Search This Blog

Showing posts with label Chinese Actors. Show all posts

Hackers Designs Malware for Recently Patched Fortinet Zero-Day Vulnerability


Researchers who recently disclosed and patched the zero-day vulnerability in Fortinet's FortiOS SSL-VPN technology have identified a new backdoor, specifically created in order to run on Fortinet’s FortiGate firewalls. 

Initial evidence collected by Google-owned security firm Mandiant suggests that the exploitation occurred in October 2022, nearly two months before the vulnerability was patched. Targets included a government entity in Europe and a managed services provider in Africa. 

According to a report published by Mandiant, the malware appears to have been created by a China-based threat actor that conducts cyber-espionage operations against individuals and groups associated with the government. 

It is the most recent instance of attackers from the country attacking firewalls, IPS, IDS, and other technologies used by businesses to secure their networks that are internet-facing. 

BoldMove Backdoor 

The attacks involved the use of a sophisticated backdoor known as BOLDMOVE, a Linux variant created especially to run on Fortinet's FortiGate firewalls. 

The intrusion vector in question is the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw in FortiOS SSL-VPN that could allow for unauthenticated remote code execution through carefully constructed requests. 

Earlier this month, Fortinet revealed that the unidentified hacking groups had taken advantage of the flaw to attack governments and other major institutions with a generic Linux implant capable of delivering additional payloads and carrying out remote server commands. 

Mandiant findings also indicate that the hackers managed to exploit the zero-day vulnerability to their advantage, accessing target networks for espionage operations. "With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," Mandiant added. 

The BoldMove Backdoor malware, written in C, is apparently available in both Windows and Linux versions, with the latter being able to read data from a Fortinet-exclusive file format. 

Moreover, according to Fortinet’s report, an extended Linux sample comes with a feature that allows attackers to disable and manipulate logging features in order to evade detection. Despite the fact that no copies of the backdoor have been found in the wild, metadata analysis of the Windows variations reveals that they were created as early as 2021. 

"The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices," Mandiant noted. 

Schooled in FortiOS 

Meanwhile, Fortinet itself described the malware as a variant of “generic” Linux backdoor designed by threat actors for FortiOS. According to the company's analysis, affected systems may have had the malicious file disguising itself as a part of Fortinet's IPS engine. 

According to Fortinet, one of the malware's more advanced features included manipulating FortiOS log-in to avoid detection. The malware can search FortiOS for event logs, decompress them in memory, and search for and delete a specific string that allows it to reconstruct the logs. The malware can also completely disable logging processes. 

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," says Fortinet. 

Fortinet adds that designing the malware would have required the threat actors to have a “deep understanding” of the FortiOS and its underlying hardware. "The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS," the vendor said.  

FBI: Tik Tok privacy issues


Christopher Wray, the director of the FBI, expressed its concern over the potential that the Chinese government might alter TikTok's recommendation algorithms, which can be utilised for conventional espionage activities.

The short clip social network is under federal attention recently, largely because of worries about data privacy, especially when it comes to youngsters, and because of the ongoing tension between the United States and China. In 2020, the Trump government made an unsuccessful effort to eliminate TikTok from app stores. Additionally, there have been legislative hearings on user data in both 2021 and this year.

While Wray acknowledged that there are numerous countries that pose cyberthreats to the United States, "China's rapid hacking operation is the largest, and they have gained more of Americans' personal and business data than any other country combined," Wray said.

He claimed that TikTok APIs may be used by China to manage the software on consumer devices, opening the door for the Chinese government to basically breach the appliances of Americans.

Rep. John Katko, D-NY, the ranking member of the committee and a persistent advocate of cybersecurity issues in Congress, claims that Chinese cyber operations pose a threat to the economic and national security of all Americans. He updated the members that ransomware assaults caused companies $1.2 billion in losses last year.

Using HUMINT operations, China has gained access to the US military and government and gathered important information about US intelligence operations. Due to the development of these abilities, China was able to intercept communications, gather sensitive information, and gather a variety of data regarding US military and diplomatic activities.





Upgraded Security Deal Among Japan and Australia Against Chinese Cybercrimes

 


On Saturday, a new defense cooperation pact was signed between Japan and Australia to recognize the deteriorating security situation in the region as a consequence of China's growing assertiveness.

Fumio Kishida, the prime minister of Japan, praised the advancement of relations between the two countries after meeting with his Australian colleague Anthony Albanese in Perth, Western Australia. The two nations are committed to conducting cooperative military games and exchanging more sensitive intelligence.

It expands upon a reciprocal access pact that Kishida signed with Scott Morrison, Australia's prime minister at the time, in January, which lifts restrictions on conducting joint military drills in either nation.

It is the first time Japan has reached such a deal with a nation other than the US. Japan's Self-Defense Forces will train and participate in operations with the Australian defense in northern Australia for the first time as per the agreement, as revealed on Saturday.

According to Albanese, "this major proclamation sends a powerful signal to the area of our strategic alignment" in relation to that deal. In an "increasingly hostile strategic environment," according to Kishida, a new structure for collaboration in operations, intelligence, information, and logistical support was devised.

Since the Australian leader's administration was elected in May, Kishida has met with Albanese four times. This visit is for an annual bilateral summit. Two days after the election, they first met in Tokyo at the Quadrilateral Security Dialogue meeting, also known as the Quad, which also included U.S. Vice President Joe Biden and Indian Prime Minister Narendra Modi.

It was emblematic of the close economic links between the two countries that the meeting was decided to be held in Perth, the state capital of Western Australia, which supplies much of Japan's liquid natural gas and the wheat used to make udon noodles.

According to a website maintained by the Australian government, Australia has some of the world's top five resources for vital minerals such as antimony, cobalt, lithium, manganese ore, niobium, tungsten, and vanadium.

Australia is the world's top producer of lithium, rutile, zircon, and rare earth elements, as well as the second-largest producer overall.

Since 2007, when Australia and Japan signed their first military statement, China's defense expenditure has more than doubled. Japanese jets were called into action 22 times in 2006 to stop Chinese military aircraft from entering Japanese airspace. 722 times in response to Chinese aircraft last year, Japanese warplanes had to scramble.



Smash and Grab: Meta Takes Down Disinformation Campaigns Run by China and Russia

 

Meta, Facebook’s parent company has confirmed that it has taken down two significant but unrelated ‘disinformation operations’ rolling out from China and Russia. 

The campaigns began at the beginning of May 2022, targeting media users in Germany, France, Italy, Ukraine, and the UK. The campaign attempted to influence public opinions by pushing fake narratives in the west, pertaining to US elections and the war in Ukraine. 

The campaign spoofed around 60 websites, impersonating legitimate news websites, such as The Guardian in the UK and Bild and Der Spiegel in Germany. The sites did not only imitate the format and design of the original news sites but also copied photos and bylines from the news reporters in some cases. 

“There, they would post original articles that criticized Ukraine and Ukrainian refugees, supported Russia, and argued that Western sanctions on Russia would backfire […] They would then promote these articles and also original memes and YouTube videos across many internet services, including Facebook, Instagram, Telegram, Twitter, petitions websites Change.org and Avaaz, and even LiveJournal” Meta stated in a blog post. 

In the wake of this security incident, Facebook and Instagram have reportedly removed nearly 2,000 accounts, more than 700 pages, and one group. Additionally, Meta detected around $105,000 in advertising. While Meta has been actively quashing fake websites, more spoofed websites continue to show up.  

However, “It presented an unusual combination of sophistication and brute force,” claims Meta’s Ben Nimmo and David Agranovich in a blog post announcing the takedowns. “The spoofed websites and the use of many languages demanded both technical and linguistic investment. The amplification on social media, on the other hand, relied primarily on crude ads and fake accounts.” 

“Together, these two approaches worked as an attempted ‘smash-and-grab’ against the information environment, rather than a serious effort to occupy it long term.” 

Both the operations are now taken down as the campaigns were a violation of Meta’s “coordinated inauthentic behaviour” rule, defined as “coordinated efforts to manipulate public debate for a strategic goal, in which fake accounts are central to the operation”. 

Addressing the situation of emerging fraud campaigns, Ben Nimmo further said, “We know that even small operations these days work across lots of different social media platforms. So the more we can share information about it, the more we can tell people how this is happening, the more we can all raise our defences.”

Information Commissioner Office Made a Regulatory Fine of $27 Million on Tiktok

 

The information commissioner's office of the United Kingdom recently fined Tiktok $29 million, having provisionally discovered that Tiktok had breached the laws of child data protection for two years. 
 
The privacy regulatory body of the United Kingdom reported the exploitation of protection laws of the country’s data. There was an investigation that concluded that TikTok may have breached the laws of data protection from May 2018 to July 2020. 
  
The fine is determined by the calculation of 4% of TikTok’s annual turnover globally. The ICO issued TikTok with a “notice of intent” with a fine of up to $27 million, which is considered the highest in ICO’s history as the largest amount paid till now is $20 million to British Airways. 
 
The Information Commissioner's office has pointed out in regard to Tiktok that it may breach privacy by processing data of minors under 13 years old without parental consent, failing to provide complete information to users "in a concise, transparent, and easily understandable manner" and processing unsuitable "special category" data without legal authority. 
 
The ICO defines “special category data” as any use of sensitive personal data including sexual orientation, religious beliefs, culture and nationality, political perspective, and biometric data. 
 
The information commissioner, John Edwards commented on TikTok’s failure in fulfilling its legal duties of protecting the privacy of data of its young users. He stated, "we all want children to be able to learn and experience the digital world, but with proper data privacy protection.” 
 
In John’s opinion, digital learning is essential for children, but the companies offering the digital services should be legally responsible for ensuring that reasonable protection measures are incorporated into these services, as during the investigation of TikTok it was found to be provisionally lacking in these measures.  
 
ICO added to its statement that the findings from the investigation are provisional and no final conclusions can be drawn at this time. A spokesperson from Tiktok in a conversation with TechCrunch shared that they do respect the concerns expressed by the ICO about security and protection laws, but that they disagree with the ICO's views regarding Tiktok's privacy policies.

Chinese Loan App Case: ED Freezes Rs 46.67 Crore Worth Funds Of Payment Gateway Apps

 

The Enforcement Directorate has carried out raids against Chinese “controlled” loan apps and investment tokens. The ED froze Rs. 46.67 cr. worth funds kept at the Bengaluru premise of payment gateways accounts of Easybuzz, Razorpay, Cashfree, and Paytm in connection with the HPZ token case over alleged irregularities in the operation of instant app-based loan-giving companies that are controlled by Chinese personals. The funds have been frozen and seized under the Prevention of Money Laundering Act (PMLA).

The investigation was carried out on September 14th at various business and residential premises in Delhi, Ghaziabad, Mumbai, Lucknow, and Gaya over the money laundering case probed against an app-based token named HPZ and related entities. The case is based on an FIR filed in October 2021, registered by the Kohima police’s cybercrime unit in Nagaland.

According to the ED, the HPZ token was an app-based token that lured victims to invest in the company, promising a doubling of their investments and large gains to the customers against investments by investing in mining machines in bitcoins and other cryptocurrencies.

“Payments were received from users through UPIs and other payment gateways/ nodal gateways/ individuals. Part amount was paid back to the investors and remaining amount was diverted to various individuals and company accounts through various payment gateways/ banks from where partly it was siphoned off in digital/virtual currencies. After that, the fraudsters stopped the payments and the website became inaccessible” states the ED.

Allegedly, the companies sourced the personal data of the victims at the time of downloading the loan apps even when their interest rates were “unsurious”. ED thus initiated a probe under the criminal sections of the PMLA after many debtors reportedly ended their lives. The debtors were being harassed and threatened by these loan app companies over the personal data available on their phones. The ED claims, that one such Loan app entity, labeled M/s Mad- Elephant Network Technology Private Limited in an agreement with X10 Financial Services Limited was operating several loan apps, namely Yo-Yo cash, Tufan Rupees, Coco cash, etc.) Similarly, Su Hui Technology Private Limited, in agreement with M/s Nimisha Finance India Private Limited, had operated loan apps.

In a meeting held on September 8, Finance Minister Nirmala Sitaraman reviewed the issues pertaining to the illegal loan apps. The meeting was attended by top officials from the ministry and RBI officials. It is being decided that appropriate measures shall be taken to check the operations of such apps. 

Chinese APT Group Target Government Officials in Europe, South America, and Middle East

 

A Chinese cyberespionage group tracked as Bronze President has launched a new campaign targeting the computer systems of government officials in Europe, the Middle East, and South America with a modular called malware PlugX. 

Threat analysts at Secureworks discovered the breach in June and July 2022, once again highlighting the hacker’s persistent focus on espionage against governments across the globe. 

The researchers have identified multiple pieces of evidence including the use of PlugX, naming schemes previously employed by the hacking group, and politically-themed lure documents that align with regions that are of strategic importance to China. 

“Several characteristics of this campaign indicate that it was conducted by the likely Chinese government-sponsored Bronze President threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically themed decoy documents that align with regions where China has interests,” Secureworks Counter Threat Unit (CTU) explained in a blogpost. 

Attack chains distribute RAR archive files that contain a Windows shortcut (.LNK) file masquerading as a PDF document, opening which executes a legitimate file present in a nested hidden folder embedded within the archive. 

Subsequently, it creates the path for installing a malicious document, while the PlugX payload sets up persistence on the exploited device. "Bronze President has demonstrated an ability to pivot quickly for new intelligence collection opportunities," the researchers added. 

"Organizations in geographic regions of interest to China should closely monitor this group's activities, especially organizations associated with or operating as government agencies." 

Bronze President, also known as RedDelta, Mustang Panda, or TA416 has been active since at least July 2018 and has a history of launching espionage campaigns by employing custom and publicly available tools to exploit, maintain long-term access, and exfiltrate data from targets of interest. 

The PlugX RAT continues to remain the Bronze President's preferred spying tool. The threat actor has used multiple variants of it for several years, together with other hackers originating from China. 

Earlier this year in March, the hacking group targeted Russian government officials with an updated version of the PlugX backdoor called Hodur, alongside organizations located in Asia, the European Union, and the U.S. 

Other than PlugX, infection chains utilized by the APT group have involved the deployment of custom stagers, reverse shells, Meterpreter-based shellcode, and Cobalt Strike, all of which are used to establish remote access to their targets with the intention of conducting espionage and information theft.

Windows, Linux and macOS Users Hit by Chinese Iron Tiger

China-sponsored cyberhackers group Iron Tiger (aka LuckyMouse) has been exposed using the compromised servers of a chat application called MiMi to execute malware to Windows, Linux, and macOS systems. The primary targets of Iron Tiger in this campaign were located in Taiwan and the Philippines. 

Cybersecurity organizations Trend Micro and SEKOIA published a detailed report stating that the Iron Tiger organized a new cyberespionage campaign by the Iron Tiger, also known as Emissary Panda, Cycldek, Bronze Union, Goblin Panda Conimes, LuckyMouse, APT27, and Threat Group 3390 (TG-3390). This group has been active since at least 2010, victimizing hundreds of organizations worldwide for cyberespionage purposes. 

Additionally, the group has a history of working around targeted servers in pursuit of its political and military intelligence-collection objectives aligned with China. Trend Micro has identified one of the victims of this attack  a Taiwan-based gaming development firm that along with thirteen other entities was targeted. 

The advanced persistent threat (APT) group used the compromised servers of MiMi, a messaging application available on different platforms with its installer files compromised to download and install HyperBro samples for the Windows operating system and rshell artifacts for Windows, Android, macOS, and iOS. The desktop version of MiMi has been built using the cross-platform framework ElectronJS. 

“Iron Tiger compromised the server hosting the legitimate installers for this chat application for a supply chain attack,” says Trend Micro. 

Trend Micro has uncovered various rshell samples, including some targeting Linux. Prior samples were uploaded in June 2021. Further Sekoia wrote in its blog post that the campaign has all elements of a supply chain attack since the hackers control the host servers of the app.

“We noticed that a chat application named MiMi retrieved the rshell executable, an app we came across recently while investigating threat actor Earth Berberoka. We noticed Iron Tiger controlling the servers hosting the app installers of MiMi, suggesting a supply chain attack.” the trend microblog post read.

Chinese Group Botnet Illegally Mine Crypto

 

Linux and cloud app vulnerabilities have been used by the 8220 Group crypto mining gang to expand their botnet to over 30,000 affected systems.

Over the course of just the previous month, SentinelOne researchers reported detecting this notable rise in the number of infected hosts. The malicious botnet, according to analysts, was only active on 2,000 servers worldwide by the middle of 2021.

The 8220 group has been operating at least since 2017. The hackers are China-based and the organization's name is derived from the port 8220 that the miner uses to connect to the C2 servers. 

Operation tactics

According to reports, the growth was spurred by the adoption of Linux, widespread vulnerabilities in cloud applications, and inadequately secured setups for services like Docker, Apache WebLogic, and Redis.

This group has used a publically available exploit in the past to breach confluence systems. Once inside, the attackers employ SSH brute force to spread out and commandeer the available computing power to operate crypto miners that point to untraceable pools.

Another improvement is the script's usage of block lists to prevent infections on particular hosts, usually, honeypots set up by security researchers.

Lastly, 8220 Gang has updated PwnRig, their proprietary crypto miner based on XMRig, an open-source Monero miner.

Microsoft researchers claim that the gang has actively upgraded its payloads and tactics over the past year. In a recent campaign, the organization targeted Linux systems running on i686 and x86 64 architectures and gained early access using RCE exploits for CVE-2022-26134 (Atlassian Confluence) CVE-2019-2725 (WebLogic) vulnerabilities.

In addition to underscoring a more intense "fight" to seize control of victim systems from rival cryptojacking-focused groups, the operations' expansion is seen as an effort to counteract the declining value of cryptocurrencies.



Chinese APT Utilizes Ransomware to Cover Cyberespionage

 

A China-based advanced persistent threat (APT) group called Bronze Starlight has been active since the start of 2021. It appears to be using double-extortion attacks and ransomware as cover for routine, state-sponsored cyberespionage and intellectual property theft. 

The distribution of post-intrusion ransomware, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0, is a feature of Bronze Starlight. Microsoft also labeled it as part of the DEV-0401 emerging threat cluster, highlighting its involvement in all phases of the ransomware attack cycle, from initial access to the payload dissemination.

China's Correlation

The threat actor has always loaded Cobalt Strike Beacon and then released ransomware on compromised computers using a malware loader known as the HUI Loader, which is solely utilized by  Chinese-based organizations. This method has not been noticed by other threat actors, according to Secureworks researchers.

Researchers from Secureworks believe that Bronze Starlight is more likely motivated by cyberespionage and intellectual property (IP) theft than financial gain due to the short lifespan of each ransomware family, victimology, and access to tools used by Chinese state hacktivists (including known vulnerabilities and the HUI Loader). HUI Loader has been used to distribute malware such as Cobalt Strike, QuasarRAT, PlugX, and SodaMaster as well as remote access trojans (RATs) at least since 2015.

Attacks carried out by the actor are distinguished by the use of vulnerabilities influencing Exchange Server, Zoho ManageEngine ADSelfService Plus, Atlassian Confluence, and Apache Log4j. This contrasts with other RaaS groups that obtain access from initial access brokers (IABs) to enter a network. 

The similarity between Ransomware 

Additionally, a familiar actor is apparent from the similarities found between LockFile, Atom Silo, Rook, Night Sky, and Pandora, the latter three of which were developed from the Babuk ransomware, the source code of which was leaked in September 2021. 

The researchers write that the use of HUI Loader to load Cobalt Strike Beacon, the configuration data for Cobalt Strike Beacon, the C2 network, and the code overlap "indicate that the same threat group is linked with these 5 ransomware families."

The use of the HUI Loader to launch next-stage encrypted payloads like PlugX and Cobalt Strike Beacons, which are used to disseminate the ransomware, is another instance of detected tradecraft. However, this technique requires first getting privileged Domain Administrator credentials. 

The main victims are American and Brazilian pharmaceutical firms, a U.S. media outlet with branches in China and Hong Kong, Lithuanian and Japanese electronic component designers and manufacturers, a U.S. legal company, and the aerospace & defense unit of an Indian conglomerate. 

To achieve this, ransomware operations not only give the threat actor a way to phish data as a result of the double extortion, but they also give them a chance to erase forensic proof of its destructive actions and distract them from data theft.

Sophos Firewall Zero-Day Flaw Exploited by Hackers

 

Chinese hackers leveraged a zero-day exploit for a vital vulnerability in Sophos Firewall to infiltrate a corporation and gain access to the victim's cloud-hosted web servers. Although the security flaw has been patched, many threat actors have continued to use it to escape authentication and execute arbitrary code remotely on businesses. 

Sophos Firewall's User Portal and Webadmin parts were found to have an authentication bypass vulnerability, which was tagged as CVE-2022-1040 on March 25. 

Researchers from Volexity revealed that Chinese threat actors used the zero-day vulnerability in Sophos Firewall (CVE-2022-1040) to hack a corporation and its cloud-hosted web servers. The threat actor was still operational when Volexity started the study, and the researchers were able to track the attacker's movements, showing a clever adversary who tried to go undiscovered.

According to the researchers, "the attacker was using access to the firewall to conduct man-in-the-middle (MitM) assaults." "Data obtained from these MitM assaults was used by the attacker to target further systems outside of the network where the firewall was located." Following the firewall breach, the infection sequence included backdooring a legitimate component of the security software with the Behinder web shell, which could be accessed remotely from any URL chosen by the threat actor.

Securing web server access 

Apart from the web shell, Volexity discovered further malicious behavior that maintained the threat actor's survival and allowed them to carry on the attack: 
  • The initial phase in the assault is gaining access to the Sophos Firewall, which permits a Man-in-the-Middle (MitM) attack by altering DNS replies for specified websites of the victim companies. 
  • Using stolen session cookies, the attacker gains access to the CMS admin page and then installs a File Manager plugin to manipulate files on the website. 
For a simpler investigation of intrusions, the firm advises using the auditd framework on Unix-based servers. Vendors' devices should also include tools for analyzing potential security flaws. Volexity also made a set of YARA rules accessible that may be used to detect unusual behavior from this form of threat.

Chinese Attackers Abused Sophos Firewall Zero-Day Bug to Target South Asian Organizations

 

Chinese hackers exploited a critical security vulnerability in Sophos' firewall product that came to light earlier this year to infiltrate multiple organizations in the South Asia region. 

The security bug has been patched in the meantime but multiple hackers continued to exploit it to bypass authentication and run arbitrary code remotely on several organizations. 

On March 25, Sophos issued a security patch about CVE-2022-1040, an authentication bypass flaw that affects the User Portal and Webadmin of Sophos Firewall and could be weaponized to implement arbitrary code remotely. 

Earlier this week, Volexity researchers detailed an assault from a Chinese APT group they track as DriftingCloud, which exploited CVE-2022-1040 since early March, a little over three weeks before Sophos issued a patch. The hackers employed a zero-day exploit to drop a webshell backdoor and target the customer’s staff. 

“This particular attack leveraged a zero-day exploit to compromise the customer’s firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer’s staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization’s public-facing websites.” reads a blog post published by Volexity researchers. “This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature.” 

The adversary used the zero-day exploit to compromise the firewall to install webshell backdoors and malware that would enable compromising external systems outside the network protected by Sophos Firewall. Volexity spotted the breach while investigating suspicious traffic generated from the Sophos Firewall to key systems in its customer’s networks. The examination of the logs revealed significant and repeated suspicious access aimed at a valid JSP file (login.jsp). 

Further investigation disclosed that the hackers were using the Behinder framework, which was employed by other Chinese APT groups in assaults abusing the recently disclosed CVE-2022-26134 vulnerability in Confluence servers. 

The exploitation of the Sophos Firewall was the first stage of the attack chain, APT group later launched man-in-the-middle (MitM) assaults to steal data and use them to exploit additional systems outside of the network where the firewall resided. Once secured access to the target webservers, the hackers installed multiple open-source malware, including PupyRAT, Pantegana, and Sliver.

Zimbra Memcached Injection Bug Patched

According to SonarSource, an open-source alternative to email servers and collaboration platforms such as Microsoft Exchange. Since May 10, 2022, a patch has been released in Zimbra versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. Zimbra is utilized by organizations, governments, and financial institutions throughout the world. 

Unauthenticated attackers might contaminate an unwary victim's cache, according to Simon Scannell, a vulnerability researcher at Swiss security firm Sonar. The vulnerability has been assigned the number CVE-2022-27924 (CVSS: 7.5), and it has been described as a case of "Memcached poisoning with unauthorized access," which might allow an attacker to inject malicious commands and steal sensitive data. 

Since newline characters (\r\n) in untrusted user input were not escaped, attackers were able to inject arbitrary Memcached instructions into a targeted instance, causing cached entries to be overwritten. Memcached servers keep track of key/value pairs that may be created and retrieved using a simple text-based protocol and analyze data line by line. A malicious actor might alter the IMAP route entries for a known username by sending a specially crafted HTTP request to the susceptible Zimbra server, according to the researchers. When the genuine user logs in, the Nginx Proxy in Zimbra will send all IMAP communication, including the credentials in plain text, to the attacker. 

Knowing the victim's email address, and utilizing an IMAP client makes it easier for the attacker to abuse the vulnerability. A second attack technique allows users to circumvent the aforesaid constraints and steal credentials for any user with no involvement or knowledge of the Zimbra instance. This is accomplished through "Response Smuggling," a different approach that makes use of a web-based Zimbra client. Cross-site scripting (XSS) and SQL injection issues caused by a lack of input escaping "are well known and documented for decades," as per Scannell, but "other injection vulnerabilities can occur that are less well known and can have a catastrophic consequence." 

As a result Scannell, advises programmers to "be cautious of special characters that should be escaped when coping with technology where there is less documentation and research regarding potential vulnerabilities." The bug was discovered four months after Zimbra provided a hotfix for an XSS flaw that was exploited in a series of sophisticated spear-phishing efforts attributed to an undisclosed Chinese threat group.

 New Linux Malware Syslogk has a Clever Approach of Staying Undetected

 

Syslogk, a newfound clever form of Linux malware, installs a backdoor that remains hidden on the target device until its controller sends so-called 'magic packets' from anywhere on the internet. It is mostly based on Adore-Ng, a Chinese open-source kernel rootkit for Linux. 

Adore-Ng which has been around since 2004, is a free open-source rootkit, that gives an attacker complete control over an infected system. Syslogk can force-load its packages into the Linux kernel (versions 3. x are supported), hide folders or spoof files and network traffic, and ultimately load a backdoor named 'Rekoobe.' 

How does the malware work?

Syslogk was originally discovered in early 2022, with the sample constructed for a specific kernel version – meaning it could be loaded without being forced – and the payload named PgSD93ql, which disguised it as a PostgreSQL file. 

"Rekoobe is a piece of code that has been placed in genuine servers," according to Avast security researchers. "In this case, it's embedded in a phony SMTP server that, when given a specially designed command, spawns a shell." 

The rootkit was created to hide harmful files, malicious software, and its malicious payload from showing on the list of operating services, to deliver the malicious payload when it received a specially constructed TCP packet, and to halt the payload if the attacker directed it to. 

Rekoobe appears to be a harmless SMTP server, but it is built on an open-source project called Tiny SHell, so it contains a backdoor command for generating a shell that allows it to run arbitrary instructions for data mining. Despite the restricted support for Linux kernel versions, Avast claims that using Syslogk and Rebooke on a bogus SMTP server gives an attacker a strong toolkit. 

The Syslogk rootkit is yet one piece of highly evasive malware for Linux systems, joining the likes of Symbiote and BPFDoor, which both exploit the BPF system to monitor and dynamically change network traffic. Ransomware campaigns, crypto attacks, and other data theft illicit behavior are increasingly being launched against Linux systems and cloud infrastructure making it a vulnerable target. 
 
As in the case of Syslogk, the initiative is in its early stages of development, so it's unclear whether it'll become a wide-scale threat. However, given its secrecy, it will almost certainly continue to release new and improved versions.

China's Attacks on Telecom Providers Were Exposed by US

 

Since 2020, US cybersecurity and intelligence agencies have cautioned about state-sponsored cyber attackers located in China using network vulnerabilities to target public and private sector enterprises.

Chinese hacking gangs have used publicly known vulnerabilities to infiltrate everything from unpatched small office/home office (SOHO) routers to moderate and even big enterprise networks, according to a joint cybersecurity alert released on Tuesday by the NSA, CISA, and the FBI. 

Several servers are used by China-linked APTs to create new email accounts, host command and control (C&C) domains, and connect with target networks, using hop points as an obfuscation strategy to mask its true location."Once within a telecommunications organization or network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, including systems critical to ensuring the stability of authentication, authorization, and accounting," as per the report. 

These threat actors are continually altering their techniques to avoid detection, according to US authorities, including watching network defenders' actions and adjusting current attacks to remain undiscovered. 

They were also seen changing the infrastructure and tools when the campaigns were made public. After stealing credentials to access underlying SQL databases, the attackers utilized SQL commands to discard user and admin credentials from key Remote Authentication Dial-In User Service (RADIUS) servers. The three US agencies have revealed that Chinese threat actors primarily exploit vulnerabilities in: 
  • Cisco (CVE-2018-0171, CVE-2019-15271, and CVE-2019-1652)
  • Citrix (CVE-2019-19781) 
  • DrayTek (CVE-2020-8515) 
  • D-Link (CVE-2019-16920) 
  • Fortinet (CVE-2018-13382) 
  • MikroTik (CVE-2018-14847) 
  • Netgear (CVE-2017-6862) 
  • Pulse ( (CVE-2020-29583) 

Open-source tools such as RouterSploit and RouterScan (vulnerability scanning framework) are used by threat actors to scan for vulnerabilities and conduct reconnaissance, allowing them to identify brands, models, and known problems that can be attacked. 

"Once within a network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, particularly systems critical to maintaining the security of authentication, authorization, and accounting," as per the joint advisory.

Lastly, the attackers altered or deleted local log files to eliminate proof of its presence and avoid discovery. Security updates should be applied as quickly as feasible, unneeded ports and protocols should be disabled to reduce the attack surface, and end-of-life network infrastructure which no longer receives security patches should be replaced, according to federal agencies.

Segmenting networks to prevent lateral movement and enabling robust monitoring on internet-exposed services to discover attack attempts as soon as possible are also recommended.

European Organizations Targeted by 'Mustang Panda’ Hacking Group

 

Cybersecurity researchers have unearthed a new campaign by advanced persistent threat (APT) group Mustang Panda targeting European and Russian organizations using topical spear-phishing lures linked to the war in Ukraine. 

Mustang Panda, also known as RedDelta, Bronze President, or TA416 has been active since at least 2012 and over the years has targeted entities in EU member states, the United States and Asian countries where China has interests. The targets have included diplomatic organizations, non-governmental organizations (NGOs), religious organizations, telecommunication firms, and political activists.

"Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves," Cisco Talos said in a new report published this week. 

The hacking group is known for designing its phishing lures based on current scenarios that might be of interest to its targets. These have included the COVID-19 pandemic, international summits, and political topics. The attacks observed this year by researchers from Cisco Talos and several other security firms used reports from EU institutions regarding the security situation in Europe both before and after Russia's invasion of Ukraine. 

Mustang Panda modus operandi 

The PlugX RAT, also known as KorPlug, continues to remain the Mustang Panda's preferred spying tool. is Mustang Panda’s malware of choice. The threat actor has used multiple variants of it for several years, together with other threat actors originating from China. 

Recent attack campaigns spotted this year have primarily phishing messages containing malicious lures masquerading as official European Union reports on the ongoing conflict in Ukraine or Ukrainian government reports, both of which download malware onto infected devices. 

A similar technique is also used to target various entities in the U.S. and several Asian countries like Myanmar, Hong Kong, Japan, and Taiwan. 

The researchers also spotted Mustang Panda distributing a malicious file containing PlugX with a Russian name referencing the Blagoveshchensk Border Guard Detachment. But similar attacks identified towards the end of March 2022 show that the actors are upgrading their tactics by minimizing the remote URLs used to obtain different components of the infection chain. 

Other than PlugX, infection chains utilized by the APT group have involved the deployment of custom stagers, reverse shells, Meterpreter-based shellcode, and Cobalt Strike, all of which are used to establish remote access to their targets with the intention of conducting espionage and information theft. 

"By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft," Talos researchers added.