Friday 8th November 2024

Good morning everyone, thank you for joining me for the latest installment of Cyber Daily. Today's edition looks into some new developments showing how far hackers are willing to go. First up, China-aligned hackers are targeting diplomatic organisations across Europe, expanding their espionage reach. Next, a UK-based fleet tracking firm suffered a cyberattack that temporarily halted security systems in prison transport vans—leaving crews relying on old-school paper maps and phone check-ins. And as if that weren’t enough, a global phishing scam is baiting victims with fake copyright claims to steal personal data using AI-enhanced malware. Enjoy!


China-backed hacking group expands its reach into the EU

MirrorFace, a cyber-espionage group with alleged links to China, has expanded its operations, hitting a diplomatic organisation within the EU for the first time. The group, also known as Earth Kasha and suspected to be part of the broader APT10 umbrella, has historically focused on Japan-related targets. In this latest campaign, MirrorFace sent spear-phishing emails with a link to a ZIP file referencing the 2025 World Expo in Japan—a lure that reflects its Japan-centric targeting strategy, according to cybersecurity firm ESET.

The ZIP file contained malware: ANEL, an old MirrorFace tool last seen in 2018, deployed alongside NOOPDOOR to infiltrate the victim’s systems. The campaign also highlights China-aligned hackers’ growing reliance on open-source tools such as SoftEther VPN to maintain stealthy, long-term access to compromised networks. Meanwhile, other China-backed actors, such as Volt Typhoon and Salt Typhoon, have increasingly targeted critical telecom infrastructure, including the phone lines of U.S. officials, indicating a sweeping interest in both surveillance and network control on a global scale.

UK vehicle tracking firm Microlise hit by cyberattack, disrupts prison van security

Microlise, a UK-based vehicle tracking provider, faced a cyberattack last week, impacting tracking and alarm systems for fleets including prison transport and courier services. The breach, disclosed on October 31, disabled critical features like location tracking and panic alarms on some vehicles. Microlise swiftly launched an investigation with external cybersecurity experts and has since been gradually restoring its services, expecting full recovery by next week.

While Microlise said that no customer system data was compromised, the hack did expose some employee information. Affected individuals are being notified, and the UK’s Information Commissioner’s Office has been informed.

Government contractor Serco, responsible for prisoner transport, was one of the key clients affected. Serco temporarily reverted to manual protocols, including paper maps and regular base check-ins to maintain prisoner transport security. DHL’s courier fleet also faced disruptions, forcing some drivers to operate without real-time tracking. Microlise noted that the cyber incident won’t impact its financial outlook but has yet to share specifics on the attack type or its broader customer impact.

Global phishing campaign uses fake copyright notices to deliver Rhadamanthys malware

Since July, an expansive phishing campaign dubbed “CopyRh(ight)adamantys” has been tricking victims worldwide into downloading the latest version of the Rhadamanthys information stealer by posing as copyright notices. Spearheaded by a financially motivated cybercrime group, the campaign has impersonated over a dozen companies across sectors like entertainment and tech to spread malware-laden files under the guise of legal notices, according to cybersecurity firm Check Point.

Victims receive emails claiming copyright violations, with instructions supposedly included in a password-protected file hosted on platforms like Dropbox and Discord. Once downloaded, the file activates Rhadamanthys v0.7, which utilises AI-based optical character recognition (OCR) to steal sensitive information. In a parallel operation, attackers are distributing SteelFox malware by embedding it in cracked software, including fake versions of AutoCAD and Foxit PDF Editor. SteelFox, delivered via complex execution chains, uses vulnerable Windows drivers to gain system privileges, deploy cryptocurrency mining software, and siphon sensitive browser data.

These campaigns illustrate the evolution of phishing attacks, with a global reach and sophisticated tactics that continue to outsmart standard cybersecurity measures.
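As an added example (not part of this newsletter or of Check Point’s report), the Python check below triages an email for the lure shape described above: a copyright claim, a link to a consumer file-sharing host such as Dropbox or Discord, and a password-protected archive. The keyword and host lists and the two sample messages are constructed assumptions, not indicators from the campaign.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Indicators taken from the CopyRh(ight)adamantys description: a copyright
# violation claim as the lure, "instructions" in a password-protected file,
# hosted on Dropbox or Discord. Word and host lists are assumptions for this example.
LURE_WORDS = ("copyright", "infringement", "unauthorised use", "unauthorized use")
FILE_HOSTS = ("dropbox.com", "discord.com", "discordapp.com")
ARCHIVE_HINTS = ("password", ".zip", ".rar", ".7z")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _plain_text(msg) -> str:
    """Collect the text/plain content of a parsed message (multipart or not)."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def triage_email(raw: str) -> dict:
    """Flag the lure pattern: copyright claim + file-sharing link + archive hint."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')}\n{_plain_text(msg)}".lower()
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(text)}
    hits = []
    if any(w in text for w in LURE_WORDS):
        hits.append("copyright lure wording")
    if any(h == f or h.endswith("." + f) for h in hosts for f in FILE_HOSTS):
        hits.append("link to consumer file-sharing host")
    if any(a in text for a in ARCHIVE_HINTS):
        hits.append("password-protected archive mentioned")
    # A copyright claim alone is normal for genuine notices; the claim plus a
    # download from a consumer file-sharing host is the campaign's shape.
    suspicious = ("copyright lure wording" in hits
                  and "link to consumer file-sharing host" in hits)
    return {"from": msg.get("From", ""), "hosts": sorted(hosts),
            "indicators": hits, "suspicious": suspicious}


# Constructed sample messages for the demo; not real campaign emails.
LURE_SAMPLE = """From: Legal Notices <legal-notices@sender.invalid>
Subject: Copyright infringement notice - action required within 48 hours

Evidence and required steps: https://www.dropbox.com/s/constructedid/Notice.zip?dl=1 (password 2024).
"""
BENIGN_SAMPLE = """From: Accounts <accounts@supplier.invalid>
Subject: Invoice 4471 for October

Your invoice is on our portal: https://portal.supplier.invalid/inv/4471
"""
```

Run `triage_email(LURE_SAMPLE)` and `triage_email(BENIGN_SAMPLE)` to compare the indicator lists; in a mail gateway the same function would run over each inbound message and route flagged ones to review.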

Eric Lee

Prin. Svc Delivery Dir., Svc Leadership | ITIL | IT governance | Strategic engagement | Research

2 weeks

Thanks for the valuable information

Marcel Velica

Senior Security Program Manager | Leading Cybersecurity Initiatives | Driving Strategic Security Solutions| Cybersecurity Excellence | Cloud Security

2 weeks

Staying ahead of these evolving tactics is key to keeping systems secure. Thanks for sharing! Aidan Dickenson

Richard Obisanya

Break Into Tech with 0 experience | Founder @ Rich in Tech | Snr AE | 1M+ Monthly Views | Father x1 | GIG

2 weeks

Let’s goo man this is awesome

Rab Bassi

LOCKSMITH who unlocks excellence in people and technology | Executive Coach | CTO, CIO, CXO | Innovator

2 weeks

Do people still click on random files in unexpected emails? Another common one is “a message has arrived for you”. My guidance for staff was to follow the WWW rule: Who? Check the To and From addresses by hovering or right-clicking. Ensure the email addresses are familiar and not disguised, like “Your Boss” [email protected]. What? Does the content make sense and was it expected? Even if it’s from a trusted friend, their email might have been hacked. When? Was it sent at a time you were expecting emails? If in doubt, forward to the IT team and delete. Does this capture what you were aiming for?