Daily Drop (758): 14 Years Chinese Hacking Campaign, Active Exploitation of Fortinet and Ivanti, OFAC Cracks Down, CVE-2024-21762 PoC For Sale, Supply Chain Attack Targets GitHub Accounts, Minecraft
03-26-24
Tuesday, Mar 26 2024
*Started adding Proof of Concept (PoC) links, where available, for the CVEs mentioned:
A Proof of Concept (PoC) is a small exercise to test a certain hypothesis or demonstrate that a potential project can be viable. It is primarily used to verify that certain concepts or theories have the potential for real-world application. The purpose of a PoC is to show the feasibility, functionality, and potential of a concept before proceeding to development of the full-scale project.*
Massive Chinese Hacking Campaign Targets Millions of Americans and Global Democratic Institutions
Bottom Line Up Front (BLUF): In a significant cybersecurity breach, millions of Americans have become entangled in a Chinese hacking operation aimed at US officials and global democratic institutions. The United States, in coordination with the United Kingdom and other allies, has indicted seven Chinese nationals for their roles in a 14-year-long cyber espionage campaign. In response, sanctions and a rewards program have been implemented to curb these malicious activities, highlighting the growing tension between global powers over cybersecurity.
Analyst Comments: The revelation of this extensive Chinese hacking plot represents a stark reminder of the sophisticated cyber threats facing democratic institutions worldwide. By targeting individuals, businesses, and officials critical of China, this operation underscores the strategic use of cyber espionage to advance national interests and suppress dissent. The US and UK's coordinated response through sanctions and indictments signifies a firm stance against state-sponsored cyber attacks, emphasizing the importance of international collaboration in combating cyber threats. This incident will likely escalate tensions between China and the countries affected, prompting a reevaluation of cybersecurity policies and international cyber norms.
FROM THE MEDIA: The US Department of Justice and FBI disclosed a comprehensive Chinese cyber-attack campaign that compromised millions of American citizens' accounts and targeted US officials and global critics of China. According to BBC News, seven Chinese nationals have been indicted for their involvement in a cyber-attack campaign that persisted for 14 years, with the US State Department offering a reward of up to $10 million for information leading to their capture. This operation involved sending over 10,000 malicious emails to victims across continents, employing tactics like hidden tracking links in emails disguised as reputable news sources. Targets included not only individuals in the US, such as government officials and their spouses, but also foreign dissidents and companies in critical industries like defense and telecommunications.
READ THE STORY: CyberSecurityNews // The EurAsian // BBC // FT // THN
Active Exploitation of Fortinet, Ivanti, and Nice Linear Vulnerabilities
Bottom Line Up Front (BLUF): A cybersecurity warning from CISA alerts to active exploitation of three critical vulnerabilities in systems and software by Fortinet, Ivanti, and Nice Linear. The vulnerabilities, identified as CVE-2023-48788, CVE-2021-44529, and CVE-2019-7256, involve SQL injection, code injection, and OS command injection, posing severe risks to federal systems and potentially compromising sensitive information, allowing unauthorized data access, malware installation, or system disruptions.
Analyst Comments: The alert on these vulnerabilities underscores the perpetual cat-and-mouse game between cyber defenders and threat actors. The vulnerabilities span a broad spectrum of attack vectors, from SQL injection to OS command injection, illustrating the varied techniques employed by attackers. The affected software and systems—Fortinet FortiClient EMS, Ivanti Endpoint Manager Cloud Service Appliance, and Nice Linear eMerge E3-Series devices—highlight the critical importance of maintaining a robust cybersecurity posture across different technology stacks. This scenario also reflects the growing complexity of cybersecurity management, where a single overlooked.
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency (CISA) has recently issued a warning regarding the active exploitation of three critical vulnerabilities affecting Fortinet, Ivanti, and Nice Linear systems. These vulnerabilities are highly critical, with potential impacts including unauthorized access to sensitive information, data modification, malware installation, and operational disruptions. Specifically, CVE-2023-48788, an SQL injection flaw in Fortinet's FortiClient EMS, allows attackers to insert malicious SQL code, leading to unauthorized access or data manipulation. CVE-2021-44529, a code injection vulnerability in Ivanti's Endpoint Manager Cloud Service Appliance, enables attackers to execute unauthorized code and potentially take control of affected systems.
READ THE STORY: GBhackers // THN // Security Week // PoC: CVE-2023-48788, CVE-2021-44529, and CVE-2019-7256
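The CISA alert above names SQL injection as the flaw class in one of the three products. As an added illustration (not code from the advisory or from any of the vendors named, and unrelated to the specific CVEs), the following runs the same lookup twice against an in-memory SQLite table: once with the user's input pasted into the SQL text, once with the input passed as a bound parameter. The table, the input and the function names are all constructed for the example.

```python
import sqlite3


def _seed():
    # Constructed sample table; an in-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # String interpolation: whatever the caller supplies becomes part of the
    # SQL grammar, so quotes and operators in the input change the query logic.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Bound parameter: the driver sends the input as a value, never as SQL text,
    # so the same input can only ever match a user literally called that.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo(probe="x' OR '1'='1"):
    """Run both lookups with a tautology probe and return what each returns."""
    conn = _seed()
    return {
        "vulnerable": lookup_vulnerable(conn, probe),
        "parameterized": lookup_parameterized(conn, probe),
    }


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(f"{variant:13s} -> {rows}")
```

The interpolated version returns every row because the WHERE clause collapses to a tautology; the parameterized version returns nothing, which is the correct answer for a user named `x' OR '1'='1`. The fix is the same in any language: never build the statement from untrusted strings, bind them instead.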
Treasury's OFAC Cracks Down on Blockchain and Virtual Currency Companies Aiding Russia
Bottom Line Up Front (BLUF): The United States has intensified its sanctions regime against Russia by targeting blockchain and virtual currency firms accused of assisting Russian entities in evading existing sanctions. This action, aligned with a G7 leaders' agreement, targets 13 entities and two individuals linked to fintech operations in Russia, demonstrating a concerted effort to close loopholes in the global financial system that could undermine sanctions against Russia for its aggression in Ukraine.
Analyst Comments: The Treasury's recent sanctions on crypto firms reveal a sophisticated understanding of modern financial technologies used to circumvent traditional financial controls. By targeting these firms, the US not only aims to hinder Russia's ability to fund its war efforts but also sends a strong message to the fintech industry about the consequences of facilitating sanction evasion. This move underscores the evolving nature of financial warfare and the increasing role of digital currencies in global geopolitics. It also highlights the challenges and opportunities for regulatory bodies in tracking and controlling the flow of digital assets across borders.
FROM THE MEDIA: The US Treasury's Office of Foreign Assets Control (OFAC) has sanctioned several blockchain and virtual currency firms and individuals for their role in aiding Russian sanction evasion efforts. Among those targeted are Moscow-based fintech companies B-Crypto, Masterchain, Laitkhaus, Atomaiz, Veb3 Tekhnologii, and Veb3 Integrator, which have established partnerships with OFAC-designated Russian banks like Rosbank, Sberbank, and VTB Bank to facilitate cross-border settlements and issue digital financial assets using virtual currencies. Other entities include the virtual currency exchanges TOEP (operating as Netexchange and Netex24), Bitpapa, and Crypto Explorer DMCC, which have enabled transactions with sanctioned Russian entities and the dark web marketplace Hydra Market.
READ THE STORY: InfoSecMag // THN
CVE-2024-21762: A Critical Exploit Sale Threatening Fortinet’s FortiOS and FortiProxy Systems
Bottom Line Up Front (BLUF): A newly discovered vulnerability, CVE-2024-21762, targeting Fortinet’s SSL VPN functionality within its FortiOS and FortiProxy systems, has been advertised for sale on the dark web. This exploit, which facilitates remote code execution, highlights the continuous need for vigilant cybersecurity measures and rapid response to emerging threats.
Analyst Comments: The sale of a CVE-2024-21762 exploit on the dark web by Hunt3rkill3rs1 represents a significant threat to organizations relying on Fortinet’s FortiOS and FortiProxy systems. This exploit capitalizes on an out-of-bounds write vulnerability, emphasizing the criticality of addressing software vulnerabilities promptly to mitigate potential unauthorized access and data breaches. The exploit’s availability for purchase underscores the commercialization of cyber threats and the need for organizations to enhance their cybersecurity posture continuously.
FROM THE MEDIA: A report from The Cyber Express reveals the sale of an exploit targeting CVE-2024-21762, a critical vulnerability in Fortinet’s FortiOS and FortiProxy systems, on the dark web. This vulnerability allows for remote code execution through a flaw in the SSL VPN functionality. The exploit, offered by a user named Hunt3rkill3rs1 on a dark web forum, includes a proof-of-concept (PoC) and is sold for $315 in Bitcoin. The vulnerability was initially addressed by Fortinet in a February update; however, its exploitation could compromise the security of affected systems significantly. CISA has recognized the severity of CVE-2024-21762 by listing it in their Known Exploited Vulnerabilities catalog, indicating known instances of exploitation in the wild. This case highlights the ongoing challenges in protecting network infrastructures from sophisticated cyber threats and the importance of timely updates and security measures.
READ THE STORY: The Cyber Express // Greynoise // PoC: CVE-2024-21762 (Marketplace)
Supply Chain Attack Targets GitHub Accounts and Discord Bot Discovery Site Top.gg
Bottom Line Up Front (BLUF): A complex supply chain attack has compromised GitHub organization accounts, including that of Top.gg, a prominent Discord bot discovery site, leading to significant data theft. The attackers employed diverse tactics such as account takeovers, malicious code contributions, and the establishment of counterfeit PyPI domains to distribute trojanized software packages, demonstrating the sophisticated methods used to infiltrate and exploit software supply chains.
Analyst Comments: The use of stolen browser cookies for account takeovers, alongside the creation of a convincing typosquatting domain to distribute malicious code, underscores the need for heightened vigilance and robust security measures across the software development lifecycle. Particularly concerning is the hijacking of verified accounts to make malicious commits, which can severely undermine trust in open-source ecosystems.
FROM THE MEDIA: The recent supply chain attack, as reported by The Hacker News, involved the theft of sensitive data from individual developers and the GitHub account associated with Top.gg. Attackers utilized a typosquatted domain, "files.pypihosted[.]org," to host trojanized versions of popular packages, including colorama, which has over 150 million monthly downloads. This malicious version of colorama was disseminated through GitHub repositories, with requirements.txt files manipulated to include dependencies on the rogue packages. The compromised GitHub account "editor-syntax," a legitimate maintainer for Top.gg, was used to make malicious modifications, suggesting the attackers had access to session cookies, enabling them to bypass authentication mechanisms. The campaign, active since November 2022, has led to the publication of counterfeit packages on the PyPI repository, initiating a multi-stage infection process that steals data from web browsers, crypto wallets, and various messaging platforms. The attackers have employed file-sharing services and direct HTTP requests to exfiltrate the stolen data, including hardware identifiers and IP addresses, to their infrastructure.
READ THE STORY: THN // Checkmarx
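The Top.gg story turns on two things a defender can check mechanically: a requirements.txt that points pip at an index or archive outside PyPI, and a host name that borrows PyPI's branding (files.pypihosted[.]org versus the real files.pythonhosted.org). The auditor below, an added example that is not code from Checkmarx or from the Top.gg project, walks a requirements file and reports every index option, `name @ URL` reference or bare archive URL whose host is not one of PyPI's own. The sample file is constructed for the example; the "lookalike" heuristic (an untrusted host containing "pypi" or "python") is an assumption, not a documented pip feature.

```python
import re
from urllib.parse import urlparse

# Hosts PyPI itself serves from. Anything else supplying packages deserves review.
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
# Heuristic (assumption): an untrusted host carrying PyPI branding is a lookalike.
BRAND_WORDS = ("pypi", "python")
INDEX_OPTS = ("-i", "--index-url", "--extra-index-url", "-f", "--find-links")

# Constructed sample requirements file; line 2 and line 3 point at the lookalike host.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
--extra-index-url https://files.pypihosted.org/simple
colorama @ https://files.pypihosted.org/packages/colorama-0.4.6.tar.gz
numpy==1.26.4
https://files.pythonhosted.org/packages/example-1.0.tar.gz
"""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def classify_host(host):
    """'trusted', 'lookalike' (untrusted but PyPI-branded) or 'untrusted'."""
    if host in TRUSTED_HOSTS:
        return "trusted"
    if any(word in host for word in BRAND_WORDS):
        return "lookalike"
    return "untrusted"


def audit_requirements(text):
    """Return one finding per line that sends pip to a host outside PyPI."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        url = kind = None
        if parts[0] in INDEX_OPTS and len(parts) > 1:
            url, kind = parts[1], "index option"
        elif parts[0].startswith(("--index-url=", "--extra-index-url=", "--find-links=")):
            url, kind = parts[0].split("=", 1)[1], "index option"
        elif " @ " in line:
            url, kind = line.split(" @ ", 1)[1].strip(), "direct reference"
        elif re.match(r"^(https?|git\+https?)://", line):
            url, kind = line, "bare URL"
        if url is None:
            continue  # ordinary pinned requirement, resolved via the default index
        host = _host(url)
        verdict = classify_host(host)
        if verdict != "trusted":
            findings.append({"line": lineno, "kind": kind, "host": host,
                             "verdict": verdict, "text": line})
    return findings


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f['line']}: {f['verdict']} host {f['host']} via {f['kind']}: {f['text']}")
```

Running this in CI before `pip install -r` catches the manipulated requirements.txt the article describes; the pinned archive on the genuine host on line 5 is not reported, since host alone is the question this check answers (hash pinning is a separate control).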
Crafting Shields: Strategies for Defending Minecraft Servers Against DDoS Attacks
Bottom Line Up Front (BLUF): Minecraft, a colossal online gaming platform with over 500 million registered users and 166 million monthly players, has become a prime target for distributed denial-of-service (DDoS) attacks. These cyber assaults not only compromise the gaming experience by causing server downtime and gameplay disruptions but also pose significant financial and reputational risks to server owners and the wider Minecraft community. Recognizing the symptoms of a DDoS attack and implementing both basic and advanced protective measures are crucial steps toward safeguarding Minecraft servers and maintaining a seamless gaming environment.
Analyst Comments: The increasing frequency of DDoS attacks on Minecraft servers underscores the evolving threat landscape in online gaming. Attackers exploit vulnerabilities for various motives, ranging from competitive advantage to ransom demands. The reported attack on the Wynncraft Minecraft server in 2022, involving a 2.5 Tbps attack, highlights the scale and potential impact of such threats. Server owners and the gaming community must prioritize cybersecurity, adopting a layered defense strategy that includes both preventive measures and real-time attack mitigation solutions.
FROM THE MEDIA: DDoS attacks on Minecraft servers disrupt the gaming experience by overwhelming the server with malicious traffic, leading to issues such as login problems, latency, and, in severe cases, complete server unavailability. The Hacker News outlines key symptoms of an attack, including sudden spikes in traffic, port congestion, and unusual network slowness, which can help server administrators identify and respond to DDoS activities promptly. To combat these threats, basic protective measures such as installing antivirus software, securing SSH connections, and implementing allowlists for server access are recommended. For more robust defense, advanced solutions like Gcore DDoS Protection provide tailored, all-in-one protection against DDoS attacks, leveraging powerful infrastructure and specialized strategies to ensure uninterrupted gameplay and server stability.
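The symptoms listed above (a sudden traffic spike, congestion on the game port) can be turned into an alert rather than a hunch. The detector below is an added example, not code from Gcore, The Hacker News or any Minecraft server software: it takes a stream of (second, source IP) new-connection events, learns a per-second baseline from recent non-anomalous seconds, and flags any second whose connection count exceeds both an absolute floor and a multiple of that baseline, reporting how concentrated the sources are. The event stream and all thresholds are constructed for the example.

```python
from collections import Counter, defaultdict
from statistics import median


def detect_connection_spikes(events, baseline_secs=60, factor=5.0, floor=50):
    """events: iterable of (second, src_ip) for each new inbound connection.

    Returns one alert per second whose connection count exceeds
    max(floor, factor * rolling median). Anomalous seconds are not fed back
    into the baseline, so a sustained flood does not raise its own threshold.
    """
    per_sec = defaultdict(list)
    for sec, src in events:
        per_sec[sec].append(src)
    if not per_sec:
        return []
    history, alerts = [], []
    for sec in range(min(per_sec), max(per_sec) + 1):
        srcs = per_sec.get(sec, [])
        count = len(srcs)
        baseline = median(history[-baseline_secs:]) if history else 0
        if history and count > max(floor, factor * baseline):
            top_src, top_n = Counter(srcs).most_common(1)[0]
            alerts.append({
                "second": sec,
                "connections": count,
                "baseline": baseline,
                "distinct_sources": len(set(srcs)),
                "top_source": top_src,
                "top_source_share": round(top_n / count, 2),
            })
        else:
            history.append(count)
    return alerts


def constructed_events():
    """Two minutes of quiet traffic, then a five-second flood from 50 addresses."""
    evs = []
    for sec in range(0, 120):
        for i in range(3):  # about 3 new connections per second from a small player pool
            evs.append((sec, f"192.0.2.{(sec + i) % 20 + 1}"))
    for sec in range(120, 125):
        for i in range(400):  # 400 connections per second spread over 50 sources
            evs.append((sec, f"198.51.100.{i % 50 + 1}"))
    return evs


if __name__ == "__main__":
    for a in detect_connection_spikes(constructed_events()):
        print(f"t={a['second']}s {a['connections']} conns (baseline {a['baseline']}), "
              f"{a['distinct_sources']} sources, top share {a['top_source_share']}")
```

A low top-source share with many distinct sources, as in the constructed flood, is the distributed pattern that an allowlist alone cannot absorb; a high share from one or two addresses is the case where a per-source rate limit or firewall drop is enough. Either way the baseline, not a fixed number, is what makes the alert meaningful for servers of very different sizes.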
New Zealand Accuses China of Hacking Parliament in State-Sponsored Cyberattack
Bottom Line Up Front (BLUF): New Zealand's government has formally accused Chinese state-sponsored hackers, known as "APT40," of orchestrating a cyberattack on the country's parliament in 2021. This accusation aligns New Zealand with the United States and the United Kingdom, both of which have recently condemned China for extensive cyber espionage campaigns. New Zealand's Foreign Minister Winston Peters has labeled the interference as "unacceptable" and has raised concerns with the Chinese government, urging them to refrain from such activities in the future.
Analyst Comments: The accusations by New Zealand against China signify a growing trend of state-sponsored cyber activities targeting democratic institutions globally. The identification of "APT40" as the group behind the attack underscores the sophisticated nature of these espionage efforts and their potential implications for national security. As geopolitical tensions continue to manifest in the digital realm, the international community's collective response highlights the importance of solidarity and cooperation in addressing cyber threats.
FROM THE MEDIA: According to Reuters and Al Jazeera, New Zealand's intelligence services uncovered a cyberattack on the country's parliamentary network in 2021, which was linked to the Chinese state-sponsored actor "APT40." New Zealand's Foreign Minister, Winston Peters, stated that foreign interference of this nature is unacceptable and has communicated the country's concerns to the Chinese ambassador. The Chinese Embassy in New Zealand has rejected the accusations, calling them "groundless and irresponsible." The Government Communications Security Bureau (GCSB) of New Zealand identified the intrusion, which targeted parliamentary services and counsel office, as part of a broader pattern of cyber espionage directed at democratic institutions. Although the compromised data was not of a sensitive or strategic nature, the incident has heightened concerns about foreign interference and the security of governmental operations.
READ THE STORY: Aljazeera // Reuters
Unknowing users' smartphones co-opted into clandestine proxy networks via deceptive apps
Bottom Line Up Front (BLUF): A significant security breach was identified as various mobile applications, available on Google Play, were found to covertly integrate users’ devices into proxy networks, facilitating ad fraud and potentially other malicious activities. HUMAN Security's Satori Threat Intelligence team discovered the issue, leading to Google's removal of the implicated apps, which misused the PROXYLIB library and LumiApps SDK for clandestine activities.
Analyst Comments: The revelation of mobile applications transforming user devices into nodes of a residential proxy network without their knowledge underscores a growing cyber threat landscape where the ubiquity and necessity of mobile apps are exploited for malicious intent. The practice of enrolling unsuspecting users’ devices into proxy networks not only compromises individual privacy but also highlights a sophisticated method of perpetuating ad fraud and potentially other cybercrimes. This situation illustrates the complex challenges facing cybersecurity professionals in safeguarding digital ecosystems against novel and evolving threats.
FROM THE MEDIA: Recent research by HUMAN Security's Satori Threat Intelligence team unveiled a concerning trend where apps, including a free VPN service, enrolled devices in a proxy network used for ad fraud. The investigation revealed that the issue stemmed from the misuse of the PROXYLIB library and its newer incarnation within the LumiApps SDK, both potentially developed by the same threat actor. These tools, freely available and promoted in various online forums, allow developers to monetize apps by surreptitiously integrating users' devices into a residential proxy network. This practice was facilitated through misleading or inadequate disclosure in app descriptions and privacy policies. Furthermore, the analysis shed light on the broader market for residential proxies, often operated with minimal transparency or legal oversight, complicating efforts to trace and mitigate misuse.
READ THE STORY: HelpNetSecurity
Finland Reports "Elevated" Risk of Russian Espionage and Influence Operations
Bottom Line Up Front (BLUF): Finland's Security and Intelligence Service (Supo) has declared an "elevated" risk of Russian espionage and influence operations targeting the country, particularly in the realms of cyber environments and critical infrastructure. This assessment comes despite a perceived decrease in Russia's capabilities for human intelligence operations. The primary objective of these influence operations appears to be deterring and shaping the nature of Finland's membership in NATO, which was finalized in April of the previous year.
Analyst Comments: Finland's elevated alert on Russian espionage and influence acts underscores a complex geopolitical tension point in the Nordic region, especially following Finland's NATO accession. The focus on cyber threats and critical infrastructure as primary vulnerabilities reflects a broader global trend where state actors leverage digital means for espionage and influence, recognizing their strategic value. This situation mirrors historical patterns of regional power dynamics and espionage, yet it is distinctly modern in its methods and implications for national security and international alliances. The Finnish response, through public acknowledgment and presumably enhanced countermeasures, illustrates the nuanced balance nations must strike between sovereignty, security, and diplomatic relations in an increasingly interconnected and digitally reliant world.
FROM THE MEDIA: According to the Finnish Security and Intelligence Service's latest annual report, Finland faces heightened risks from Russian spying and influence operations. Despite a noted decrease in Russia's capacity for human intelligence activities, the cyber domain and critical national infrastructure remain particularly vulnerable. The primary aim of these operations, as outlined by Supo, is to act as a deterrent and influence the character of Finland's recent NATO membership.
READ THE STORY: Bloomberg
APT29 Phishing Campaign Targets German Political Parties with Sophisticated Malware
Bottom Line Up Front (BLUF): APT29, a cyber espionage group associated with Russia's Foreign Intelligence Service (SVR), has initiated a phishing campaign targeting German political parties. This marks a strategic shift in the group's focus, potentially aiming to influence Western political dynamics amidst ongoing tensions related to Ukraine and other geopolitical concerns. The campaign utilized a new backdoor variant, dubbed WineLoader, to infiltrate and potentially extract sensitive information from the targeted parties.
Analyst Comments: The recent activities of APT29 underscore a significant pivot in cyber espionage tactics, highlighting an increased interest in the political frameworks of Western nations, particularly those related to foreign policy and security alignments like NATO. This shift not only emphasizes the evolving landscape of cyber threats but also signals the heightened stakes of digital warfare in the geopolitical arena. The targeting of political parties by APT29 could have profound implications for the integrity of democratic processes and the security of sensitive political information.
FROM THE MEDIA: In a late February operation, APT29 employed phishing emails to deploy a new backdoor variant targeting German political parties, notably marking its first direct engagement with political entities in the West. The phishing emails, cleverly disguised as invitations to a political event, contained malicious links that deployed the WineLoader malware upon clicking. This malware, associated with APT29's previous campaigns against diplomatic missions, showcases significant overlaps with other malware families linked to the group, indicating a shared development strategy. The campaign's focus on German political parties, particularly with themes related to the Christian Democratic Union (CDU), hints at a broader strategy by the SVR to infiltrate and gather intelligence from Western political entities, possibly to influence outcomes favorable to Moscow's geopolitical interests.
READ THE STORY: DUO // Computing (UK)
Items of interest
Simple Attack on Microsoft Highlights the Need for Comprehensive Account Security
Bottom Line Up Front (BLUF): In a sophisticated cyber-attack, Russian-state hackers identified as Midnight Blizzard (or Nobelium) successfully breached Microsoft's defenses in November 2023 through a password spray attack. This breach, which lasted seven weeks and compromised a small percentage of corporate emails, underscores the critical importance of securing every user account, regardless of its activity status or perceived importance.
Analyst Comments: The Midnight Blizzard attack on Microsoft exemplifies a growing trend in cybersecurity threats where attackers exploit the simplest vulnerabilities to gain significant access. This incident, far from requiring an advanced technical maneuver or exploiting a zero-day vulnerability, capitalized on a basic but effective brute force technique known as password spraying. By accessing a single legacy non-production account, the attackers managed to exfiltrate sensitive information, highlighting the often-overlooked risk posed by inactive or less secure accounts. This breach serves as a stark reminder of the necessity for organizations to enforce robust security measures across all user accounts to prevent unauthorized access and potential data breaches. It also emphasizes the importance of continuous monitoring and regular audits to identify and mitigate risks associated with inactive accounts.
FROM THE MEDIA: In January 2024, Microsoft disclosed a breach executed by the hacker group Midnight Blizzard using a password spray attack, emphasizing the vulnerability even leading tech companies face against seemingly basic attack methods. The attackers targeted a non-production test account, leveraging weak security practices to gain initial access and subsequently compromising sensitive internal information. Despite the account's non-privileged status, the hackers escalated their access, exposing the critical need for comprehensive account security. Microsoft's response involved immediate disruption of the attackers' activities and steps to bolster security measures, highlighting the ongoing challenge of safeguarding against evolving cyber threats.
READ THE STORY: THN
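The Midnight Blizzard intrusion is a reminder that password spraying leaves a distinctive trace: one source, many different accounts, one or two failures each, instead of many failures against one account. The detector below is an added example, not Microsoft's code or any product's detection rule. It parses a constructed authentication log (the line format is an assumption for the example), finds sources that fail against at least five distinct accounts with no more than three attempts per account inside a 30-minute window, and reports whether the same source later logged in successfully, which is the legacy test-account scenario the story describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption, not any real product's format):
#   <ISO timestamp> auth=<OK|FAIL> user=<account> src=<source IP>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a spray from 203.0.113.7 that ends in a success against a
# legacy test account, a single-account brute force from 198.51.100.9, and one
# ordinary login. All addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-25T02:00:05 auth=FAIL user=alice src=203.0.113.7
2024-03-25T02:00:09 auth=FAIL user=bob src=203.0.113.7
2024-03-25T02:00:14 auth=FAIL user=carol src=203.0.113.7
2024-03-25T02:00:20 auth=FAIL user=dave src=203.0.113.7
2024-03-25T02:00:26 auth=FAIL user=erin src=203.0.113.7
2024-03-25T02:00:31 auth=OK user=legacy-test src=203.0.113.7
2024-03-25T02:01:00 auth=FAIL user=svc-build src=198.51.100.9
2024-03-25T02:01:02 auth=FAIL user=svc-build src=198.51.100.9
2024-03-25T02:01:04 auth=FAIL user=svc-build src=198.51.100.9
2024-03-25T02:01:06 auth=FAIL user=svc-build src=198.51.100.9
2024-03-25T02:01:08 auth=FAIL user=svc-build src=198.51.100.9
2024-03-25T02:01:10 auth=FAIL user=svc-build src=198.51.100.9
2024-03-25T08:15:00 auth=OK user=alice src=192.0.2.44
"""


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"].lower(), "src": m["src"]}


def detect_password_spray(lines, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Return one alert per source showing the spray pattern within `window`."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e)
    alerts = []
    for src, evs in fails.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["user"]] += 1
            # Many accounts, few tries each: the spray signature. A brute force
            # against one account fails the min_users test and is left to other rules.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                since = evs[start]["ts"]
                successes = sorted({e["user"] for e in events
                                    if e["src"] == src and e["result"] == "OK"
                                    and e["ts"] >= since})
                alerts.append({"src": src, "targeted_users": sorted(per_user),
                               "attempts": end - start + 1,
                               "later_successes": successes})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(SAMPLE_LOG.splitlines()):
        print(f"spray from {a['src']}: {a['attempts']} attempts across "
              f"{len(a['targeted_users'])} accounts; later successes: {a['later_successes']}")
```

The `later_successes` field is the part worth paging someone for: a spray that ends in a successful login from the same source is exactly the single-weak-account entry the story describes, and it is invisible to per-account lockout rules because no account ever crossed its own threshold.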
Understanding Loop DoS Attacks (Video)
FROM THE MEDIA: DDoS protection for your Minecraft server using TCPShield.
North Korea's secretive nuclear weapons program (Video)
FROM THE MEDIA: The hackers are back. In fact, the cyber criminals never went away. The Lazarus Heist Season 2 tells the story of the theft of billions of dollars around the globe. Investigators say a secretive, elite North Korean hacking ring is responsible. Nicknamed the Lazarus Group, it’s claimed they are becoming more ambitious, more audacious and more successful. North Korea says it has nothing to do with these cybercrimes, saying the United States is making these allegations to try and tarnish its image.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.