Israel Targeted With Cyberattacks! 🪝

Jul 03 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that never takes a day off because cybercrime doesn’t take a day off 😀💪😑 Also, last night’s game got us nervous; we know Austrian disappointment can lead to… 💀 #EURO2024

Today’s hottest cybersecurity news stories:

  • 🎯 Israel struck by cyberattack using Donut, Sliver frameworks 🍩

  • 🚪 Xctdoor malware spreads via S. Korean ERP vendor server hack 👨🏻‍💻

  • 🕵 Chinese whispers! Cisco stops Chinese zero-day spies w/ patch 🩹

Whatever you do, Donut click the link 😏

🚨 Israel Targeted With Cyberattacks! 🪝

Cybersecurity researchers have uncovered a new attack campaign targeting various Israeli entities using public frameworks like Donut and Sliver. Here's a quick breakdown:

🎯 Highly Targeted Attack

The campaign focuses on Israeli entities across different sectors. Rather than bespoke malware, it relies on publicly available tooling: Donut, a shellcode generator, and Sliver, an open-source command-and-control framework.

πŸ•΅οΈβ€β™‚οΈ Supposed Grasshopper

Discovered by the French company HarfangLab, this campaign uses target-specific infrastructure and custom WordPress sites for payload delivery. The initial downloader, written in Nim, fetches malware from a server (auth.economy-gov-il[.]com/SUPPOSED_GRASSHOPPER.bin).

πŸ› οΈ Malware Delivery

In the first stage, a basic downloader fetches second-stage malware via virtual hard disk (VHD) files from custom WordPress sites. In the second stage, the Donut framework delivers Sliver, an open-source Cobalt Strike alternative.

🤔 Unknown Motives

Researchers suggest the campaign might be a legitimate penetration testing operation, raising transparency issues.

πŸ” Related Discovery

SonicWall Capture Labs found an infection chain using Excel files to drop the Orcinius trojan. This multi-stage trojan uses Dropbox and Google Docs, hooks into Windows to monitor activity, and creates persistence via registry keys.

Stay vigilant! 🛡️

Korea criminals rise again like Lazarus 💀

🚨 ERP Server Compromised! ⚠️

A South Korean ERP vendor's product update server was found compromised, delivering a Go-based backdoor dubbed Xctdoor. Here's the scoop:

👥 Unidentified Attackers

The AhnLab Security Intelligence Center (ASEC) identified this attack in May 2024. While no specific threat actor has been named, the tactics resemble those of Andariel, a sub-group within the notorious Lazarus Group.

📅 Malicious Similarities

This incident mirrors a 2017 attack where the Lazarus Group used ERP solutions to spread malware. In the latest attack, the executable was tampered with to run a DLL file via regsvr32.exe instead of launching a downloader.

πŸ› οΈ Xctdoor Capabilities

Xctdoor steals system information, including keystrokes, screenshots, and clipboard content, and executes commands from the threat actor. It talks to its command-and-control server over HTTP. The "packet encryption" is a keystream derived from the Mersenne Twister PRNG (MT19937), followed by Base64 encoding. Neither is a cipher: MT19937 is a fully predictable generator and Base64 is plain encoding, so once an analyst recovers the seed every captured packet can be decoded offline. Read it as obfuscation meant to defeat casual inspection, not as confidentiality.
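To make the point concrete, here is a constructed example of that scheme, an MT19937 keystream XORed over a packet and then Base64-encoded, together with the known-plaintext seed recovery an analyst would run against it. This is added illustration, not Xctdoor's code: the sample's real seeding, packet layout and header are not described on this page, so the header bytes, the seed size and the beacon contents below are assumptions. It uses Python's `random` module, which is MT19937 underneath but seeds with init_by_array() rather than the reference init_genrand(), so anyone reproducing a real sample's keystream must reimplement that sample's own seeding routine.

```python
import base64
import random
from typing import Optional

# Constructed example of "MT19937 + Base64" packet obfuscation. NOT Xctdoor's
# code: its actual seeding, header and packet layout are not published here.


def mt_keystream(seed: int, length: int) -> bytes:
    """Derive a byte keystream from MT19937 seeded with `seed`.

    Python's random.Random is MT19937 but seeds via init_by_array(); a real
    sample that calls init_genrand() produces a different stream for the
    same seed, so match the sample's seeding when reimplementing.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def encode_packet(seed: int, plaintext: bytes) -> str:
    """'Encrypt' a C2 packet: XOR with the keystream, then Base64."""
    ks = mt_keystream(seed, len(plaintext))
    return base64.b64encode(xor_bytes(plaintext, ks)).decode("ascii")


def decode_packet(seed: int, packet: str) -> bytes:
    """Reverse encode_packet(); XOR is its own inverse."""
    raw = base64.b64decode(packet)
    return xor_bytes(raw, mt_keystream(seed, len(raw)))


def recover_seed(packet: str, known_prefix: bytes, max_seed: int) -> Optional[int]:
    """Known-plaintext seed recovery.

    If the seed space is small (a 16-bit constant, a timestamp, a hard-coded
    value) and the first bytes of a packet are predictable (a magic header,
    a hostname), brute-forcing the seed is cheap. The recovered seed then
    decodes every packet in the capture.
    """
    raw = base64.b64decode(packet)[: len(known_prefix)]
    for seed in range(max_seed):
        if xor_bytes(raw, mt_keystream(seed, len(raw))) == known_prefix:
            return seed
    return None


# Assumed, constructed sample traffic: an 8-byte magic header then a fake beacon.
HEADER = b"XCT1BCON"
SAMPLE_SEED = 0xBEEF  # assumed small seed; real samples may differ entirely

if __name__ == "__main__":
    beacon = HEADER + b"host=WIN-ERP01;user=svc_erp;cmd=idle"
    packet = encode_packet(SAMPLE_SEED, beacon)
    print("wire:", packet)
    found = recover_seed(packet, HEADER, 1 << 16)
    print("recovered seed:", hex(found))
    print("plaintext:", decode_packet(found, packet))
```

The brute force here walks a 16-bit space in well under a second; the lesson is that a PRNG keystream with a recoverable seed is no stronger than the seed, and Base64 adds nothing at all.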

🚛 XcLoader Involvement

XcLoader, another malware used in this attack, injects Xctdoor into legitimate processes like "explorer.exe." Since March 2024, poorly secured web servers have been compromised to install XcLoader.

🌏 North Korean Connection

A similar attack involved Kimsuky, a North Korea-linked threat actor, using a backdoor called HappyDoor since July 2021. Attack chains start with spear-phishing emails containing obfuscated JavaScript or droppers that deploy HappyDoor alongside decoy files.

🌐 Broader Campaigns

Another massive campaign by the Konni cyber espionage group targeted South Korea, using phishing lures mimicking the national tax service to distribute malware that steals sensitive information.

Stay vigilant! 🛡️

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That’s us, alright! How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butcher's at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻🌍

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.ai 📰🍊🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉

Cisco catches, hatches, and patches 🩹

🚨 Cisco Patches NX-OS Zero-Day! 🩹

Cisco has patched a medium-severity zero-day vulnerability in the NX-OS software, exploited by China-linked cyberespionage group Velvet Ant. Here's the scoop:

💉 Command Injection Flaw

The vulnerability, tracked as CVE-2024-20399 (CVSS score of 6), affects the command line interface of NX-OS. It allows a local attacker to execute arbitrary commands with root privileges due to insufficient validation of arguments in configuration CLI commands.
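The bug class, insufficient validation of a CLI argument that ends up interpreted by a shell, is worth seeing next to its fix. The following is an added, constructed illustration of that pattern in Python; it is not Cisco's code and not the actual NX-OS defect, and the `echo` helper standing in for a privileged command, the hostname argument and the allow-list regex are all assumptions made for the example.

```python
import re
import subprocess

# Constructed illustration of the bug class: a user-controlled CLI argument
# spliced into a shell command line, beside the hardened form. Not Cisco's
# code and not the real NX-OS flaw; `echo` stands in for a privileged helper.

# Allow-list for the one argument this command accepts (assumed policy).
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def run_unsafe(host: str) -> str:
    """Vulnerable pattern: the argument is interpolated into a shell string,
    so ';', '|', '$(...)' and friends become additional commands that run
    with whatever privilege the helper has."""
    cmd = f"echo resolving {host}"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def validate_host(host: str) -> bool:
    """Strict allow-list check; anything outside it is rejected outright."""
    return HOST_RE.fullmatch(host) is not None


def run_safe(host: str) -> str:
    """Hardened pattern: validate against the allow-list, then pass an argv
    list so no shell ever parses the value."""
    if not validate_host(host):
        raise ValueError(f"rejected argument: {host!r}")
    return subprocess.run(["echo", "resolving", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "example.com; echo injected"   # constructed malicious argument
    print(run_unsafe(payload), end="")        # second command executes
    try:
        run_safe(payload)
    except ValueError as e:
        print("blocked:", e)
    print(run_safe("example.com"), end="")
```

Both halves matter: the argv form removes the shell from the path, and the allow-list stops a valid-looking argument from being abused by whatever the helper itself does with it.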

πŸ› οΈ Exploitation Details

To exploit this flaw, an attacker must be authenticated as an administrator on a vulnerable device. Cisco's Product Security Incident Response Team (PSIRT) became aware of attempted exploitation in April 2024. The vulnerability impacts several Cisco products, including the MDS 9000, Nexus 3000, 5500, 5600, 6000, 7000, and 9000 series switches. Cisco has released firmware updates for all affected devices.

🐜 Velvet Ant's Tactics

The vulnerability was discovered by cybersecurity firm Sygnia, which observed Velvet Ant using it in a cyberespionage campaign. Velvet Ant maintained network access by compromising internet-exposed legacy F5 BIG-IP appliances and using multiple tools for command-and-control communication.

💥 Detailed Exploitation

Velvet Ant used outdated F5 BIG-IP equipment as internal C&C servers to stay undetected, maintaining multiple footholds and extracting private data, including financial and customer information. They exploited the Cisco NX-OS bug to deploy unknown malware, connect remotely, upload files, and execute additional code.

πŸ” Mitigation and Security

Sygnia emphasises that exploiting CVE-2024-20399 requires network access and administrator credentials, making initial network access essential for exploitation. This inherent difficulty reduces the overall risk but highlights the importance of securing network appliances. Updating affected devices is the primary mitigation strategy. Where updates aren't available, adopting security best practices is crucial to prevent access.

Stay vigilant! πŸ›‘οΈ

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ

Let us know what you think.

So long and thanks for reading all the phish!
