Daily Drop (752): AZORult Malware, ViaSat: AcidRain, Earth Krahang: China APT, Ukrainian 'Hacktivists', Operation PhantomBlu, E-Root Marketplace, Fujitsu Reports Malware, DEEP#GOSU, Fancy Bear
03-19-24
Tuesday, Mar 19 2024 // (IG): BB // ShadowNews // Coffee for Bob // Proxies
*Started adding Proof of Concept (PoC) links, where available, for the CVEs mentioned:
A Proof of Concept (PoC) is a small exercise to test a certain hypothesis or demonstrate that a potential project can be viable. It is primarily used to verify that certain concepts or theories have the potential for real-world application. The purpose of a PoC is to showcase the feasibility, functionality, and potential of a concept before proceeding to the development of the full-scale project.*
Sophisticated HTML Smuggling Campaign Uses Fake Google Sites to Distribute AZORult Malware
Bottom Line Up Front (BLUF): A new cybersecurity threat has emerged, exploiting bogus Google Sites pages and an advanced HTML smuggling technique to deliver the AZORult malware, a commercial information stealer. The campaign, which has not been attributed to any specific group, is characterized by its use of an external JSON file for smuggling the malicious payload, circumventing traditional security measures and aiming to harvest sensitive user data for sale on the dark web.
Analyst Comments: This latest phishing campaign represents a significant evolution in cyberattack strategies, leveraging the legitimacy of Google Sites to create counterfeit documents that deploy malware via HTML smuggling. The addition of a CAPTCHA barrier further lends an air of legitimacy to these malicious sites, complicating efforts to automatically detect and block them. The use of cloud services such as Dropbox in the malware's command-and-control infrastructure showcases the adaptability of threat actors, emphasizing the need for organizations to enhance their cybersecurity posture.
FROM THE MEDIA: The cybersecurity community has identified a malicious operation utilizing HTML smuggling to distribute the AZORult malware, known for its ability to steal credentials, browser cookies, history, and cryptocurrency wallet data. Initiated through phishing emails containing a ZIP archive, the attack employs a rogue .LNK file that appears as a benign PDF document. This file, in reality, launches a series of scripts that fetch the AZORult loader and ultimately deploy the stealer malware, utilizing evasion techniques to bypass detection by anti-malware products.
READ THE STORY: THN
New Variant of Malware Targeting Satellite Modems Emerges, Signaling Evolution in Cyber Warfare Tactics
Bottom Line Up Front (BLUF): A newly identified variant of the wiper malware, "AcidPour," presents enhanced capabilities over its predecessor "AcidRain," used in the 2022 cyberattack on Viasat's satellite modems amidst the Russian invasion of Ukraine. Spotted by SentinelOne researchers, this evolution marks a significant shift in the landscape of cyber warfare, potentially targeting a broader range of devices beyond modems, including RAID arrays and embedded systems, raising alarms about the resilience of critical infrastructure against sophisticated cyber threats.
Analyst Comments: The emergence of "AcidPour" underscores a persistent and evolving threat from state-sponsored actors, particularly in the context of the ongoing conflict between Russia and Ukraine. This development not only reflects the tactical evolution of cyber warfare capabilities but also highlights a strategic intent to disrupt communications and critical infrastructure. The ability of "AcidPour" to target RAID arrays and embedded systems suggests a move towards attacks that can cause more widespread and challenging-to-recover damages.
FROM THE MEDIA: The "AcidPour" malware represents an advanced iteration of the "AcidRain" wiper malware, initially deployed to disrupt Ukrainian military communications by targeting satellite modems provided by the U.S.-based company Viasat. Discovered by Tom Hegel of SentinelOne, "AcidPour" introduces new technical features capable of inflicting broader damage, indicating potential use in more extensive service disruptions. The malware's enhanced capabilities allow it to wipe not only modems but also RAID arrays and Unsorted Block Image File Systems (UBIFS), targeting a wider array of embedded devices critical to various sectors. The sophistication of "AcidPour" raises concerns over the preparedness of critical infrastructure to withstand such attacks, emphasizing the need for advanced detection and recovery solutions. The identification and analysis of this malware variant were facilitated by its upload to VirusTotal, a platform for sharing information on malware, signaling the crucial role of collaborative efforts in cybersecurity.
READ THE STORY: Cyberscoop
Earth Krahang: Unveiling the Stealth Operations of a Chinese Espionage Group
Bottom Line Up Front (BLUF): The Earth Krahang group, a previously unidentified Chinese espionage outfit, has been implicated in a substantial breach of at least 70 organizations across 23 countries, utilizing primarily open-source tools and social engineering tactics. Despite its relatively standard modus operandi, Earth Krahang's global reach and the high-profile nature of its targets—predominantly within the government sector—spotlight the persistent and sophisticated threat posed by state-sponsored cyber espionage groups.
Analyst Comments: Earth Krahang's operations reveal a strategic approach to cyber espionage that emphasizes breadth over technical sophistication. By leveraging open-source tools and exploiting known vulnerabilities, such as CVE-2023-32315 and CVE-2022-21587, Earth Krahang demonstrates that even well-documented methods can be highly effective in penetrating high-level targets. This campaign's success underscores the critical need for organizations to maintain vigilant cybersecurity practices, including regular patching and monitoring for anomalous activities.
FROM THE MEDIA: Trend Micro's latest findings on Earth Krahang offer a detailed glimpse into the group's expansive cyber espionage campaign, which has successfully compromised a wide array of targets across the globe. The group's use of open-source scanning tools to identify and exploit vulnerabilities in public-facing servers highlights a pragmatic approach that relies on the sheer volume of attacks to achieve its objectives. Additionally, Earth Krahang's exploitation of compromised Ubiquiti routers to host WebDAV and C2 servers showcases an adeptness at utilizing existing infrastructures to further their espionage efforts. The diversity of sectors targeted by Earth Krahang, including government, education, telecommunications, finance, IT, sports, and more, illustrates the group's broad strategic interests and its role in furthering the Chinese Communist Party's intelligence-gathering capabilities.
READ THE STORY: DarkReading // PoC: CVE-2023-32315 and CVE-2022-21587
Ukrainian 'Hacktivists' Take on Russia in Cyberwarfare Front
Bottom Line Up Front (BLUF): In response to Russia's invasion of Ukraine, volunteer hacking groups, including the IT Army of Ukraine, have emerged to fight back on the digital front. These 'hacktivists' conduct operations aimed at causing economic and moral damage to Russia, while navigating the intricate rules of international law and cyber ethics. Despite their informal status, many of these groups maintain close connections with Ukrainian government and intelligence agencies, contributing significantly to the country's defense efforts through cyberwarfare.
Analyst Comments: The rise of 'hacktivism' in the context of the Ukraine conflict represents a pivotal shift in the nature of warfare, where digital battlegrounds are becoming as crucial as physical ones. The involvement of civilians in cyberwarfare activities blurs traditional lines between combatants and non-combatants, raising significant legal and ethical questions. International law provides a framework for what is permissible, emphasizing the importance of avoiding civilian targets. However, the reality of cyber conflicts often complicates adherence to these norms. The strategic choice by Ukrainian 'hacktivists' to target financial sectors underlines the economic dimension of modern warfare, where disrupting the adversary's economy can have tangible effects on their war effort.
FROM THE MEDIA: Artem and other members of volunteer hacking organizations like the IT Army of Ukraine have positioned themselves as key players in the digital resistance against Russian forces. These groups, though officially independent, work closely with Ukrainian authorities and intelligence, aiming to disrupt Russian operations and gather valuable intelligence. Their tactics range from simple Distributed Denial of Service (DDoS) attacks to sophisticated efforts aimed at collecting and exploiting confidential information to undermine Russian military operations. Despite the challenges and risks involved, these 'hacktivists' are motivated by a sense of duty to defend their country and contribute to its war efforts using their digital skills.
READ THE STORY: Firstpost
Operation PhantomBlu: Sophisticated Cyber Campaign Deploys NetSupport RAT via Innovative Techniques
Bottom Line Up Front (BLUF): Operation PhantomBlu represents a significant shift in cyberattack methodologies, utilizing innovative tactics, techniques, and procedures (TTPs) to evade detection systems and deploy the NetSupport Remote Access Trojan (RAT). By exploiting the legitimate features of the NetSupport Manager tool, attackers orchestrate a complex chain of actions to gain unauthorized access to US-based organizations' networks, highlighting the need for advanced detection mechanisms in cybersecurity defenses.
Analyst Comments: The emergence of Operation PhantomBlu underscores the evolving sophistication of cyber adversaries, who now leverage the very tools designed for IT support to conduct espionage and data theft. The campaign's use of Object Linking and Embedding (OLE) template manipulation and social engineering to deliver malware represents a nuanced shift towards more evasive attack vectors. This approach not only challenges traditional security measures but also emphasizes the importance of continuous innovation in cybersecurity practices to counter these advanced threats.
FROM THE MEDIA: Perception Point's analysis of Operation PhantomBlu reveals a multifaceted campaign aimed at deploying the NetSupport RAT through deceptive means. Attackers initiate contact through phishing emails, appearing to offer monthly salary reports from an accounting service. Recipients are tricked into enabling malicious macros within a seemingly benign Office Word document, which ultimately leads to the downloading and execution of the NetSupport RAT. This process is facilitated by the manipulation of OLE templates, a method not previously observed in NetSupport RAT distribution, enabling the malware to bypass conventional security systems unnoticed.
READ THE STORY: THN // Perception Point
Moldovan National Sentenced in US for Cybercrime Involving Illicit Sale of Over 350,000 Compromised Credentials
Bottom Line Up Front (BLUF): Sandu Boris Diaconu, a 31-year-old from Moldova, has been sentenced to 42 months in federal prison by a US court for his role in creating and managing the E-Root Marketplace. This digital platform was implicated in the widespread sale of compromised computer credentials, enabling unauthorized access to systems globally. Diaconu's guilty plea encompasses charges of conspiracy to commit access device and computer fraud, alongside possession of unauthorized access devices. This sentencing marks a significant victory for cybersecurity enforcement agencies in their ongoing battle against international cybercrime.
Analyst Comments: The sentencing of Sandu Boris Diaconu underscores a growing trend of global cooperation in the fight against cybercrime. The E-Root Marketplace, under Diaconu’s administration, facilitated a vast network of digital fraud, affecting countless individuals and organizations worldwide. By operating a platform that sold over 350,000 compromised credentials, Diaconu enabled a variety of cybercrimes, from ransomware attacks to identity theft. His arrest and extradition from the UK, followed by the sentencing in the US, highlight the complexities and challenges of policing the digital frontier.
FROM THE MEDIA: The Department of Justice announced the sentencing of Sandu Boris Diaconu after he pleaded guilty to charges related to cybercrime through the E-Root Marketplace, an online platform notorious for trading compromised computer credentials. Operating from January 2015 until February 2020, Diaconu's marketplace allowed cybercriminals to buy access to hacked computers and servers, including those within the US, facilitating various illicit activities. The marketplace boasted a sophisticated structure to anonymize transactions and hide user identities, utilizing digital currencies and an online payment system called Perfect Money for financial transactions. Over 350,000 credentials were sold on this platform, leading to significant cybersecurity breaches, including ransomware attacks and identity theft.
READ THE STORY: GBhackers // THN // Justice.gov
Fujitsu Reports Malware Discovery on Corporate Network, Raises Alarm Over Potential Data Breach
Bottom Line Up Front (BLUF): Fujitsu, a leading IT services provider based in Japan, has announced the detection of malware on its corporate network, prompting concerns over the potential theft of personal and customer information. The company is investigating the malware's entry point and the extent of the data breach, which remains undetermined.
Analyst Comments: The revelation of malware within Fujitsu's corporate network highlights the continuous and evolving threat landscape that even the largest and most technologically advanced companies face. Fujitsu, with its vast global footprint and significant role in providing IT services, including to the Japanese government, finds itself in a precarious position that could undermine trust among its clientele. This incident not only stresses the importance of robust cybersecurity measures but also the need for transparency in the wake of potential data breaches.
FROM THE MEDIA: Fujitsu has disclosed a cybersecurity breach involving the discovery of malware on its corporate network, leading to concerns over a potential data breach affecting personal and customer information. The company, a giant in the IT sector with a significant global presence and a history of providing services to critical sectors, including the Japanese government, is actively investigating the breach. This incident follows previous cybersecurity challenges faced by Fujitsu, including a hack of its ProjectWEB platform in 2021 that affected multiple Japanese government agencies. Fujitsu has reported the recent incident to Japan's data protection authority and is in the process of assessing the breach's impact. As investigations continue, the company has apologized for the inconvenience and concern caused to all involved parties.
READ THE STORY: arsTechnica // DARKREADING // systemtek
Analyzing the Detrimental Impact of Internet Disruptions on Democratic Engagement and the Digital Economy
Bottom Line Up Front (BLUF): Internet blackouts, initiated by governments worldwide, are increasingly being used as a tool to suppress dissent, control information flow, and disrupt economic activities. These intentional disruptions of internet access, ranging from total shutdowns to bandwidth throttling, pose significant threats to democratic principles, economic stability, and the social fabric of societies. With a record number of shutdowns reported in recent years, the need for concerted efforts to combat these disruptions and uphold digital rights has never been more critical.
Analyst Comments: The phenomenon of government-imposed internet blackouts is not just a violation of digital rights; it is a direct assault on the foundational elements of democracy itself. By cutting off access to information and stifling free expression, these blackouts undermine the democratic process, especially during crucial periods such as elections and social movements. The economic repercussions are equally dire, with significant losses to GDP in affected countries due to disruptions in e-commerce, mobile banking, and international investments. The cases of Pakistan and India, where prolonged internet blackouts have crippled businesses and hampered civil society's ability to operate, highlight the urgent need for a multi-stakeholder approach to advocacy against internet disruptions.
FROM THE MEDIA: The global surge in internet blackouts, notably in countries like India, Nigeria, and during significant events in Myanmar and Uganda, has alarmed activists, businesses, and policymakers alike. These blackouts are often justified by governments as necessary for national security or public order but are primarily aimed at quelling dissent and controlling the narrative during political unrest, elections, and crises. The impact on the private sector is profound, with businesses suffering immediate revenue losses and long-term damage to consumer trust and investment climate. Media outlets and civil society organizations face severe restrictions on their ability to report on events, organize, and communicate, further eroding democratic engagement and accountability.
READ THE STORY: CIPE
Machine Learning Model Repositories: A New Frontier for Supply Chain Cybersecurity Threats
Bottom Line Up Front (BLUF): Machine learning model repositories, such as Hugging Face, have become the latest target for supply chain cyberattacks, posing significant security risks akin to those seen with traditional open source code repositories like npm and PyPI. Researchers at Dropbox have demonstrated multiple techniques for distributing malware via ML models, underscoring the urgent need for organizations to implement robust inspection and security controls for ML models before deployment.
Analyst Comments: The shift towards integrating machine learning (ML) models into development environments has opened up new avenues for cyberattacks, mirroring historical threats seen in open source repositories. This trend underscores the complexity and evolving nature of supply chain security in the digital age. ML models, by virtue of their access to sensitive information and environments, offer a potent vector for malware distribution, necessitating a reevaluation of security strategies. The case of Hugging Face, a popular repository for ML tools and models, exemplifies the susceptibility of ML ecosystems to these risks. The ease with which attackers can impersonate legitimate organizations or exploit model naming conventions to deliver malware highlights a critical vulnerability within the ML supply chain.
FROM THE MEDIA: In the realm of cybersecurity, ML model repositories have emerged as the next battleground for supply chain attacks, with Hugging Face drawing particular attention due to its widespread use among developers. Despite efforts to secure these platforms, including malware scans and the introduction of safer data storage formats like Safetensors, the threat persists. Researchers have exposed vulnerabilities that could allow attackers to execute malware, gain unauthorized access, and compromise sensitive data by exploiting the inherent trust in these repositories. Notably, attackers have begun to explore sophisticated techniques for embedding malicious code within ML models, demonstrating the capability to execute arbitrary code under the guise of legitimate model functionality.
READ THE STORY: DarkReading
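The "inspection before deployment" control the item above calls for, as an added example (not code from the newsletter, Dropbox, or Hugging Face). It assumes the common PyTorch-style case in which a checkpoint is a Python pickle stream, where a GLOBAL followed by REDUCE lets the file call any importable callable at load time; the scanner parses opcodes with pickletools without unpickling anything, flags globals outside an illustrative allowlist, and passes Safetensors files through because that format carries no code.

```python
"""Static inspection of ML model artifacts before they are loaded.
Added example; not the newsletter's, Dropbox's or Hugging Face's code.
Assumption: pickle-based checkpoints (PyTorch style). Nothing here unpickles;
pickletools.genops only parses opcodes. All sample blobs are constructed."""
import json
import pickle
import pickletools
import struct
from typing import Dict, List

# Illustrative allowlist of globals a plain tensor checkpoint needs.
# A real deployment derives this from the loader version actually in use.
ALLOWED_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
}
# Opcodes that invoke a callable or constructor while loading.
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "UNICODE", "STRING",
                  "SHORT_BINSTRING", "BINUNICODE8"}


def is_safetensors(blob: bytes) -> bool:
    """Safetensors layout: u64 LE header length, JSON header, raw tensor bytes."""
    if len(blob) < 8:
        return False
    (hdr_len,) = struct.unpack("<Q", blob[:8])
    if hdr_len > len(blob) - 8:
        return False
    try:
        header = json.loads(blob[8:8 + hdr_len])
    except ValueError:
        return False
    return isinstance(header, dict)


def pickle_globals(blob: bytes) -> Dict[str, object]:
    """Walk the opcode stream; collect referenced globals and call opcodes."""
    globals_seen: List[str] = []
    recent_strings: List[str] = []  # heuristic operand tracking for STACK_GLOBAL
    calls = 0
    for op, arg, _pos in pickletools.genops(blob):
        if op.name in STRING_OPCODES:
            recent_strings.append(str(arg))
        elif op.name == "GLOBAL":                 # protocol 0-3: "module name"
            module, name = str(arg).split(" ", 1)
            globals_seen.append(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            globals_seen.append(f"{recent_strings[-2]}.{recent_strings[-1]}")
        if op.name in CALL_OPCODES:
            calls += 1
    return {"globals": globals_seen, "calls": calls}


def scan_model(blob: bytes) -> Dict[str, object]:
    """Verdict for one model file: format, risk, and unexpected globals."""
    if is_safetensors(blob):
        return {"format": "safetensors", "risk": "low", "unexpected": [], "calls": 0}
    try:
        info = pickle_globals(blob)
    except (ValueError, IndexError, struct.error):
        return {"format": "unknown", "risk": "reject", "unexpected": [], "calls": 0}
    unexpected = sorted(set(info["globals"]) - ALLOWED_GLOBALS)
    return {"format": "pickle", "risk": "high" if unexpected else "low",
            "unexpected": unexpected, "calls": info["calls"]}


def sample_safetensors() -> bytes:
    """Constructed minimal Safetensors file with one 2-element F32 tensor."""
    header = json.dumps({"w": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
    return struct.pack("<Q", len(header)) + header + b"\x00" * 8


# Constructed protocol-0 stream: GLOBAL builtins.print, MARK, STRING, TUPLE,
# REDUCE, STOP. A harmless callable stands in for what a hostile file references.
SAMPLE_CODE_PICKLE = b"cbuiltins\nprint\n(S'constructed sample'\ntR."


def sample_plain_pickle() -> bytes:
    """Constructed checkpoint-like pickle with no globals at all."""
    return pickle.dumps({"weights": [0.1, 0.2]}, protocol=2)
```

Files with risk "high" or "reject" should be quarantined rather than loaded; the string tracking for STACK_GLOBAL is a heuristic, so treat its output as a trigger for manual review.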
Cybersecurity Experts Uncover North Korean-Linked Operation Using Advanced Techniques for Data Harvesting
Bottom Line Up Front (BLUF): Cybersecurity firm Securonix has uncovered an elaborate cyberattack campaign named DEEP#GOSU, utilizing PowerShell and VBScript to compromise Windows systems. Attributed to the North Korean state-sponsored group Kimsuky, this campaign employs a multi-stage infection process designed for stealthy operation and extensive data harvesting. Utilizing legitimate cloud services for command-and-control, DEEP#GOSU highlights the evolving sophistication of cyber threats and the critical need for advanced defensive strategies.
Analyst Comments: The DEEP#GOSU campaign represents a significant evolution in cyberattack methodologies, leveraging the credibility of legitimate cloud services like Dropbox and Google Docs to evade detection. This approach allows the attackers to blend seamlessly into normal network traffic, complicating the task of cybersecurity defenses. The campaign's multi-stage payload delivery system, incorporating tools for keylogging, clipboard monitoring, and data exfiltration, underscores the increasing complexity and stealth of modern cyber threats. Particularly concerning is the use of open-source RAT software for remote access, enabling attackers to execute commands and retrieve additional malicious payloads. This case study reinforces the necessity for organizations to adopt multi-layered security measures, including enhanced monitoring of cloud services and network traffic, to defend against such sophisticated threats.
FROM THE MEDIA: The DEEP#GOSU campaign initiates with a phishing email containing a malicious ZIP archive, deceiving users with a rogue .LNK file disguised as a PDF. This initial breach leverages embedded PowerShell scripts to fetch further payloads from Dropbox, including a .NET assembly file functioning as a RAT and additional VBScript for further system manipulation and persistence. The integration of cloud services for malware command-and-control and data exfiltration mechanisms illustrates a deliberate strategy to exploit trusted platforms for malicious purposes.
READ THE STORY: THN
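Both the AZORult item and the DEEP#GOSU item above describe the same initial access chain: a phishing ZIP carrying a .LNK shortcut dressed up as a PDF. As an added example (not code from the newsletter or either vendor), a mail-gateway style triage routine that opens such an archive and flags shortcut members by extension chain and by the Shell Link header, so a renamed shortcut is caught as well; the sample archive is constructed inline and is not a real campaign file.

```python
"""Triage ZIP attachments for Windows shortcut (.LNK) files posing as documents.
Added example, not part of the newsletter or any vendor's tooling.
The archive built by build_sample_zip() is constructed for this demo."""
import io
import zipfile
from typing import Dict, List

# ShellLinkHeader (MS-SHLLINK): HeaderSize 0x0000004C followed by LinkCLSID
# {00021401-0000-0000-C000-000000000046}, both little-endian on disk.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def classify_entry(name: str, head: bytes) -> Dict[str, object]:
    """Verdict for one archive member from its name and first bytes."""
    base = name.lower().rsplit("/", 1)[-1]
    exts = base.split(".")[1:]          # "report.pdf.lnk" -> ["pdf", "lnk"]
    has_lnk_header = head.startswith(LNK_MAGIC)
    reasons: List[str] = []
    # Explorer hides the .lnk suffix, so "x.pdf.lnk" renders as "x.pdf".
    if exts and exts[-1] == "lnk":
        reasons.append("shortcut extension")
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and exts[-1] not in DOC_EXTS:
        reasons.append("document extension used as decoy")
    if has_lnk_header and (not exts or exts[-1] != "lnk"):
        reasons.append("LNK header under non-.lnk name")
    if has_lnk_header and "shortcut extension" in reasons:
        reasons.append("LNK header confirmed")
    return {"name": name, "suspicious": bool(reasons), "reasons": reasons}


def triage_zip(blob: bytes) -> List[Dict[str, object]]:
    """Return verdicts for every suspicious member of an in-memory ZIP."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)      # header check needs only the first bytes
            verdict = classify_entry(info.filename, head)
            if verdict["suspicious"]:
                findings.append(verdict)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: decoy-named shortcut, benign text, renamed shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Salary_Report.pdf.lnk", LNK_MAGIC + b"\x00" * 32)
        zf.writestr("notes.txt", b"plain text")
        zf.writestr("attachments/invoice.pdf", LNK_MAGIC + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in triage_zip(build_sample_zip()):
        print(hit["name"], "->", ", ".join(hit["reasons"]))
```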
Items of interest
Fancy Bear (APT28): Targets Entities Across Multiple Continents
Bottom Line Up Front (BLUF): APT28, a cyber espionage group with ties to Russia, has been implicated in a series of sophisticated phishing campaigns targeting government and non-governmental organizations across Europe, the South Caucasus, Central Asia, and the Americas. Employing lure documents that mimic official communications, APT28 aims to infiltrate systems and steal sensitive information. IBM X-Force's recent findings highlight the group's adaptability and persistent threat to global cybersecurity.
Analyst Comments: By exploiting current geopolitical tensions and impersonating a variety of entities, APT28 demonstrates a high degree of strategic planning and technical prowess. The use of compromised infrastructure, such as Ubiquiti routers, for command and control further reveals the group's capability to leverage existing networks for malicious purposes. The deployment of custom backdoors and information stealers, coupled with advanced evasion techniques, points to a well-resourced and highly skilled adversary.
FROM THE MEDIA: Fancy Bear's phishing campaigns have been noted for their complexity, utilizing documents related to finance, critical infrastructure, and defense, among others, to deliver malware. Noteworthy is the group's use of the "search-ms:" URI protocol handler, illustrating innovative methods to bypass security measures and deploy malware. This activity, tracked by IBM X-Force from late 2023 to early 2024, signifies the persistent and evolving threat posed by APT28 to global security. The campaigns not only aim to gather intelligence but also potentially prepare the ground for more disruptive cyber operations.
READ THE STORY: THN
The Russian Cyber Espionage Group 'Fancy Bear' Revealed (Video)
FROM THE MEDIA: Fancy Bear, also known as APT28 (by Mandiant), Pawn Storm, Sofacy Group (by Kaspersky), Sednit, Tsar Team (by FireEye) and STRONTIUM or Forest Blizzard (by Microsoft), is a Russian cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU.
APT29: Unmasking The Cozy Bear Hackers Global Campaign (Video)
FROM THE MEDIA: Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR), a view shared by the United States.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.