At a glance.
- Salt Typhoon uses new backdoor to target Southeast Asian telcos.
- RomCom uses two zero-days to deliver malware.
- Microsoft sustains widespread outage affecting multiple products.
- Bangkok police arrest man who allegedly spammed smishing messages from a van.
Salt Typhoon uses new backdoor to target Southeast Asian telcos.
Trend Micro has published a report on a new strain of malware used by the Chinese state-sponsored threat actor Earth Estries (also known as "Salt Typhoon") to target Southeast Asian telecommunications companies. The malware, dubbed "GHOSTSPIDER," is "a sophisticated multi-modular backdoor designed with several layers to load different modules based on specific purposes." The backdoor is used alongside the DEMODEX rootkit for long-term espionage operations.
The researchers add, "[W]e observed that attackers targeted not only critical services (like database servers and cloud servers) used by the telecommunications company, but also their vendor network. We found that they implanted the DEMODEX rootkit on vendor machines. This vendor is a primary contractor for the region’s main telecommunications provider, and we believe that attackers use this approach to facilitate access to more targets."
In addition to telecommunications companies, the group has targeted entities in the technology, consulting, chemical, and transportation sectors, as well as government agencies and NGOs. Trend Micro says the campaign compromised more than twenty organizations across Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the United States, and Vietnam. The researchers note that most of the victims had been compromised for several years.
RomCom uses two zero-days to deliver malware.
ESET warns that the RomCom threat actor exploited a critical zero-day affecting Mozilla products to install malware. The vulnerability (CVE-2024-9680) was assigned a CVSS score of 9.8, and "allows vulnerable versions of Firefox, Thunderbird, and the Tor Browser to execute code in the restricted context of the browser." RomCom chained this flaw with a Windows zero-day (CVE-2024-49039) to deliver malware via malicious web pages, with no user interaction required. Both vulnerabilities have since been patched.
RomCom is a Russia-aligned threat actor that conducts espionage alongside cybercrime operations.
Microsoft sustains widespread outage affecting multiple products.
Microsoft 365 sustained a widespread outage yesterday that affected multiple services, including Exchange, Teams, Outlook, and SharePoint, CNN reports. The outage appears to have been caused by a technical error in an update. Microsoft said yesterday afternoon, "We identified a change that caused an influx of retry requests routed through servers, impacting service availability. To address this, we implemented optimizations to enhance the infrastructure's processing capabilities. These changes have provided incremental relief, and we are closely monitoring the service to ensure stability." Most users were back online by last night, but Outlook and Teams were still experiencing some issues.
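The "influx of retry requests" Microsoft cites is a retry storm: clients that retry immediately and without limit turn a brief capacity shortfall into steadily growing load. The simulation below is an added illustration, not code from the original report or from Microsoft, and its capacity, client count and tick length are constructed figures; it contrasts naive immediate retries with exponential backoff plus jitter and a retry budget.

```python
import random
from collections import defaultdict

CAPACITY = 100   # requests the backend can serve per tick (constructed figure)
CLIENTS = 150    # clients each sending one new request per tick (constructed)
TICKS = 20       # length of the simulated degradation, in ticks


def simulate(policy, seed=1):
    """Run one degradation episode under a client retry policy.

    policy(attempt, rng) returns the delay in ticks before the next retry,
    or None to give up. Returns (total offered load, total failures, peak load).
    """
    rng = random.Random(seed)
    pending = defaultdict(list)            # tick -> attempt numbers arriving then
    for t in range(TICKS):
        pending[t].extend([0] * CLIENTS)   # fresh requests, attempt 0
    offered = failures = peak = 0
    for t in range(TICKS):
        arrivals = pending.pop(t, [])
        rng.shuffle(arrivals)              # backend does not favour fresh over retried
        offered += len(arrivals)
        peak = max(peak, len(arrivals))
        for attempt in arrivals[CAPACITY:]:   # everything over capacity fails
            failures += 1
            delay = policy(attempt + 1, rng)
            if delay is not None:
                pending[t + delay].append(attempt + 1)
    return offered, failures, peak


def immediate_retry(attempt, rng):
    """Naive client: retry on the next tick, with no budget."""
    return 1


def backoff_with_jitter(attempt, rng, base=1, cap=8, max_attempts=3):
    """Exponential backoff with full jitter and a retry budget of three."""
    if attempt > max_attempts:
        return None
    return rng.randint(1, min(cap, base * 2 ** attempt))


if __name__ == "__main__":
    for name, policy in [("immediate", immediate_retry), ("backoff", backoff_with_jitter)]:
        offered, failed, peak = simulate(policy)
        print(f"{name:10s} offered={offered:6d} failed={failed:6d} peak/tick={peak}")
```

Under immediate retries the offered load grows by the unserved surplus every tick, so the backend never recovers; the budgeted backoff caps each request at four attempts and spreads them out, which is the shape of the mitigation Microsoft describes.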
Bangkok police arrest man who allegedly spammed smishing messages from a van.
Police in Thailand have arrested a Chinese national who allegedly drove a van around Bangkok and used an SMS blaster device to send over 100,000 smishing messages per hour to people in the area, BleepingComputer reports. The smishing messages impersonated Thailand's largest mobile phone operator, Advanced Info Service (AIS), telling recipients to visit a website designed to steal their credit card information. AIS assisted the police in locating the vehicle containing the SMS blaster. The Bangkok Post says the back of the van was fitted with a false base station, a mobile power source, a Wi-Fi router, and several smartphones.