Jul 03 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that never takes a day off because cybercrime doesn't take a day off. Also, last night's game got us nervous; we Austrian disappointment can lead to… #EURO2024
Today's hottest cybersecurity news stories:
Israel struck by cyberattack using Donut, Sliver frameworks
Xctdoor malware spreads via S. Korean ERP vendor server hack
Chinese whispers! Cisco stops Chinese zero-day spies w/ patch
Cybersecurity researchers have uncovered a new attack campaign targeting various Israeli entities using public frameworks like Donut and Sliver. Here's a quick breakdown:
Highly Targeted Attack
The campaign focuses on Israeli entities across different sectors. It uses open-source malware such as Donut and Sliver.
Supposed Grasshopper
Discovered by the French company HarfangLab, this campaign uses target-specific infrastructure and custom WordPress sites for payload delivery. The initial downloader, written in Nim, fetches malware from a server (auth.economy-gov-il[.]com/SUPPOSED_GRASSHOPPER.bin).
Malware Delivery
In the first stage, a basic downloader fetches second-stage malware via virtual hard disk (VHD) files from custom WordPress sites. In the second stage, the Donut framework delivers Sliver, an open-source Cobalt Strike alternative.
Unknown Motives
Researchers suggest the campaign might be a legitimate penetration testing operation, raising transparency issues.
Related Discovery
SonicWall Capture Labs found an infection chain using Excel files to drop the Orcinius trojan. This multi-stage trojan uses Dropbox and Google Docs, hooks into Windows to monitor activity, and creates persistence via registry keys.
Stay vigilant!
A South Korean ERP vendor's product update server was found compromised, delivering a Go-based backdoor dubbed Xctdoor. Here's the scoop:
Unidentified Attackers
The AhnLab Security Intelligence Center (ASEC) identified this attack in May 2024. While no specific threat actor has been named, the tactics resemble those of Andariel, a sub-group within the notorious Lazarus Group.
Malicious Similarities
This incident mirrors a 2017 attack where the Lazarus Group used ERP solutions to spread malware. In the latest attack, the executable was tampered with to run a DLL file via regsvr32.exe instead of launching a downloader.
Xctdoor Capabilities
Xctdoor steals system information, including keystrokes, screenshots, and clipboard content, and executes commands from the threat actor. It communicates with a command-and-control server using HTTP, with packet encryption via the Mersenne Twister (MT19937) and Base64 algorithms.
XcLoader Involvement
XcLoader, another malware used in this attack, injects Xctdoor into legitimate processes like "explorer.exe." Since March 2024, poorly secured web servers have been compromised to install XcLoader.
North Korean Connection
A similar attack involved Kimsuky, a North Korea-linked threat actor, using a backdoor called HappyDoor since July 2021. Attack chains start with spear-phishing emails containing obfuscated JavaScript or droppers that deploy HappyDoor alongside decoy files.
Broader Campaigns
Another massive campaign by the Konni cyber espionage group targeted South Korea, using phishing lures mimicking the national tax service to distribute malware that steals sensitive information.
Stay vigilant!
Stay ahead of the curve with Presspool.ai! Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." That's us, alright! How about you? Visionary AI executive, much?
And if the newsletter gets your motor running then you can take a butcher's at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business.
Rest assured, the process is very straightforward.
You simply:
Sign Up & Create Campaign
Define your audience, budget, and message to captivate your audience.
Launch your campaign, as Presspool's AI matches it with ideal newsletter audiences for optimal reach and conversions.
Finally, you leverage real-time analytics to track performance and refine future strategies. Elevate your marketing game and stay informed with Presspool.ai! Simples!
Presspool.ai may just have what you need to succeed. And if the product isn't for you, the newsletter alone is a gamechanger. And we know newsletters.
Cisco has patched a medium-severity zero-day vulnerability in the NX-OS software, exploited by China-linked cyberespionage group Velvet Ant. Here's the scoop:
Command Injection Flaw
The vulnerability, tracked as CVE-2024-20399 (CVSS score of 6), affects the command line interface of NX-OS. It allows a local attacker to execute arbitrary commands with root privileges due to insufficient validation of arguments in configuration CLI commands.
Exploitation Details
To exploit this flaw, an attacker must be authenticated as an administrator on a vulnerable device. Cisco's Product Security Incident Response Team (PSIRT) became aware of attempted exploitation in April 2024. The vulnerability impacts several Cisco products, including the MDS 9000, Nexus 3000, 5500, 5600, 6000, 7000, and 9000 series switches. Cisco has released firmware updates for all affected devices.
Velvet Ant's Tactics
The vulnerability was discovered by cybersecurity firm Sygnia, which observed Velvet Ant using it in a cyberespionage campaign. Velvet Ant maintained network access by compromising internet-exposed legacy F5 BIG-IP appliances and using multiple tools for command-and-control communication.
Detailed Exploitation
Velvet Ant used outdated F5 BIG-IP equipment as internal C&C servers to stay undetected, maintaining multiple footholds and extracting private data, including financial and customer information. They exploited the Cisco NX-OS bug to deploy unknown malware, connect remotely, upload files, and execute additional code.
Mitigation and Security
Sygnia emphasises that exploiting CVE-2024-20399 requires network access and administrator credentials, making initial network access essential for exploitation. This inherent difficulty reduces the overall risk but highlights the importance of securing network appliances. Updating affected devices is the primary mitigation strategy. Where updates aren't available, adopting security best practices is crucial to prevent access.
Stay vigilant!
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday.
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future.
Let us know what you think.
So long and thanks for reading all the phish!