At a glance.
- Mustang Panda targets European diplomatic entities.
- China's APT41 breaches US state governments.
- Vulnerabilities affecting medical infusion pumps.
- TCP middlebox reflection.
Mustang Panda targets European diplomatic entities.
Proofpoint says the China-linked threat actor TA416 (also known as "Mustang Panda" and "RedDelta") is conducting email reconnaissance campaigns against European diplomatic entities. The threat actor is using tracking pixels in benign emails to identify potential targets for future spearphishing attacks:
"Since 2020, Proofpoint researchers have observed TA416, an actor assessed to be aligned with the Chinese state, utilizing web bugs to profile their targets. Commonly referred to as tracking pixels, web bugs embed a hyperlinked non-visible object within the body of an email that, when enabled, will attempt to retrieve a benign image file from an actor-controlled server. This provides a 'sign of life' to threat actors and indicates that the targeted account is valid with the user being inclined to open emails that utilize social engineering content. TA416 has been using web bugs to target victims prior to delivering malicious URLs that have installed a variety of PlugX malware payloads. The operational tempo of these campaigns, specifically those against European governments, has increased sharply since Russian troops began amassing on the border of Ukraine."
"The use of the web bug reconnaissance technique suggests TA416 is being more discerning about which targets the group chooses to deliver malware payloads. Historically, the group primarily delivered web bug URLs alongside malware URLs to confirm receipt. In 2022, the group started to first profile users and then deliver malware URLs. This may be an attempt by TA416 to avoid having their malicious tools discovered and publicly disclosed. By narrowing the lens of targeting from broad phishing campaigns to focus on targets that have proven to be active and willing to open emails, TA416 increases its chance of success when following up with malicious malware payloads."
Google's Threat Analysis Group (TAG) has observed similar activity, stating, "Mustang Panda or Temp.Hex, a China-based threat actor, targeted European entities with lures related to the Ukrainian invasion. TAG identified malicious attachments with file names such as 'Situation at the EU borders with Ukraine.zip'. Contained within the zip file is an executable of the same name that is a basic downloader and when executed, downloads several additional files that load the final payload. To mitigate harm, TAG alerted relevant authorities of its findings. Targeting of European organizations has represented a shift from Mustang Panda’s regularly observed Southeast Asian targets."
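The web bug technique Proofpoint describes can be spotted on the receiving side by looking for remote, non-visible images in an email body. The following is an added example, not code from Proofpoint or from the original digest; the message, host names and the `find_web_bugs` helper are all constructed for illustration, and a mail gateway would normally pair such a check with a policy of not loading remote images by default.

```python
# Added example (not Proofpoint's or the digest's code): flag web bugs in an email.
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.imgs = []  # one dict of attributes per <img> tag seen
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})

def _tiny(value):
    """True for a 0px/1px width or height as written in an HTML attribute."""
    return value.strip().lower().rstrip("px") in ("0", "1")

def find_web_bugs(raw_message):
    """Return (host, url) pairs for remote images that look like tracking pixels."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _ImgCollector()
    parser.feed(body.get_content())
    findings = []
    for img in parser.imgs:
        src = img.get("src", "")
        host = urlparse(src).netloc
        if not host:  # cid:/data: images are embedded and cannot beacon out
            continue
        style = img.get("style", "").replace(" ", "").lower()
        hidden = ((_tiny(img.get("width", "")) and _tiny(img.get("height", "")))
                  or "display:none" in style or "visibility:hidden" in style)
        if hidden:
            findings.append((host, src))
    return findings

# Constructed sample: a visible logo, a 1x1 remote beacon, and an inline image.
SAMPLE = b"""Subject: Meeting notes
Content-Type: text/html; charset="utf-8"

<html><body><p>Notes attached.</p>
<img src="https://www.example.invalid/logo.png" width="200" height="60">
<img src="https://beacon.example.invalid/i.gif?id=abc123" width="1" height="1">
<img src="cid:inline-chart"></body></html>
"""

if __name__ == "__main__":
    print(find_web_bugs(SAMPLE))  # host of each pixel that would get a "sign of life"
```

Only the 1x1 remote image is reported; the visible logo and the `cid:` inline image are ignored, since neither one gives an external server a confirmation that the mailbox is live.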
China's APT41 breaches US state governments.
Researchers at Mandiant say that the Chinese state-sponsored actor APT41 breached six US state government networks between May 2021 and February 2022. The threat actor gained access via "vulnerable Internet facing web applications, including using a zero-day vulnerability in the USAHerds application (CVE-2021-44207) as well as the now infamous zero-day in Log4j (CVE-2021-44228)":
"Although APT41 has historically performed mass scanning and exploitation of vulnerabilities, our investigations into APT41 activity between May 2021 and February 2022 uncovered evidence of a deliberate campaign targeting U.S. state governments. During this timeframe, APT41 successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications, often written in ASP.NET. In most of the web application compromises, APT41 conducted .NET deserialization attacks; however, we have also observed APT41 exploiting SQL injection and directory traversal vulnerabilities."
The researchers add, "The goals of this campaign are currently unknown, though Mandiant has observed evidence of APT41 exfiltrating Personal Identifiable Information (PII). Although the victimology and targeting of PII data is consistent with an espionage operation, Mandiant cannot make a definitive assessment at this time given APT41’s history of moonlighting for personal financial gain."
Vulnerabilities affecting medical infusion pumps.
Palo Alto Networks' Unit 42 has published a report on vulnerabilities affecting medical infusion pumps, analyzing more than 200,000 pumps from seven different vendors. The researchers identified "over 40 different vulnerabilities and over 70 different security alerts among the devices, with one or more affecting 75% of the infusion pump devices we analyzed." More than half (52%) of the vulnerable pumps were affected by CVE-2019-12255, a buffer overflow vulnerability with a severity score of 9.8.
TCP middlebox reflection.
Akamai researchers have recently observed DDoS attacks using a new technique called "TCP Middlebox Reflection" to amplify the amount of traffic they can send. The researchers explain that "[t]his type of attack dangerously lowers the bar for DDoS attacks, as the attacker needs as little as 1/75th (in some cases) the amount of bandwidth from a volumetric standpoint." This technique was first discovered last year by researchers at the University of Maryland and the University of Colorado Boulder.