Check Point highlights the persistent threat of malicious Word/Excel Documents (maldocs):
Old Vulnerabilities Still Pose Risks: Despite being several years old, CVEs from 2017 and 2018 in Microsoft Word and Excel remain active threats in the cybersecurity landscape. Examples include CVE-2017-11882, CVE-2017-0199, and CVE-2018-0802.
Widespread Use by Cybercriminals: These vulnerabilities are exploited by well-known malware such as GuLoader, Agent Tesla, Formbook, and others. APT groups also got on the list, with Gamaredon APT being a notable example. They target lucrative sectors like finance, government, and healthcare, indicating a strategic approach by attackers.
Challenges in Detection: Despite their age, these MalDocs can evade detection due to their sophisticated construction and the use of various tricks to bypass security measures.
The Record: Chinese state-sponsored hackers broke into an internal computer network used by the Dutch Ministry of Defence last year, according to the Netherlands. Both the country’s military (MIVD) and civilian (AIVD) security services said the ministry had been hacked for espionage purposes after the threat actor exploited a vulnerability in FortiGate devices.
🔗 https://therecord.media/dutch-find-chinese-hackers-networks-fortinet
Cloudflare blog on Thanksgiving 2023 security incident:
"Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network."
The Record: Hackers working for Russia’s intelligence services (Star Blizzard is attributed to FSB Center 18) are impersonating researchers and academics in an ongoing campaign to gain access to their colleagues’ email accounts, according to messages and files seen by Recorded Future News and independently analyzed by two cybersecurity companies.
🔗 https://therecord.media/russian-campaign-impersonating-western-researchers-academics
Ukraine's CERT-UA provides IOC and technical instructions for removing DIRTYMOE malware, which has worm-like capabilities and creates a DDoS botnet. The DIRTYMOE/Purple Fox infection of 2000+ affected computers and activity is tracked by the identifier UAC-0027.
🔗https://cert.gov.ua/article/6277422
🕵️♂️ #Russian state-backed #APT29 hacker group breached HP Enterprise's cloud emails, stealing confidential data from cybersecurity and key departments.
Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files. In a handful of cases, Microsoft observed new post-intrusion tradecraft including the use of a new, custom backdoor called MediaPl.
🔗 https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
BlackBerry reported on a new commercial cyberespionage group called AeroBlade specifically targeting the U.S. Aerospace industry. With network infrastructure and weaponization that became operational in September 2022 and an offensive phase that began July 2023, this threat actor has improved their toolset for successful data exfiltration. IOC provided.
🔗 https://blogs.blackberry.com/en/2023/11/aeroblade-on-the-hunt-targeting-us-aerospace-industry
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #46/2023 is out! It includes the following and much more:
➝ 🔓 🇯🇵 #Toyota confirms breach after Medusa #ransomware threatens to leak data
➝ 🇺🇸 😂 Ransomware gang files #SEC complaint over victim’s undisclosed #breach
➝ 🔓 🪶 Attackers claim Plume Design, Inc data breach
➝ 🇺🇸 💰 #ICBC paid ransom after hack that disrupted markets, #cybercriminals say
➝ 🔓 #Dragos Says No Evidence of Breach After Ransomware Gang Claims Hack via Third Party
➝ 🔓 ✈️ Hackers swipe Booking.com, damage from attack is global
➝ 🇷🇺 🇺🇦 Russian #CyberEspionage Group Deploys #LitterDrifter USB #Worm in Targeted Attacks
➝ 🇮🇱 🇺🇸 Israeli Man Who Made $5M From Hacking Scheme Sentenced to Prison in US
➝ 🇫🇮 ⚖️ Alleged Extortioner of Psychotherapy Patients Faces Trial
➝ 🇺🇸 💸 #LockBit ransomware exploits #CitrixBleed in attacks, 10K servers exposed
➝ 🇺🇸 ⚖️ #IPStorm botnet with 23,000 proxies for malicious traffic dismantled
➝ 👶🏻 🧨 Teens with “digital bazookas” are winning the ransomware war, researcher laments
➝ 💸 #Ethereum feature abused to steal $60 million from 99K victims
➝ 🇩🇰 🇷🇺 #Denmark Hit With Largest #Cyberattack on Record
➝ 🇨🇳 🇰🇭 Chinese Hackers Launch Covert #Espionage Attacks on 24 Cambodian Organizations
➝ 🇲🇾 Major Phishing-as-a-Service Syndicate '#BulletProofLink' Dismantled by Malaysian Authorities
➝ 🇪🇺 🥳 EU Parliament committee rejects mass scanning of private and encrypted communications
➝ 🩹 #ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric
➝ 🦠 🐍 27 Malicious #PyPI Packages with Thousands of Downloads Found Targeting IT Experts
🇻🇳 🇮🇳 Vietnamese Hackers Using New #Delphi-Powered #Malware to Target Indian Marketers
➝ 🔐 #Google Adds #Passkey Support to New Titan Security Key
➝ 🐛 Zero-Day Flaw in #Zimbra Email Software Exploited by Four Hacker Groups
➝ 🩹 #SAP Patches Critical Vulnerability in Business One Product
➝ 🐛 New #Reptar CPU flaw impacts Intel desktop and server systems
➝ 🐛 New #CacheWarp AMD #CPU attack lets hackers gain root in Linux VMs
📚 This week's recommended reading is: "Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World" by @marcusjcarey and Jennifer Jin
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
Censys assesses that Russian company Raccoon Security is a brand of NTC Vulkan, an IT company contracted by Russian intelligence to create offensive cyber tools. NTC Vulkan documents were leaked, and they detail project requirements contracted with the Russian Ministry of Defense, including in at least one instance for GRU Unit 74455, also known as Sandworm Team, according to Mandiant. Censys assesses with high confidence that the NTC Vulkan hosts, certificates, and domains identified in this report belong to the same NTC Vulkan, and that Raccoon Security, and its related domains, host, and certificates belong to the Moscow-based cybersecurity development brand of the same name. Links:https://censys.com/discovery-of-ntc-vulkan-infrastructure/ and see semi-related Mandiant article.
Denmark's CERT (SektorCERT) reported that 22 companies that operate parts of Danish energy infrastructure were compromised in a May 2023 coordinated attack, linked to SANDWORM actors. Sandworm is a state-sponsored APT publicly attributed to Russian General Staff Main Intelligence Directorate’s Russian (GRU’s) Main Centre for Special Technologies (GTsST) by the U.S. government. The attackers leveraged a Zyxel vulnerability CVE-2023-28771 (9.8 critical) to gain control of the firewall. SektorCERT's incident response report includes a detailed analysis and timeline of the attack, recommendations and IOC. Link:https://media.licdn.com/dms/document/media/D4D1FAQG-Qsry8BH9dg/feedshare-document-pdf-analyzed/0/1699785104486?e=1700697600&v=beta&t=icNMQ-rDYgeSojoaax-1KpC7YrCF7MVtkrDClSFiKIY
The Australian Cyber Security Centre (ACSC) Australian Signals Directorate (ASD) released the ASD Cyber Threat Report 2022-2023. Their executive summary notes that Australian networks were regularly targeted by both opportunistic and more deliberate malicious cyber activity.
State actors focused on critical infrastructure, data theft, and disruption of business. Notably "The AUKUS partnership, with its focus on nuclear submarines and other advanced military capabilities, is likely a target for state actors looking to steal intellectual property for their own military programs." They call out China and Russia specifically.
Australian critical infrastructure was targeted via increasingly interconnected systems.
Cybercriminals continued to adapt tactics to extract maximum payment from victims.
Data breaches impacted many Australians.
1 in 5 critical vulnerabilities was exploited within 48 hours.
Recorded Future: Chinese state-sponsored cyber operations have evolved into a more mature and coordinated threat, focusing on exploiting both known and zero-day vulnerabilities in public-facing security and network appliances. Their cyber operations focus on targets that align with China's military, political, economic, and domestic security priorities. No IOCs. Link:https://www.recordedfuture.com/charting-chinas-climb-leading-global-cyber-power
Unit 42 reported on the Kazuar .NET backdoor used by Turla (attributed to Russia's Federal Security Service (FSB)) as a second stage payload. Unit 42 provides a technical analysis of Kazuar, including metadata, configuration, infrastructure and C2 communication. Also noteworthy are its anti-analysis features, system profiling capabilities, and specific targeting of cloud apps. IOC provided. Link:https://unit42.paloaltonetworks.com/pensive-ursa-uses-upgraded-kazuar-backdoor/
CISA adds CVE-2023-5631 (Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability, CVSS 5.4 medium severity, disclosed by ESET as an exploited zero-day by APT Winter Vivern) to the Known Exploited Vulnerabilities Catalog.
Kaspersky elaborates on Operation Triangulation in which domestic subscribers, diplomatic missions, and embassies were targeted with Apple iOS zero-days (Russia’s FSB accused the USA for Operation Triangulation). The threat actors introduced two validators in the infection chain in order to ensure that the exploits and the implant do not get delivered to security researchers. Additionally, microphone recording could be tuned in such a way that it stopped when the screen was being used. They used private undocumented APIs in the course of the attack, indicating a great understanding of iOS internals. They additionally implemented in some modules support for iOS versions prior to 8.0, suggesting access for years. Link:https://securelist.com/triangulation-validators-modules/110847/
Trellix: Threat actors, including APTs, are abusing the Discord application for payload delivery, information stealing and data exfiltration. Trellix identified several malware families leveraging Discord's capabilities to conduct their operations, uncovering when they started abusing them. IOC provided. Link:https://www.trellix.com/en-us/about/newsroom/stories/research/discord-i-want-to-play-a-game.html
Cluster25: low-medium confidence that Russian state-sponsored APT28 Fancy Bear attributed to CVE-2023-38831 exploitation as part of a phishing campaign designed to harvest credentials from compromised systems. CVE2-2023-38831 is a 7.8 high severity vulnerability in WinRAR that was exploited as a Zero-Day by cybercriminals, and disclosed by Group-IB on 23 August 2023. Link:https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack
**Symantec:**new APT Grayling targets Taiwanese organizations in manufacturing, IT, and biomedical... as well as Pacific Island government org, Vietnam and U.S. orgs. Activity from February to May 2023. They exploit public facing applications, use DLL side-loading, and load custom malware and multiple publicly available tools. IOC provided. Link:https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks