ColdRiver APT: Google TAG Warns That Russian APT Group Is Using a Custom Backdoor


Google has warned that COLDRIVER, a Russia-linked threat actor that is expanding its targeting, has also been developing custom malware.

ColdRiver APT

The ColdRiver APT (aka “Seaborgium“, “Callisto”, “Star Blizzard”, “TA446”) is a Russian cyberespionage outfit that has been targeting government officials, military personnel, journalists and think tanks since at least 2015.

The threat actor has previously engaged in ongoing phishing and credential theft efforts that resulted in intrusions and data theft. Although specialists have noticed efforts targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine, the APT predominantly targets NATO member states.

Google TAG researchers have warned that COLDRIVER is enhancing its tactics, techniques, and procedures (TTPs) in order to evade detection.

TAG has recently seen COLDRIVER use phishing efforts to spread bespoke malware using PDFs as lure materials. Google experts discovered and stopped these attempts by adding all known domains and hashes to Safe Browsing blocklists.

In November 2022, TAG observed COLDRIVER sending malicious PDF documents to its targets from fraudulent accounts. The lure documents were presented as new opinion pieces or other kinds of articles that the sender hoped to publish, and the recipient was asked for feedback. When the victim opens the PDF, the text appears encrypted.

If the target cannot read the content and contacts the threat actors, the cyberspies send a link to a decryption tool hosted on the threat actors' website. After the tool is downloaded and run, a backdoor, tracked as SPICA, is installed and a bogus document appears.

“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user. In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute,” reads TAG’s analysis. 

Spica is a Rust backdoor that uses JSON over websockets for C2. Spica supports multiple capabilities, such as: 

  • Executing arbitrary shell commands. 
  • Stealing cookies from Chrome, Firefox, Opera and Edge. 
  • Uploading and downloading files. 
  • Browsing the filesystem by listing its contents.
  • Enumerating documents and exfiltrating them in an archive.
  • There is also a command called “telegram,” however the functionality of this command is unclear.

The infection stays persistent through an obfuscated PowerShell command that creates a scheduled task called CalendarChecker.

The Russian APT has reportedly been using SPICA since at least November 2022, while the researchers have only observed its use since early September 2023.
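One way to hunt for the persistence described above, as an added example that is not from TAG or the original post: it parses Windows Security event 4698 (scheduled task created) records and flags the CalendarChecker task name, plus any task that launches PowerShell with encoded or hidden-window arguments. The events are constructed samples, and the argument patterns and the `UpdateHelper` task are assumptions, since the post does not give SPICA's actual command line.

```python
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task name reported for SPICA persistence in the post above.
KNOWN_TASK_NAMES = {"calendarchecker"}

# Assumption: generic signs of an obfuscated PowerShell launch, not SPICA's real arguments.
OBFUSCATION_HINTS = {
    "encoded command": re.compile(r"(?i)-e[a-z]*\s+[A-Za-z0-9+/=]{20,}"),
    "hidden window": re.compile(r"(?i)-w[a-z]*\s+hidden"),
    "base64 decode": re.compile(r"(?i)frombase64string"),
}


def parse_task_created(event_xml):
    """Return (task_name, [command lines]) for a 4698 event, or None for other events."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=EVT) != "4698":
        return None
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", EVT)}
    # TaskContent holds the task definition XML; drop any XML declaration before parsing.
    content = re.sub(r"^\s*<\?xml[^>]*\?>", "", data.get("TaskContent", ""))
    actions = []
    if content.strip():
        task = ET.fromstring(content)
        for ex in task.findall("t:Actions/t:Exec", TASK):
            cmd = ex.findtext("t:Command", default="", namespaces=TASK)
            args = ex.findtext("t:Arguments", default="", namespaces=TASK)
            actions.append((cmd + " " + args).strip())
    return data.get("TaskName", ""), actions


def triage(events):
    """Return [(task_name, [reasons])] for events worth an analyst's attention."""
    findings = []
    for event_xml in events:
        parsed = parse_task_created(event_xml)
        if parsed is None:
            continue
        name, actions = parsed
        reasons = []
        if name.rsplit("\\", 1)[-1].lower() in KNOWN_TASK_NAMES:
            reasons.append("task name reported for SPICA")
        for line in actions:
            if "powershell" in line.lower() or "pwsh" in line.lower():
                reasons += [f"powershell: {label}"
                            for label, rx in OBFUSCATION_HINTS.items() if rx.search(line)]
        if reasons:
            findings.append((name, reasons))
    return findings


def make_event(event_id, task_name, command, arguments):
    """Build a constructed, minimal event record in the 4698 layout."""
    task = (f'<Task xmlns="{TASK["t"]}"><Actions><Exec>'
            f'<Command>{escape(command)}</Command>'
            f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')
    return (f'<Event xmlns="{EVT["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task)}</Data></EventData></Event>')


# Constructed sample data: a harmless command, encoded the way -EncodedCommand expects.
_B64 = base64.b64encode("Write-Output 'demo'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    make_event(4698, "\\CalendarChecker", "powershell.exe",
               f"-WindowStyle Hidden -EncodedCommand {_B64}"),
    make_event(4698, "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
               "%windir%\\system32\\defrag.exe", "-c -h -o"),
    make_event(4698, "\\UpdateHelper", "powershell.exe", f"-nop -w hidden -e {_B64}"),
    make_event(4624, "\\NotATaskEvent", "powershell.exe", f"-e {_B64}"),
]

if __name__ == "__main__":
    for task_name, why in triage(SAMPLE_EVENTS):
        print(task_name, "->", "; ".join(why))
```

Event 4698 is only written when auditing of "Other Object Access Events" is enabled, so an empty result on a host without that audit policy says nothing about whether the task exists.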

Analysing Advanced Persistent Threats 2023: Tactics, Targets, and Trends

 

The term "Advanced Persistent Threat" (APT) denotes a highly specialised category of cyber adversaries within the field of cybersecurity. These entities distinguish themselves through advanced skill sets and substantial access to resources, often employing sophisticated tools and techniques. APTs typically exhibit state sponsorship, indicating either direct or indirect government support or intricate ties to organized crime syndicates. 

This connection to state actors or criminal groups grants them a level of persistence and capability that far exceeds that of conventional cybercriminals. In 2023, the cybersecurity landscape has witnessed the persistent activity of several Advanced Persistent Threat (APT) groups, with attributions largely pointing to nation-states, notably Iran and China. These sophisticated entities operate at the forefront of cyber capabilities, employing advanced tactics, techniques, and procedures. Their activities extend beyond conventional cybercriminal motives, often involving strategic objectives tied to geopolitical influence, military espionage, or the compromise of critical infrastructure. As the year unfolds, the vigilance of cybersecurity experts remains crucial in monitoring and responding to the evolving tactics employed by these APT groups, reflecting the ongoing challenge of safeguarding against state-sponsored cyber threats.  

Here’s a summary of some of the most active and prominent APT Groups as of 2023:  

1) APT39  

APT39, believed to be associated with Iran, has emerged as a notable player in the cyber threat landscape in 2023. This advanced persistent threat group strategically directs its efforts towards the Middle East, with a specific focus on key sectors such as telecommunications, travel, and information technology firms. APT39 employs a sophisticated arsenal of cyber tools, including the use of SEAWEED and CACHEMONEY backdoors, along with spearphishing techniques for initial compromise. 

2) APT35 

APT35, believed to be affiliated with Iran, has solidified its position as a significant threat in 2023, honing its focus on military, diplomatic, and government personnel across the U.S., Western Europe, and the Middle East. Employing a sophisticated toolkit that includes malware such as ASPXSHELLSV and BROKEYOLK, the group employs a multifaceted approach, leveraging spearphishing and password spray attacks to infiltrate target networks. APT35's strategic interests span various sectors, encompassing U.S. and Middle Eastern military, diplomatic and government personnel, as well as organizations in the media, energy, defense industrial base (DIB), and the engineering, business services, and telecommunications sectors.  

3) APT41 

APT41, believed to be linked to China, continues to pose a significant cyber threat in 2023, targeting a diverse range of sectors including healthcare, telecommunications, high-tech, education, and news/media. Renowned for employing an extensive arsenal of malware and spear-phishing tactics with attachments, APT41 demonstrates a multifaceted approach, engaging in both state-sponsored espionage and financially motivated activities. Researchers have identified APT41 as a Chinese state-sponsored espionage group that has also ventured into financially motivated operations. Active since at least 2012, the group has been observed targeting industries such as healthcare, telecom, technology, and video games across 14 countries. APT41's activities overlap, at least partially, with other known threat groups, including BARIUM and Winnti Group, underscoring the complexity and interconnected nature of cyber threats associated with this sophisticated actor.  

4) APT40 

APT40, associated with China, maintains a strategic focus on countries crucial to China's Belt and Road Initiative, with a particular emphasis on the maritime, defense, aviation, and technology sectors. Notably active in 2023, APT40 employs a diverse range of techniques for initial compromise, showcasing their sophisticated capabilities. These methods include web server exploitation, phishing campaigns delivering both publicly available and custom backdoors, and strategic web compromises. APT40's modus operandi involves the utilization of compromised credentials to access connected systems and conduct reconnaissance. The group further employs Remote Desktop Protocol (RDP), Secure Shell (SSH), legitimate software within victim environments, an array of native Windows capabilities, publicly available tools, and custom scripts to facilitate internal reconnaissance. This comprehensive approach highlights APT40's adaptability and underscores the persistent and evolving nature of cyber threats in the geopolitical landscape. 

5) APT31 

Focused on government entities, international financial organizations, aerospace, and defense sectors, among others, APT31, also known as Zirconium or Judgment Panda, stands out as a formidable Advanced Persistent Threat group with a clear mission likely aligned with gathering intelligence on behalf of the Chinese government. Operating in 2023, APT31 exhibits a strategic approach, concentrating on exploiting vulnerabilities in applications like Java and Adobe Flash to achieve its objectives. Similar to other nation-state actors, the group's primary focus is on acquiring data relevant to the People's Republic of China (PRC) and its strategic and geopolitical ambitions. The group's activities underscore the ongoing challenge of safeguarding sensitive information against sophisticated state-sponsored cyber threats. 

6) APT30 

APT30, believed to be associated with China, distinguishes itself through its noteworthy focus on long-term operations and the infiltration of air-gapped networks, specifically targeting members of the Association of Southeast Asian Nations (ASEAN). Employing malware such as SHIPSHAPE and SPACESHIP, this threat actor utilizes spear-phishing techniques to target government and private sector agencies in the South China Sea region. Notably, APT30's objectives appear to lean towards data theft rather than financial gain, as they have not been observed targeting victims or data that can be readily monetized, such as credit card information or bank credentials. Instead, the group's tools demonstrate functionality tailored for identifying and stealing documents, with a particular interest in those stored on air-gapped networks. APT30 employs decoy documents on topics related to Southeast Asia, India, border areas, and broader security and diplomatic issues, indicating a strategic approach to lure in and compromise their intended targets in the geopolitical landscape. 

7) APT27 

APT27, believed to be operating from China, is a formidable threat actor specializing in global intellectual property theft across diverse industries. Employing sophisticated malware such as PANDORA and SOGU, the group frequently relies on spear-phishing techniques for initial compromise. APT27 demonstrates versatility in deploying a wide array of tools and tactics for its cyberespionage missions. Notably, between 2015 and 2017, the group executed watering hole attacks through the compromise of nearly 100 legitimate websites to infiltrate victims' networks. Targeting sectors including government, information technology, research, business services, high tech, energy, aerospace, travel, automotive, and electronics, APT27 operates across regions such as North America, South-East Asia, Western Asia, Eastern Asia, South America, and the Middle East. The group's motives encompass cyberespionage, data theft, and ransom, employing a diverse range of malware including Sogu, Ghost, ASPXSpy, ZxShell RAT, HyperBro, PlugX RAT, Windows Credential Editor, and FoundCore.

8) APT26 

APT26, suspected to have origins in China, specializes in targeting the aerospace, defense, and energy sectors. Recognized for its strategic web compromises and deployment of custom backdoors, this threat actor's primary objective is intellectual property theft, with a specific focus on data and projects that provide a competitive edge to targeted organizations within their respective fields. The group's tactics involve the utilization of associated malware such as SOGU, HTRAN, POSTSIZE, TWOCHAINS, and BEACON. APT26 employs strategic web compromises as a common attack vector to gain access to target networks, complementing their approach with custom backdoors deployed once they penetrate a victim's environment.  

9) APT25 

APT25, also recognized as Uncool, Vixen Panda, Ke3chang, Sushi Roll, and Tor, is a cyber threat group with suspected ties to China. The group strategically targets the defense industrial base, media, financial services, and transportation sectors in both the U.S. and Europe. APT25's primary objective is data theft, and its operations are marked by the deployment of associated malware such as LINGBO, PLAYWORK, MADWOFL, MIRAGE, TOUGHROW, TOYSNAKE, and SABERTOOTH. Historically, the group has relied on spear-phishing techniques in its operations, incorporating malicious attachments and hyperlinks in deceptive messages. APT25 actors typically refrain from using zero-day exploits but may leverage them once they become public knowledge. The group's consistent focus on targeted sectors and methods underscores its persistence and intent to pilfer sensitive information from key industries in the U.S. and Europe. 

10) APT24 

APT24, also known as PittyTiger and suspected to have origins in China, conducts targeted operations across a diverse array of sectors, including government, healthcare, construction, mining, nonprofit, and telecommunications industries. The group has historically targeted organizations in countries such as the U.S. and Taiwan. APT24 is distinguished by its use of the RAR archive utility to encrypt and compress stolen data before exfiltration from the network. Notably, the stolen data primarily consists of politically significant documents, indicating the group's intention to monitor the positions of various nation-states on issues relevant to China's ongoing territorial or sovereignty disputes. Associated malware utilized by APT24 includes PITTYTIGER, ENFAL, and TAIDOOR. The group employs phishing emails with themes related to military, renewable energy, or business strategy as lures, and its cyber operations primarily focus on intellectual property theft, targeting data and projects that contribute to an organization's competitiveness within its field. 

11) APT23 

APT23, suspected to have ties to China, directs its cyber operations towards the media and government sectors in the U.S. and the Philippines, with a distinct focus on data theft of political and military significance. Unlike other threat groups, APT23's objectives lean towards traditional espionage rather than intellectual property theft. The stolen information suggests a strategic interest in political and military data, implying that APT23 may be involved in supporting more traditional espionage operations. The associated malware used by APT23 is identified as NONGMIN. The group employs spear-phishing messages, including education-related phishing lures, as attack vectors to compromise victim networks. While APT23 actors are not known for utilizing zero-day exploits, they have demonstrated the capability to leverage these exploits once they become public knowledge. 

12) APT22 

Also known as Barista and suspected to be linked to China, APT22 focuses its cyber operations on political, military, and economic entities in East Asia, Europe, and the U.S., with a primary objective of data theft and surveillance. Operating since at least early 2014, APT22 is believed to have a nexus to China and has targeted a diverse range of public and private sector entities, including dissidents. The group utilizes associated malware such as PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, and LOGJAM. APT22 employs strategic web compromises as a key attack vector, allowing for the passive exploitation of targets of interest. Additionally, threat actors associated with APT22 identify vulnerable public-facing web servers on victim networks, uploading webshells to gain access to the victim's network. This comprehensive approach underscores APT22's persistent and multifaceted tactics in carrying out intrusions and surveillance activities on a global scale. 

13) APT43 

Linked to North Korea, APT43 has targeted South Korea, the U.S., Japan, and Europe across various sectors, including government, education/research/think tanks, business services, and manufacturing. Employing spear-phishing and fake websites, the group utilizes the LATEOP backdoor and other malicious tools to gather information. A distinctive aspect of APT43's operations involves stealing and laundering cryptocurrency to purchase operational infrastructure, aligning with North Korea's ideology of self-reliance, thereby reducing fiscal strain on the central government. APT43 employs sophisticated tactics, creating numerous convincing personas for social engineering, masquerading as key individuals in areas like diplomacy and defense. Additionally, the group leverages stolen personally identifiable information (PII) to create accounts and register domains, establishing cover identities for acquiring operational tooling and infrastructure. 

14) Storm-0978 (DEV-0978/RomCom) 

Storm-0978, also known as RomCom, is a Russian-based cybercriminal group identified by Microsoft. Specializing in ransomware, extortion-only operations, and credential-stealing attacks, this group operates, develops, and distributes the RomCom backdoor, and its latest campaign, detected in June 2023, exploited CVE-2023-36884 to deliver a backdoor with similarities to RomCom. Storm-0978's targeted operations have had a significant impact on government and military organizations primarily in Ukraine, with additional targets in Europe and North America linked to Ukrainian affairs. The group is recognized for its tactic of targeting organizations with trojanized versions of popular legitimate software, leading to the installation of RomCom. Notably, ransomware attacks attributed to Storm-0978 have affected industries such as telecommunications and finance, highlighting the group's broad impact and the evolving nature of cyber threats in the geopolitical landscape. 

15) Camaro Dragon 

A Chinese state-sponsored hacking group named 'Camaro Dragon' has recently shifted its focus to infecting residential TP-Link routers with a custom malware called 'Horse Shell.' European foreign affairs organizations are the specific targets of this cyber campaign. The attackers utilize a malicious firmware exclusively designed for TP-Link routers, enabling them to launch attacks appearing to originate from residential networks rather than directly targeting sensitive networks. Check Point, the cybersecurity firm that uncovered this campaign, clarifies that homeowners with infected routers are unwitting contributors rather than specific targets. The infection is attributed to self-propagating malware spread via USB drives. Check Point identified updated versions of the malware toolset, including WispRider and HopperTick, with similar capabilities for spreading through USB drives. These tools are associated with other tools employed by the same threat actor, such as the Go-based backdoor TinyNote and a malicious router firmware implant named HorseShell. The shared infrastructure and operational objectives among these tools provide further evidence of Camaro Dragon's extensive and coordinated cyber activities.

In conclusion, the cybersecurity landscape of 2023 has been defined by a substantial surge in Advanced Persistent Threat (APT) activities, reflecting a sophisticated and dynamic threat environment. This analysis has delved into the intricate and evolving nature of these threats, emphasizing the persistent and increasingly sophisticated endeavours of emerging and established APT groups. These actors, distinguished by high skill levels and substantial resources, often operate with state sponsorship or connections to organized crime, enabling them to execute complex and prolonged cyber campaigns. 

Throughout the year, APTs have prominently featured, executing meticulously planned operations focused on long-term infiltration and espionage. Their objectives extend beyond financial gain, encompassing geopolitical influence, military espionage, and critical infrastructure disruption, posing a significant threat to global stability and security. 

Key regions such as the Asia-Pacific (APAC), South America, Russia, and the Middle East have witnessed diverse APT activities, showcasing unique tactics and targeting various sectors. Notable incidents, including compromising secure USB drives, deploying remote access Trojans (RATs), and sophisticated spear-phishing campaigns, underscore the adaptability of APT groups. The emergence of new actors alongside well-established groups, utilizing platforms like Discord and exploiting zero-day vulnerabilities, highlights the need for enhanced cyber defenses and international cooperation. 

Incidents like the Sandworm attack and exploitation of Atlassian Confluence flaws exemplify the diverse and evolving nature of APT threats, emphasizing their technical prowess and strategic focus on critical sectors and infrastructure. In response, a comprehensive and adaptive approach involving robust security measures, intelligence sharing, and strategic collaboration is essential to effectively mitigate the multifaceted risks posed by these highly skilled adversaries in the ever-evolving cyber threat landscape.

Increasing Threat of Generative AI Technology


Imagine a drastic surge in advanced persistent threats (APTs), malware attacks, and organizational data breaches, and an investigation into the scenario reveals that these attacks were developed by threat actors who have access to generative AI.

That raises a question: who should be held responsible? The cybercriminals? The generative AI bots? The firms that develop these bots? Or perhaps the government that fails to come up with proper regulation and accountability?

Generative AI Technology

Generative AI technology is a form of artificial intelligence that helps users generate text, images, sounds, and other content from inputs or instructions given in natural language.

AI bots such as ChatGPT, Google Bard, Perplexity, and others are available to any online user who wishes to chat, generate human-like text and scripts, or even write complex code.

However, one problem these AI bots have in common is their ability to produce offensive or harmful content based on user input, which may violate ethical standards, inflict harm, or even be illegal.

This is why chatbots include built-in security mechanisms and content filters meant to restrict output that may be harmful or malicious. However, how effective are these preventative methods for content monitoring, and how closely do they resemble cyber defense? The most recent chatbots are reportedly being used by hackers to develop and distribute malware. These chatbots can be "tricked" into creating spam and phishing emails, and they have even assisted bad actors in creating programs that bypass security safeguards and damage computer networks.

Bypassing Chatbot Security Filters

To improve their understanding of the problem, researchers investigated some of the malicious content-generation capabilities of chatbots and identified a few techniques used by fraudsters to get past chatbot security measures. For instance:

  • The chatbot can generate practically anything imaginable if a user jailbreaks it and makes it stay in character. As an illustration, some manipulators have developed prompts that turn the chatbot into a fictional character, such as Yes Man and DAN (Do Anything Now), which deceive the chatbot into thinking that it is exempt from following laws, moral principles, or other obligations.
  • Developing a fictional environment can also prompt the chatbot into behaving as if it is part of a film, series, or book, or a game player assigned a mission to complete or a conversation to follow. In this situation, the chatbot provides content it would not give otherwise. It can sometimes be tricked by character role play that uses words like "for educational purposes" or "for research and betterment of society" to bypass the filter.
  • Another tactic used by threat actors is ‘reverse psychology,’ through which they persuade chatbots into revealing information that they would not otherwise have displayed because of community guidelines.

There are innumerable other ways these chatbots might be used to launch destructive cyberattacks; these methods for getting around ethical and social standards are simply the tip of the iceberg. Modern chatbots are AI-based systems trained on knowledge of the world as it exists today, so they are aware of weaknesses and how to exploit them. Thus, it is high time that online users and AI developers seek innovative ways to ensure safety and mitigate consequences that would otherwise result in destructive cyberspace.  

North Korean Cybercriminals Attempt to Steal $27M in ETH

Hacking organizations 'Lazarus' and 'APT38' supported by the North Korean government were responsible for the loss of $100 million worth of Ethereum from Harmony Horizon in June 2022. 

The stolen funds and the seizure of stolen assets were reported to the authorities. The exploiters' activity closely resembled the attempt undertaken on January 13, 2023, when they tried to launder more than $60 million.

The Binance chain, Bitcoin, and Ethereum transfers are made possible through Harmony's Horizon Bridge. Numerous tokens worth $100,000,000  were taken from the network on June 23, 2022.

North Korean cybercriminals were actively shifting a portion of Harmony's Horizon bridge funds during the last weekend as the price of bitcoin approached $24,000. While several cryptocurrency exchanges instantly froze some of the funds, Binance CEO Changpeng Zhao (CZ) claimed that some exchanges are not helpful in fighting crime, which made it easier to convert ETH to BTC.

According to reports, APT38 was able to convert some of the $27 million in Ether to Bitcoin and withdraw the money from exchanges. The Lazarus group has reportedly been shifting laundered money to a number of addresses in order to mask its true identity through multiple layers.

With the use of its Horizon Bridge, Harmony can transmit data to and from the Ethereum network, Binance Chain, and Bitcoin. On June 23, a number of tokens from the network valued at roughly $100 million were taken.

After the exploit, the Tornado Cash mixer processed 85,700 Ether, which was then deposited at various addresses. The hackers began transferring about $60 million of the stolen money via the Ethereum-based anonymity protocol RAILGUN on January 13. 350 addresses have been linked to the attack through numerous exchanges in an effort to escape detection, according to research by the cryptocurrency tracking tool MistTrack.

Cryptocurrency exchanges like Binance and Huobi have alerted authorities about stolen Harmony's Horizon Bridge funds by freezing them. This demonstrates how DeFi platforms and centralized exchanges are dependent on one another.





Cheerscrypt Spyware Attributed to Chinese APT Entity

The Chinese hacker group Emperor Dragonfly, notorious for frequently switching between several ransomware families to avoid detection, has been connected to the Cheerscrypt ransomware.

The attacks were linked by the cybersecurity company Sygnia to a threat actor also dubbed Bronze Starlight and DEV-0401. The hacking gang seems to be a ransomware operation, but past research suggests that the Chinese government is interested in many of its victims.

Cheerscrypt is the most recent addition to a long range of ransomware families that the gang has previously used, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0 in a little over a year.

Recently, Sygnia researched a Cheerscrypt ransomware operation that utilized Night Sky ransomware TTPs. The attackers then dropped a Cobalt Strike beacon linked to a C2 address formerly tied to Night Sky operations. 

The code for the Babuk ransomware, which was exposed online in June 2021, was used to develop the Cheerscrypt ransomware family, which Trend Micro first analyzed in May 2022. Cheerscrypt is one of several ransomware families used by the APT organization. The DEV-0401 group, unlike other ransomware gangs, oversees every stage of the assault chain directly, from the first access to the data theft. It does not rely on a system of affiliates.

In attacks in January 2022, the hackers exploited the significant Log4Shell vulnerability in Apache Log4j to gain initial access to VMware Horizon servers. They subsequently dropped a PowerShell payload that was used to deliver an encrypted Cobalt Strike beacon. Apart from the beacon, the hackers also deployed three Go-based tools: a keylogger that sent keystrokes to Alibaba Cloud, a customized version of the internet proxy tool iox, and the tunneling program NPS.

Trend Micro initially identified Cheerscrypt in May 2022, highlighting its capacity to target VMware ESXi servers as a component of a tried-and-true strategy known as double extortion to force its victims into paying the ransom or risk having their data exposed.

The hackers break into networks, take information, and encrypt devices just like other ransomware groups that target businesses. The victim is then coerced into paying a ransom through double-extortion methods using the data. The stolen data is posted on a data leak website when a ransom is not paid.

A PowerShell payload that can deliver an encrypted Cobalt Strike beacon has been dropped on VMware Horizon servers by infection chains that have exploited the major Log4Shell vulnerability in the Apache Log4j library.

Cheerscrypt and Emperor Dragonfly share initial access vectors, and lateral movement strategies, including the use of DLL side-loading to distribute the encrypted Cobalt Strike beacon. Notably, the ransomware gang is acting as a 'lone wolf' separated from the rest of the cybercrime community rather than as a RaaS (Ransomware-as-a-Service) platform for affiliates.






Middle East Targeted via Steganography

A hacktivist gang that has previously attacked an African country's stock exchange with malware and seized vast amounts of data is now focusing on the governments of several Middle Eastern countries.

ESET, a cybersecurity company, discovered Witchetty, also known as LookingFrog, for the first time in April 2022. It is thought to be closely associated with the state-sponsored Chinese threat actor APT10, formerly known as Cicada. The gang is also regarded as TA410 personnel, who have previously been connected to strikes against American energy suppliers.

A threat actor identified as Witchetty was seen by Broadcom's Symantec Threat Hunter Team utilizing steganography to conceal an unknown backdoor in a Windows logo.

The new malware uses steganography, a method for hiding a message in an openly available document, to extract dangerous code from a bitmap image of a previous version of the Microsoft Windows logo.

In the campaign that Symantec found, Witchetty is utilizing steganography to conceal backdoor software that is XOR-encrypted in an outdated Windows logo bitmap picture.

"By disguising the payload in this way, the attackers were able to host it on a reliable, cost-free service. Downloads from reputable servers like GitHub are much less likely to cause concern than downloads from a command-and-control (C&C) server that is under the control of an attacker," the researchers stated.

Backdoor employment

The employment of another backdoor known as Stegmap is highlighted in Symantec's most recent investigation of attacks between February and September 2022, when the organization attacked the governments of two Middle Eastern countries as well as the stock exchange of an African nation. 

Like many backdoors, Stegmap includes a wide range of features that enable it to do file manipulation operations, download and run executables, stop processes, and alter the Windows Registry. The hackers updated their toolset for this effort to target the vulnerabilities, and they used steganography to shield their harmful payload from antivirus software.

By taking advantage of the Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) attack chains to drop web shells on susceptible servers, the threat actors acquire initial access to a network and launch the attack. 

According to the chronology of an attack on a Middle Eastern government organization, Witchetty maintained remote access for as long as six months and carried out a variety of post-exploitation activities, such as network enumeration and the installation of custom malware, up to September 1, 2022.

Governments and state institutions around the world, including those in Asia and Africa, continue to face active threats from TA410 and Witchetty. The best defense against such attacks is to implement security upgrades as soon as they are available. In the campaign that Symantec has identified, the hackers depend on last year's flaws to infiltrate the target network and take advantage of the subpar management of publicly accessible servers.



FancyBear: Hackers Use PowerPoint Files to Deliver Malware

 

Cluster25 researchers have recently detected a threat group, APT28, also known as FancyBear, and attributed it to the Russian GRU (Main Intelligence Directorate of the Russian General Staff). The group has used a new code execution technique that relies on mouse movement in Microsoft PowerPoint to deliver Graphite malware.
 
According to the researchers, the threat campaign has been actively targeting organizations and individuals in the defense and government sectors of the European Union and East European countries. The cyber espionage campaign is believed to be still active.
 

Methodology of Threat Actor

 
The threat actor allegedly entices victims with a PowerPoint file claiming to be associated with the Organization for Economic Cooperation (OECD).
 
This file includes two slides, with instructions in English and French to access the translation feature in Zoom. Additionally, it contains a hyperlink that acts as a trigger for delivering a malicious PowerShell script that downloads a JPEG image carrying an encrypted DLL file.

The resulting payload, the Graphite malware, is in Portable Executable (PE) form and allows the malware operator to load other malware into system memory.

“The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications,” states Cluster25 in its published analysis.

The aforementioned Graphite malware is fileless malware that is deployed in memory only and is used by malware operators to deliver post-exploitation frameworks like Empire. Its purpose is to allow the attacker to deploy other malware into system memory.
 
 
Based on the discovered metadata, according to Cluster25, the hackers have been preparing for the cyber campaign between January and February. However, the URLs used in the attacks were active in August and September.
 
With more hacker groups attempting to carry out such malicious cyber campaigns, the government and private sectors must deploy more powerful solutions to prevent future breaches and cyber attacks to safeguard their organizations.

China's Attacks on Telecom Providers Were Exposed by US

 

Since 2020, US cybersecurity and intelligence agencies have cautioned about state-sponsored cyber attackers located in China using network vulnerabilities to target public and private sector enterprises.

Chinese hacking gangs have used publicly known vulnerabilities to infiltrate everything from unpatched small office/home office (SOHO) routers to moderate and even big enterprise networks, according to a joint cybersecurity alert released on Tuesday by the NSA, CISA, and the FBI. 

China-linked APTs use several servers to create new email accounts, host command and control (C&C) domains, and connect with target networks, using hop points as an obfuscation strategy to mask their true location. "Once within a telecommunications organization or network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, including systems critical to ensuring the stability of authentication, authorization, and accounting," as per the report.

These threat actors are continually altering their techniques to avoid detection, according to US authorities, including watching network defenders' actions and adjusting current attacks to remain undiscovered. 

They were also seen changing the infrastructure and tools when the campaigns were made public. After stealing credentials to access underlying SQL databases, the attackers utilized SQL commands to discard user and admin credentials from key Remote Authentication Dial-In User Service (RADIUS) servers. The three US agencies have revealed that Chinese threat actors primarily exploit vulnerabilities in: 
  • Cisco (CVE-2018-0171, CVE-2019-15271, and CVE-2019-1652)
  • Citrix (CVE-2019-19781) 
  • DrayTek (CVE-2020-8515) 
  • D-Link (CVE-2019-16920) 
  • Fortinet (CVE-2018-13382) 
  • MikroTik (CVE-2018-14847) 
  • Netgear (CVE-2017-6862) 
  • Pulse ( (CVE-2020-29583) 

Open-source tools such as RouterSploit and RouterScan (vulnerability scanning framework) are used by threat actors to scan for vulnerabilities and conduct reconnaissance, allowing them to identify brands, models, and known problems that can be attacked. 

"Once within a network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, particularly systems critical to maintaining the security of authentication, authorization, and accounting," as per the joint advisory.

Lastly, the attackers altered or deleted local log files to eliminate proof of their presence and avoid discovery. According to the federal agencies, security updates should be applied as quickly as feasible, unneeded ports and protocols should be disabled to reduce the attack surface, and end-of-life network infrastructure that no longer receives security patches should be replaced.

Segmenting networks to prevent lateral movement and enabling robust monitoring on internet-exposed services to discover attack attempts as soon as possible are also recommended.

SideWinder Hackers Have Planted a Bogus Android VPN Program

 

Phishing efforts linked to an advanced threat actor known as SideWinder included a bogus VPN program for Android smartphones that was uploaded to the Google Play Store, along with a custom tool that screens users for improved targeting. SideWinder is an APT organization that has been operating since at least 2012 and is thought to be led by an Indian actor with a high level of expertise.

Over 1,000 cyber attacks were ascribed to this gang in the last two years, according to Kaspersky, which highlighted its persistence and clever obfuscation tactics. Organizations in Pakistan, China, Nepal, and Afghanistan are the principal targets.

The threat actor uses spear-phishing emails to spread malicious ZIP bundles containing RTF or LNK files that install an HTML Application (HTA) payload from a remote server. The adversary uses a pretty big infrastructure that includes over 92 IP addresses, mostly for phishing assaults, and hundreds of domains and subdomains that serve as command and control servers. 

SideWinder, also known by the names RattleSnake, Razor Tiger, T-APT-04, APT-C-17, and Hardcore Nationalist, was responsible for a recent phishing campaign that targeted both public and commercial sector institutions in Pakistan.

A phishing document luring victims with a text advocating "a formal debate of the impact of the US withdrawal from Afghanistan on maritime security" was discovered earlier this year by researchers at cybersecurity firm Group-IB. While the exact purpose of the bogus VPN program is unknown, this isn't the first time SideWinder has gotten around Google Play Store restrictions by publishing malicious apps disguised as utility software.

Trend Micro reported in January 2020 that three malicious applications masquerading as photography and file manager utilities used a security weakness in Android (CVE-2019-2215) to acquire root access and abuse accessibility service rights to gather sensitive data.

Iranian Hackers Launch Cyberattack Against US and the UK 

 

Secureworks, a cybersecurity firm, has detected a new attack attributed to the Iranian hacker organization known as APT34 or Oilrig, which utilized custom-crafted tools to target a Jordanian diplomat. APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453 are advanced persistent threat (APT) actors known for targeting activists, government organizations, journalists, and other entities. 

A ransomware gang with an Iranian operational connection has been linked to a succession of file-encrypting malware operations targeting institutions in Israel, the United States, Europe, and Australia.

"Elements of Cobalt Mirage activities have been reported as Phosphorus and TunnelVision," Secureworks, which tracks the cyberespionage group, said today. "The group appears to have switched to financially motivated attacks, including the deployment of ransomware." 

The threat actor used recently obtained access to breach the network of a nonprofit organization in the United States in January 2022, where they built a web shell which was then used to drop further files, according to the researchers. 

The threat actor has seemingly carried out two types of intrusions, one of which involves opportunistic ransomware assaults using genuine tools like BitLocker and DiskCryptor for financial benefit. The second round of attacks is more focused, with the primary purpose of securing access and acquiring intelligence, with some ransomware thrown in for good measure.

Initial access is gained by scanning internet-facing servers that are vulnerable to widely reported holes in Fortinet appliances and Microsoft Exchange Servers, then using web shells on them as a route to move laterally and activate the ransomware.

The spear-phishing email, which Fortinet discovered, was sent to a Jordanian diplomat and pretended to be from a government colleague, with the email address faked accordingly. The email included a malicious Excel attachment with VBA macro code that creates three files: a malicious binary, a configuration file, and a verified and clean DLL. The macro also adds a scheduled job that runs every four hours to provide the malicious application (update.exe) persistence. 

Another unique discovery concerns two anti-analysis methods used in the macro: the manipulation of sheet visibility in the spreadsheet and a check for the presence of a mouse, both of which may not be available on malware analysis sandbox services.

Secureworks detailed a January 2022 attack on an undisclosed US charity organization but said the exact means by which full volume encryption capability is triggered is unknown. In mid-March 2022, another attack aimed at a US local government network is thought to have used Log4Shell holes in the target's VMware Horizon architecture to perform reconnaissance and network scanning tasks. 

While the group has managed to breach a huge number of targets around the world, the security researchers believe that "their capacity to leverage on that access for financial gain or information collection is limited." Secureworks determines that the group's use of publicly available tools for ransomware activities proves that it is still a threat.

The Hacking Group 'ModifiedElephant' Remained Undetected

 

SentinelLabs' IT security researchers have uncovered details of growing APT cyber-attacks in which the threat actors have been targeting human rights activists, free speech advocates, professors, and lawyers in India using readily available trojans via spear-phishing since 2012. The group, known as ModifiedElephant, has been found to be planting 'incriminating evidence' on the devices of its targets.

"The goal for ModifiedElephant is long-term espionage which sometimes ends with the transmission of evidence – files that implicate the victim in criminal offenses – prior to conveniently synchronized arrests," stated Tom Hegel, a threat researcher at SentinelOne. According to the research, over the previous decade, ModifiedElephant hackers have been attacking their victims with spearphishing emails containing malicious file attachments, with their methods becoming more complex over time. 

Spearphishing is the technique of sending victims emails that appear to come from a trustworthy source in order to get them to either divulge sensitive information or install malware on their computers. ModifiedElephant usually uses infected files to spread malware to its victims. The particular mechanism and content of the malicious files have varied over time; according to SentinelOne, the timeline is as follows:
  • 2013 – The adversary sends malware via email attachments with phony double extensions (file.pdf.exe).
  • 2015 – The group switches to password-protected RAR attachments containing legitimate lure documents that hide signs of malware execution.
  • 2019 – ModifiedElephant begins hosting malware-distribution sites and takes advantage of cloud hosting capabilities, transitioning from phony documents to malicious URLs.
  • 2020 – The attackers evade detection by using big RAR files (300 MB) that scanners skip.
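The following attachment triage sketch covers three traits from the timeline above: double extensions, password-protected archives and archives too large to scan. It is an added example, not SentinelOne's tooling; the extension lists, the 100 MB scan limit, the `encrypted` metadata flag and the sample attachments are all assumptions constructed for illustration.

```python
"""Mail-attachment triage for lure traits in the timeline above (added example)."""
import ntpath

# Assumed policy lists; tune to the mail gateway in use.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".lnk"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg"}
ARCHIVE_EXTS = {".rar", ".zip", ".7z"}
SCAN_LIMIT_BYTES = 100 * 1024 * 1024  # assumed scanner size cap

# Constructed sample attachments (name, size in bytes, gateway-reported flags).
SAMPLE_ATTACHMENTS = [
    {"name": "file.pdf.exe", "size": 412_000},
    {"name": "report.v1.2.pdf", "size": 1_048_576},
    {"name": "minutes.rar", "size": 300 * 1024 * 1024},
    {"name": "docs.rar", "size": 2_000_000, "encrypted": True},
    {"name": "photo.jpg .scr ", "size": 90_000},
]


def extension_chain(filename):
    """Return every extension in order, e.g. 'a.pdf.exe' -> ['.pdf', '.exe'].

    Trailing dots and spaces are dropped first because Windows ignores them,
    and padding between extensions is stripped so 'x.jpg   .scr' still parses.
    """
    name = filename.strip().rstrip(". ").lower()
    chain = []
    while True:
        name, ext = ntpath.splitext(name.rstrip())
        if not ext:
            break
        chain.append(ext)
    return chain[::-1]


def triage(attachment):
    """Return (verdict, reasons); verdict is 'block', 'hold' or 'scan'."""
    reasons = []
    chain = extension_chain(attachment["name"])
    final = chain[-1] if chain else ""

    if final in EXECUTABLE_EXTS:
        if len(chain) > 1 and chain[-2] in DECOY_EXTS:
            reasons.append(f"double extension: {chain[-2]} decoy before {final}")
        else:
            reasons.append(f"executable attachment: {final}")
        return "block", reasons

    if final in ARCHIVE_EXTS:
        # Fail closed: an archive the scanner cannot open or will skip is
        # held for review instead of being delivered as "clean".
        if attachment.get("encrypted"):
            reasons.append("password-protected archive: contents cannot be scanned")
        if attachment["size"] > SCAN_LIMIT_BYTES:
            reasons.append("archive larger than scan limit: contents not inspected")

    return ("hold", reasons) if reasons else ("scan", reasons)


if __name__ == "__main__":
    for att in SAMPLE_ATTACHMENTS:
        verdict, why = triage(att)
        print(f"{att['name']!r:24} {verdict:5} {'; '.join(why)}")
```

The point of the `hold` verdict is that "not scanned" is recorded as its own outcome, so an oversized or encrypted archive never inherits a clean result by default.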

The CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, and CVE-2015-1641 exploits, according to SentinelOne, were frequently utilized in lure documents, which targeted Microsoft Office Suite programs.

ModifiedElephant is not seen using any customized backdoors in its operational history, indicating the group isn't particularly sophisticated. NetWire and DarkComet, two publicly available remote access trojans extensively utilized by lower-tier hackers, were the principal malware used in the campaigns.

ModifiedElephant's Visual Basic keylogger hasn't changed since 2012, and it's been openly available on hacking forums all that time. SentinelLabs remarks on the tool's history, pointing out that it no longer works on recent OS versions. The Android malware is likewise a commodity trojan that is distributed to users in the form of an APK, luring them in by appearing to be a news app or a secure messaging tool.

Iranian Hackers Employed a New Marlin Backdoor in a Surveillance Operation 

 

Iranian hackers are using the new Marlin backdoor as part of a long-running surveillance operation that began in April 2018. ESET, a Slovak cybersecurity firm, linked the attacks, entitled "Out to Sea," to a threat actor known as OilRig (aka APT34), and also firmly linked its actions to another Iranian group known as Lyceum (Hexane aka SiameseKitten).

Since 2014, the hacking organization has attacked Middle Eastern governments as well as a range of industry verticals, including chemical, oil, finance, and telecommunications. In April 2021, the threat actors used an implant dubbed SideTwist to assault a Lebanese company. 

"Victims of the campaign include diplomatic institutions, technological businesses, and medical organizations in Israel, Tunisia, and the United Arab Emirates," according to a report by ESET.

Lyceum has previously conducted campaigns in Israel, Morocco, Tunisia, and Saudi Arabia to single out IT companies. Since the campaign's discovery in 2018, the Lyceum infection chains have developed to drop many backdoors, starting with DanBot and progressing to Shark and Milan in 2021. Later attacks, utilizing a new data harvesting malware dubbed Marlin, were detected in August 2021.

The hacking organization discarded the old OilRig TTPs, which comprised command-and-control (C&C) connections over DNS and HTTPS. For its C2 activities, Marlin relies on Microsoft's OneDrive API. ESET identified parallels in tools and tactics between OilRig's backdoors and those of Lyceum as "too numerous and specific," stating the initial access to the network was gained through spear-phishing and management applications like ITbrain and TeamViewer. 

"The ToneDeaf backdoor connected with its C&C primarily over HTTP/S, but featured a secondary route, DNS tunneling, which did not work effectively," the researcher indicated. "Shark has similar problems, with DNS as its primary communication channel and an HTTP/S secondary one which isn't working." 

Marlin randomly selects the executable code's internal structure, denying the attacker a comprehensive assessment of instruction addresses needed to build the intended exploit payload. The findings also revealed the usage of several folders in a backdoor's file menu for sending and receiving data from the C&C server, the concurrent use of DNS as a C&C communication route while also utilizing HTTP/S as a backup communication mechanism.

The Lazarus Group uses Windows Update to Spread Malware

 

Researchers discovered that Lazarus Group is leveraging Windows Update to spread malware in a campaign backed by a GitHub command-and-control (C2) server. The Malwarebytes Threat Intelligence team announced on Thursday that they identified the North Korean state advanced persistent threat (APT) group's latest living-off-the-land strategy while investigating a spear-phishing campaign discovered on Jan. 18. 

The campaign's emphasis – in which the APT posed as the American global security and aerospace company Lockheed Martin – is consistent with Lazarus' preference for penetrating the military.  

Lazarus, which has been active since at least 2009, is regarded by researchers as one of the world's most active threat actors. The US also refers to Lazarus as Hidden Cobra, a term used to describe the North Korean government's cyber-activity in general.

“This APT group has been behind large-scale cyber-espionage and ransomware campaigns and has been spotted attacking the defence industry and cryptocurrency markets,” Kaspersky researchers have noted in the past. 

In the Jan. 18 campaign, Malwarebytes discovered two macro-embedded decoy documents purporting to offer new job openings at Lockheed Martin. Their filenames: Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc. 

Both of these documents were created on April 24, 2020, but researchers have enough evidence to believe they were utilized in a campaign in late December 2021 or early 2022. The domains utilized by the threat actor are some of the evidence that this assault was carried out recently. Both documents employ the same attack theme and share some features, such as embedded macros, but the entire attack chain appears to be completely different. 

According to the researchers, the attack begins by running malicious macros embedded in Word documents. The malware achieves startup persistence in the victim's system after a series of injections. When a victim opens the malicious attachments and allows macro execution, an embedded macro places a WindowsUpdateConf.lnk file in the startup folder and a DLL file (wuaueng.dll) in a hidden Windows/System32 folder. LNK files are Windows shortcut files, meaning they are pointers to original files in Windows.

Next, the .LNK file is used to launch the WSUS / Windows Update client, wuauclt.exe, a genuine process file generally known as Windows automatic updates and located in C:\Windows\System32. The Update client is used to execute a malicious DLL that avoids detection by security software.

“With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious DLL and /RunHandlerComServer argument after the DLL,” the researchers explained.
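One way to hunt for the chain described above in endpoint telemetry is sketched below as an added example; it is not Malwarebytes' detection logic. The event field names, the Office image list, the `C:\ExampleDir` placeholder path and all sample events are constructed assumptions; only the file names and the two wuauclt.exe arguments come from the article.

```python
"""Hunt for the Windows Update client being used to load a DLL (added example)."""
import ntpath
import shlex

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed list
STARTUP_DIR = "\\start menu\\programs\\startup\\"

# Constructed events, loosely shaped like process-creation and file-creation
# telemetry. Hosts, users and the C:\ExampleDir path are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider '
                r'C:\ExampleDir\wuaueng.dll /RunHandlerComServer'},
    {"type": "process", "host": "ws-02", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\wuauclt.exe /detectnow"},
    {"type": "process", "host": "ws-03", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wuauclt /updatedeploymentprovider "C:\Users\Public\my lib.dll" '
                r'/runhandlercomserver'},
    {"type": "file", "host": "ws-01",
     "creator": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu"
             r"\Programs\Startup\WindowsUpdateConf.lnk"},
    {"type": "file", "host": "ws-04", "creator": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\bob\Desktop\notes.lnk"},
]


def check_process(event):
    """Flag wuauclt.exe started with /UpdateDeploymentProvider <dll>."""
    # posix=False keeps backslashes literal; quotes stay on tokens, so strip them.
    tokens = [t.strip('"') for t in shlex.split(event["cmdline"], posix=False)]
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("wuauclt.exe", "wuauclt"):
        return None
    args = tokens[1:]
    lowered = [a.lower() for a in args]  # Windows switches are case-insensitive
    if "/updatedeploymentprovider" not in lowered:
        return None
    i = lowered.index("/updatedeploymentprovider")
    has_dll = i + 1 < len(args) and not args[i + 1].startswith("/")
    dll = args[i + 1] if has_dll else None
    com_server = "/runhandlercomserver" in lowered[i + 1:]
    return {
        "host": event["host"], "rule": "wuauclt_dll_load", "dll": dll,
        "run_handler_com_server": com_server, "parent": event.get("parent"),
        "severity": "high" if dll and com_server else "medium",
    }


def check_file(event):
    """Flag an Office process writing a shortcut into a Startup folder."""
    path = event["path"].lower()
    creator = ntpath.basename(event["creator"]).lower()
    if path.endswith(".lnk") and STARTUP_DIR in path and creator in OFFICE_IMAGES:
        return {"host": event["host"], "rule": "office_startup_lnk",
                "path": event["path"], "severity": "high"}
    return None


def hunt(events):
    """Run both checks over a list of events and return the findings."""
    findings = []
    for event in events:
        check = check_process if event["type"] == "process" else check_file
        finding = check(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Findings from the two rules on the same host (ws-01 in the sample) are worth correlating, since the shortcut is what triggers the later wuauclt.exe launch.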

APT27 Hackers are Backdooring Business Networks in Germany

 

The German domestic intelligence service BfV issued a warning about ongoing operations orchestrated by the Chinese-backed hacker group APT27. The attackers are utilising the HyperBro remote access trojan (RAT) to backdoor German commercial enterprises' networks in this active campaign. By operating as an in-memory backdoor with remote administration capabilities, HyperBro assists threat actors in maintaining persistence on the victims' networks.

HyperBro is a RAT that has been seen predominantly in the gambling industries, while it has also been seen in other places. The malware is typically composed of three or more components: a) a genuine loader with a signed certificate, b) a malicious DLL loader loaded from the former component via DLL hijacking, and c) an encrypted and compressed blob that decrypts to a PE-based payload with its C2 information hardcoded within.

APT27 (also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse) is a Chinese-sponsored threat group that has been active since at least 2010 and is noted for its emphasis on data theft and cyber espionage efforts. 

Since March 2021, APT27 has been exploiting flaws in Zoho ADSelfService Plus software, an enterprise password management solution for Active Directory and cloud apps, according to the German intelligence agency. This is consistent with prior reports that Zoho ManageEngine installations were the target of many campaigns in 2021, coordinated by nation-state hackers employing techniques and tooling similar to APT27.

The threat group's objective, according to the agency, is to steal critical information, and it may potentially seek to target its victims' customers in supply chain attacks.

"The Federal Office for the Protection of the Constitution has information about an ongoing cyber espionage campaign by the cyber-attack group APT27 using the malware variant HYPERBRO against German commercial companies," the BfV said. "It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of customers or service providers." 

In addition, the BfV issued indicators of compromise (IOCs) and YARA rules to assist targeted German organisations in detecting HyperBro infections and connections to APT27 command-and-control (C2) servers. 

APT27 initially exploited an ADSelfService zero-day exploit until mid-September, then transitioned to an n-day ADSelfService vulnerability before beginning to exploit a ServiceDesk flaw on October 25. According to Palo Alto Networks researchers, the attackers effectively infiltrated at least nine organisations from vital industries around the world, including defence, healthcare, energy, technology, and education.

BlackBerry Discovers Initial Access Broker Linked to 3 Different Hacker Groups

 

The latest report from BlackBerry revealed an initial access broker termed "Zebra2104" that has links with three malicious cybercriminal groups, a few of which are involved in phishing campaigns and ransomware attacks. The Research and Intelligence team at BlackBerry discovered that Zebra2104 gave entry points to ransomware groups such as MountLocker and Phobos, as well as the StrongPity APT.

The access was given to various organizations in Australia and Turkey which fell victim to the attacks. The StrongPity APT attacked Turkish firms in the healthcare sector, and also targeted smaller enterprises. As per BlackBerry, its research suggests either that the access broker has a lot of manpower or that the actors might have built large hidden traps on the web.

The report also suggests that an inquiry confirmed that MountLocker ransomware was working along with StrongPity, an APT group that dates back to 2012 and is allegedly Turkish state-sponsored. It might be hard to believe that criminal groups are sharing resources, but the experts have found a common link, enabled by a fourth criminal group termed Zebra2104, which the experts believe to be an Initial Access Broker (IAB). According to experts, there is an abundance of hacking groups working together, more than mentioned in this article.

A single domain directed the experts to a path where they discovered various ransomware attacks and an APT C2 (command and control). The path turned out to be the infrastructure of an IAB, Zebra2104. IABs generally sell access to the top bidders on dark web underground forums. Following that, the winning bidder deploys ransomware or any other malware in the target organization's systems, depending on the goals of the attack.

"A few of the domains had been involved in a phishing campaign that went after state government departments in Australia as well as real estate companies there in September 2020. With the help of other Microsoft reports, the researchers were able to trace the campaigns further to an indicator of compromise of a MountLocker intrusion," reports ZDNet.

Newly Discovered 'Tomiris' Backdoor Linked to SolarWinds Attack Malware

 

Kaspersky security researchers have unearthed a new backdoor likely designed by the Nobelium advanced persistent threat (APT) behind last year's SolarWinds supply chain attack. 

The new malware, dubbed Tomiris, was first identified in June 2021 from samples dating back to February, a month before the “sophisticated second stage backdoor” Sunshuttle was spotted by FireEye and linked to Nobelium. Nobelium is also known by the monikers UNC2452, SolarStorm, StellarParticle, Dark Halo, and Iron Ritual. 

"While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims. Evidence gathered so far indicates that Dark Halo spent six months inside Orion IT's networks to perfect their attack and make sure that their tampering of the build chain wouldn't cause any adverse effects," Kaspersky researchers stated.

Moscow-headquartered firm Kaspersky identified Tomiris while examining a series of DNS hijacking attacks mounted against multiple government organizations in a CIS member state between December 2020 and January 2021, which allowed threat actors to redirect traffic from government mail servers to devices under their possession.

Their victims were redirected to webmail login pages that helped hackers steal their email credentials and, in some cases, tricked them into installing a malware update that instead downloaded the Tomiris backdoor. 

“During these times, the authoritative DNS servers for the above zones were switched to attacker-controlled resolvers. Most of these hijackings were relatively brief and appear to have primarily targeted the mail servers of the affected organizations. We don’t know how the threat author was able to achieve this, but we assume that he somehow obtained credentials from the Registrar’s control panel used by the victims,” researchers added. 

Multiple similarities between Tomiris and Sunshuttle malware 

Researchers discovered multiple similarities between the Sunshuttle and Tomiris backdoors (e.g., both developed in Go, persistence through scheduled tasks, the same encoding scheme for C2 communications, automated sleep triggers to reduce network noise). They also spotted the Kazuar backdoor, a .NET-based backdoor linked to the Turla group that shares multiple features with the Sunburst malware used in the SolarWinds attack, on the same network as Tomiris.

Earlier this year, in March 2021, Microsoft and FireEye described Sunshuttle as a Golang-based malware that acts as a command-and-control backdoor, establishing a secure connection with an attacker-controlled server to fetch and execute arbitrary commands on the exploited device as well as exfiltrate files from the system to the server.

Despite this, researchers have not established a conclusive link between the new backdoor and Russia-backed Nobelium state hackers due to the possibility of a false flag attack designed to mislead researchers. 

The revelation comes days after Microsoft released the details of a passive and highly targeted implant dubbed ‘FoggyWeb’ that was employed by the Nobelium hacking group to deploy additional payloads and steal sensitive information from Active Directory Federation Services (ADFS) servers.

North Korean Lazarus Group Attacks South African Freight Via New Weapon

 

The North Korean-backed Lazarus hacking group employed a new backdoor in targeted attacks against a South African freight and logistics company. ESET researchers first discovered the malware in June 2020, but further evidence suggests Lazarus has been using it in previous attacks going back to at least December 2020. 

The new backdoor malware, dubbed Vyveva, is one of the latest tools discovered in the Lazarus armory. Vyveva is capable of exfiltrating files, gathering data from an exploited machine and its drives, remotely connecting to a command-and-control (C2) server and running arbitrary code. It also uses watchdogs to keep track of newly connected drives or the active user sessions to trigger new C2 connections on new sessions or drive events.

While ESET researchers have not had much success in identifying the initial compromise vector, they have discovered three main components comprising Vyveva: its installer, loader and backdoor. Vyveva also includes a ‘timestomping’ option, which allows its operators to manipulate any file’s timestamps using metadata from other files on the system or by setting a random date between 2000 and 2004 to hide new or modified files.

“Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET technology. However, the similarities do not end there: the use of a fake TLS protocol in network communication, command-like execution chains, and the methods of using encryption and Tor services all point toward Lazarus. Hence, we can attribute Vyveva to this APT group with high confidence,” security researcher Filip Jurcacko stated.

According to the US government, the Lazarus group was formed in 2007, and since then, as per the researchers, the group has been responsible for the $80 million Bangladeshi bank heist and the HaoBao Bitcoin-stealing campaign. The Lazarus Group’s activities were widely reported only after it was blamed for the 2014 cyber-attack on Sony Pictures Entertainment and the 2017 WannaCry ransomware attack on countries including the US and Britain.

FBI & CISA Warn of Active Attacks on Fortinet FortiOS Servers

 

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of active exploits targeting three vulnerabilities in Fortinet FortiOS. Fortinet FortiOS is an operating system designed to improve enterprise security, and it enables secure networks, endpoints, and clouds to keep the user safe from vulnerabilities and threats.

According to the advisory, the unpatched Fortinet FortiOS platforms affected by these three vulnerabilities belong to technology services, government agencies, and other private sector bodies. The advanced persistent threat (APT) actors are targeting CVE-2018-13379, a path traversal vulnerability (CVSS base score of 9.8); CVE-2020-12812, an improper authentication flaw (CVSS base score of 9.8); and CVE-2019-5591, a default configuration vulnerability (CVSS base score of 7.5), which were initially revealed in 2019.

The attackers have specifically exploited the vulnerability CVE-2018-13379 since its discovery in 2018. In 2019, nation-state hackers exploited the flaw and targeted the U.S. National Security Agency. Last year in October, a joint CISA/FBI advisory regarding federal, state, and local U.S. government networks being targeted mentioned the flaw.

“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks. APT actors may use the other CVEs or common exploiting techniques – such as spear-phishing – to gain access to critical infrastructure networks to pre-position for follow-on attacks,” the advisory read.

Carl Windsor, Fortinet field chief technology officer, responded to the joint advisory by stating that Fortinet has already patched the flaws and is educating customers about the vulnerabilities.

“The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019 and July 2020 strongly recommending an upgrade. Upon resolution we have consistently communicated with customers, as recently as late as 2020,” he further stated.