multiple platforms to increase their chances of success.”
The emergence of highly realistic AI prompt-to-video generation tools over the past several months has generated curiosity, concerns and a significant amount of interest from the public. According to Google Trends, internet searches for AI video generation tools have surged over the past year, and especially since April.
The technology today is capable of creating startlingly lifelike people and scenes with virtually none of the glitching or visual cues that made previous AI-generated videos easier to spot.
Cybersecurity company Morphisec, which published similar research earlier this month, noted how the proliferation of AI video generators over the past year has lowered the barrier for new entrants, giving even low-technical users the ability to create realistic fake media. The rush to jump on this latest trend, from users who may not be highly technical or familiar with AI tools, represents a new opportunity for cybercriminals and hackers.
“What makes this campaign unique is its exploitation of AI as a social engineering lure — turning an emerging legitimate trend into an infection vector,” wrote Morphisec researcher Shmuel Uzan. “Unlike older malware campaigns disguised as pirated software or game cheats, this operation targets a newer, more trusting audience: creators and small businesses exploring AI for productivity.”
Mandiant researchers gave a shout-out to Meta, which was apparently aware of and investigating UNC6032’s campaign before being notified by Mandiant, and contributed to the research. Using Meta’s ad library, which has enhanced ad targeting information for European users due to regulations, Mandiant’s team found more than 30 different websites that were cited in thousands of fake ads, mostly on Facebook through attacker-created pages or hacked accounts.
Nearly all the websites advertised free or high-quality AI-video generation capabilities.
“Once the user provides a prompt to generate a video, regardless of the input, the website will serve one of the static payloads hosted on the same (or related) infrastructure,” the researchers wrote.
Google Cloud has said UNC6032 has a “nexus” to Vietnam. Mandiant and Google Cloud use the term “UNC” to denote unique clusters of hacking activity for which there is only limited available information and telemetry.
That means UNC6032 may be an offshoot of a previously tracked threat group using different tactics, techniques and procedures or a completely new hacking group, and while the activity has a “nexus” to Vietnam, that does not necessarily imply a state-based connection.
The post Mandiant flags fake AI video generators laced with malware appeared first on CyberScoop.
from CyberScoop https://ift.tt/lyISF9u
A newly discovered Russian state-sponsored threat group has targeted a large swath of industries, especially in NATO member states and Ukraine, part of a global espionage campaign in support of Moscow’s interests, Microsoft Threat Intelligence said in a Tuesday blog post.
Laundry Bear, a group Microsoft tracks as Void Blizzard, has attacked multiple governments and critical infrastructure providers since at least 2024. Dutch intelligence and security services agencies on Tuesday said the group infiltrated the Netherlands’ national police force’s systems in September 2024 and stole work-related contact details on police staff.
“We have seen this hacker group successfully gain access to sensitive information from a large number of government organizations and companies worldwide,” Peter Reesink, director of the Netherlands’ Ministry of Defense, said in a statement Tuesday, according to a translation. “Laundry Bear is looking for information about the purchase and production of military equipment by Western governments and Western deliveries of weapons to Ukraine.”
The group’s initial access methods are unsophisticated, yet it has gained access to and stolen data from multiple organizations in critical sectors.
“While Void Blizzard’s tactics, techniques, and procedures are not unique among advanced persistent threat actors or even Russian nation state-sponsored groups, the widespread success of their operations underscores the enduring threat from even unsophisticated TTPs when leveraged by determined actors seeking to collect sensitive information,” Microsoft threat researchers said in the blog post.
Void Blizzard has engaged in espionage targeting government agencies, defense suppliers, and organizations in communications, IT, health care, education, media and transportation since mid-2024, according to Microsoft.
“The threat actor uses stolen credentials — which are likely procured from commodity infostealer ecosystems — and collects a high volume of email and files from compromised organizations,” Microsoft threat researchers said. The group also conducts password spray attacks, and likely buys session cookies and other credentials from the same criminal ecosystems, Microsoft added.
Void Blizzard uses these credentials to gain initial access to Exchange and SharePoint Online for intelligence gathering. The group then abuses legitimate cloud APIs to sift through mailboxes and cloud-hosted files prior to automating bulk theft of cloud-hosted data, Microsoft said.
In some cases, the group has accessed Microsoft Teams conversations and messages, and cataloged Microsoft Entra ID configuration to gain information about the users, roles, groups, applications and devices in the compromised tenant.
Microsoft Threat Intelligence in April identified a Void Blizzard adversary-in-the-middle spear-phishing campaign that targeted more than 20 non-governmental organizations (NGOs) in Europe and the United States. In those attacks, the threat group used a typosquatted domain to spoof Microsoft Entra authentication.
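The password-spray-then-harvest pattern described above is the part a defender can catch earliest, in sign-in telemetry. The following is an added example, not Microsoft's detection content: the records are constructed in the shape of Entra ID interactive sign-in events with a simplified field set (time, user, ip, result), and the schema, account names, thresholds and addresses are assumptions for the demo. It flags any source that fails against many distinct accounts inside a short window and then lists the accounts that subsequently succeeded from that same source, which are the ones to reset first.

```python
"""Hunting a password spray in sign-in logs (added example, not Microsoft's content).

SIGNIN_LOG is constructed for the demo in the shape of Entra ID interactive
sign-in events with a simplified field set; schema, names and addresses are
assumptions. A spray shows up as one source failing against many distinct
accounts in a short window; an account that then succeeds from the same source
is the likely compromised one."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SIGNIN_LOG = [
    # Sprayer 203.0.113.7: one failure per account, then a hit on m.devries.
    {"time": "2025-05-20T02:00:00", "user": "a.jansen@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-05-20T02:01:00", "user": "p.bakker@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-05-20T02:02:00", "user": "s.visser@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-05-20T02:03:00", "user": "k.vos@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-05-20T02:04:00", "user": "m.devries@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-05-20T02:05:00", "user": "r.mulder@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-05-20T02:06:00", "user": "j.dekker@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-05-20T02:07:00", "user": "l.bos@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-05-20T02:09:00", "user": "m.devries@example.org", "ip": "203.0.113.7", "result": "success"},
    # Benign 198.51.100.4: one user mistypes a password three times, then gets in.
    {"time": "2025-05-20T02:01:00", "user": "b.smit@example.org", "ip": "198.51.100.4", "result": "failure"},
    {"time": "2025-05-20T02:02:00", "user": "b.smit@example.org", "ip": "198.51.100.4", "result": "failure"},
    {"time": "2025-05-20T02:03:00", "user": "b.smit@example.org", "ip": "198.51.100.4", "result": "failure"},
    {"time": "2025-05-20T02:04:00", "user": "b.smit@example.org", "ip": "198.51.100.4", "result": "success"},
]


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def _has_burst(failures, min_users, window):
    """Sliding window over time-sorted failures: True if any span no longer than
    `window` holds failures for at least `min_users` distinct accounts."""
    live = Counter()
    left = 0
    for rec in failures:
        live[rec["user"]] += 1
        while _ts(rec) - _ts(failures[left]) > window:
            gone = failures[left]["user"]
            live[gone] -= 1
            if live[gone] == 0:
                del live[gone]
            left += 1
        if len(live) >= min_users:
            return True
    return False


def detect_spray(records, min_users=5, window=timedelta(minutes=60)):
    """Return {ip: {"failed_users": [...], "succeeded_users": [...]}} for each
    source IP whose failures cover >= min_users distinct accounts within `window`.
    succeeded_users are accounts that signed in successfully from that IP at or
    after its first failure: reset and investigate those first."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=_ts)
        failures = [r for r in events if r["result"] == "failure"]
        if not failures or not _has_burst(failures, min_users, window):
            continue
        first_fail = _ts(failures[0])
        findings[ip] = {
            "failed_users": sorted({r["user"] for r in failures}),
            "succeeded_users": sorted({r["user"] for r in events
                                       if r["result"] == "success" and _ts(r) >= first_fail}),
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(SIGNIN_LOG).items():
        print(ip, "sprayed", len(f["failed_users"]), "accounts; succeeded:", f["succeeded_users"])
```

The benign source is excluded because the rule keys on distinct accounts per source, not raw failure count, which is what separates a spray from one user fumbling a password. Against a real tenant, run the same logic over the sign-in log export and tune `min_users` and `window` down for the slow, spread-out sprays the article describes as "unsophisticated" but effective.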
“This new tactic suggests that Void Blizzard is augmenting their opportunistic but focused access operations with a more targeted approach, increasing the risk for organizations in critical sectors,” Microsoft said.
Microsoft declined to answer questions about how many attacks have been attributed to Void Blizzard to date and how much the group’s threat activity levels have increased in the past year.
Laundry Bear has targeted “virtually all countries” in the European Union and NATO, Dutch intelligence and security agencies said in a cybersecurity advisory, adding that the group has also attacked organizations in Eastern and Central Asia.
Dutch officials said Laundry Bear operates at a high pace and described the group as “very successful,” compared to some other Russian state-sponsored threat groups.
The post New Russian state-sponsored APT quickly gains global reach, hitting expansive targets appeared first on CyberScoop.
from CyberScoop https://ift.tt/WjQnlMt