At a glance.
- Cyberespionage campaign by Earth Estries.
- China's GREF deploys tools used against Uyghurs in broader espionage.
- New malware exploits OpenFire vulnerability.
- VMConnect supply chain attack connected to DPRK.
- DB#JAMMER brute-forces exposed MSSQL databases.
- New ransomware threat.
- Spring-Kafka zero-day discovered.
- “Prolific” threat actor targets the crypto sector.
- Adversary-in-the-middle attacks.
Cyberespionage campaign by Earth Estries.
Trend Micro describes a cyberespionage campaign by a cybercriminal group the researchers call “Earth Estries.” The threat actor is targeting “organizations in the government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US.” Trend Micro states, “[W]e believe the threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyberespionage and illicit activities.”
The researchers refrain from making any attributions, but they note that there are some overlaps between Earth Estries and the China-linked FamousSparrow APT.
China's GREF deploys tools used against Uyghurs in broader espionage.
ESET says the China-linked threat actor “GREF” is distributing the BadBazaar Android malware via Trojanized versions of Telegram and Signal in the Google Play store and the Samsung Galaxy Store. Both stores have since removed the malicious apps. ESET notes that BadBazaar has been used in the past to target Uyghurs and other Turkic ethnic minorities. In this case, the malicious Telegram app, called “FlyGram,” was shared in a Uyghur Telegram group.
The researchers add that the malicious Signal app, called “Signal Plus Messenger,” “represents the first documented case of spying on a victim’s Signal communications by secretly autolinking the compromised device to the attacker’s Signal device.”
New malware exploits OpenFire vulnerability.
Researchers at Aqua have discovered a new malware campaign exploiting an Openfire vulnerability (CVE-2023-32315) that was disclosed in May 2023. The attackers are using the vulnerability to deliver the Kinsing malware, as well as a cryptominer: “This vulnerability leads to a path traversal attack, which grants an unauthenticated user access to the Openfire setup environment. This then allows the threat actor to create a new admin user and upload malicious plugins.”
The researchers note that there are still 984 vulnerable OpenFire servers connected to the internet, most of which are located in the US, China, and Brazil.
VMConnect supply chain attack connected to DPRK.
ReversingLabs continues to track “VMConnect,” a supply chain attack involving malicious packages posted to the PyPI package repository: “The research team...has identified three more malicious Python packages that are believed to be a continuation of the VMConnect campaign: tablediter, request-plus, and requestspro. As happened with the ReversingLabs team's earlier VMConnect research, the team was unable to obtain copies of the Stage 2 malware used in this campaign.” The researchers note that the campaign has overlaps with previous attacks attributed to Labyrinth Chollima, a branch of North Korea’s Lazarus Group.
DB#JAMMER brute-forces exposed MSSQL databases.
Securonix warns that DB#JAMMER attack campaigns are targeting exposed MSSQL databases with brute-force attacks in order to deliver the FreeWorld ransomware. The researchers note, “One of the things that makes DB#JAMMER stand out is how the attacker’s tooling infrastructure and payloads are used. Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads.”
Securonix adds, “FreeWorld ransomware appears to be a variant of Mimic ransomware as it follows many similar TTPs in order to carry out its goals. Both variants appear to abuse the legitimate application Everything to query and locate target files to be encrypted.”
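The campaign above starts with password guessing against an internet-exposed SQL Server, which is visible to defenders before any payload lands: every failed login is written to the ERRORLOG as error 18456 with the client address. The following added example (not from the Securonix report) is a small detector that parses a few constructed ERRORLOG-style lines, raises an alert when one client exceeds a failure threshold inside a sliding window, and raises a second, higher-priority alert if that same client later logs in successfully. The log lines, threshold and window size are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the SQL Server ERRORLOG style (not taken from
# the report). Error 18456 is SQL Server's generic "login failed" event.
SAMPLE_LOG = """\
2023-09-01 10:00:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-01 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-09-01 10:00:02.07 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-09-01 10:00:02.91 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.10]
2023-09-01 10:00:03.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-09-01 10:00:03.90 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-09-01 10:00:04.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-09-01 10:00:04.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-09-01 10:01:30.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.10]
"""

_TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
FAILED_RE = re.compile(_TS + r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
SUCCESS_RE = re.compile(_TS + r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return a list of alerts. A 'bruteforce' alert fires once per client
    when it accumulates `threshold` failures within `window_seconds`; a
    'success_after_bruteforce' alert fires for any later successful login
    from a client that was already flagged."""
    recent = defaultdict(deque)   # ip -> timestamps of failures in the window
    flagged = {}                  # ip -> set of usernames tried
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts, ip, user = _parse_ts(m["ts"]), m["ip"], m["user"]
            window = recent[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()          # drop failures older than the window
            if ip in flagged:
                flagged[ip].add(user)
            elif len(window) >= threshold:
                flagged[ip] = {u for u in (user,)}
                alerts.append({"type": "bruteforce", "ip": ip, "failures": len(window),
                               "first": window[0], "last": ts, "users": flagged[ip]})
            continue
        m = SUCCESS_RE.match(line)
        if m and m["ip"] in flagged:
            alerts.append({"type": "success_after_bruteforce", "ip": m["ip"],
                           "user": m["user"], "at": _parse_ts(m["ts"])})
    # Record every username tried by a flagged client, including earlier ones.
    for a in alerts:
        if a["type"] == "bruteforce":
            for line in log_text.splitlines():
                m = FAILED_RE.match(line)
                if m and m["ip"] == a["ip"]:
                    a["users"].add(m["user"])
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The "success after brute force" alert is the one worth paging on: a guessing spree that never succeeds is noise from the internet, while a success from the same client is the moment an operator gains the foothold the report describes. In production the same logic would read the ERRORLOG through an agent or Extended Events rather than a string, and the threshold would be tuned per environment.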
New ransomware threat.
Flashpoint is tracking a new threat actor called “Ransomed” that conducts data theft and uses a new tactic to coerce victims into paying the ransom: “Ransomed is leveraging an extortion tactic that has not been observed before—according to communications from the group, they use data protection laws like the EU’s GDPR to threaten victims with fines if they do not pay the ransom. This tactic marks a departure from typical extortionist operations by twisting protective laws against victims to justify their illegal attacks.”
The group sets ransom demands between €50,000 and €200,000—relatively low compared to the fines typically imposed under GDPR. It’s worth noting that this tactic depends on the victim concealing the breach, which could lead to even heftier fines if this comes to light later on.
Spring-Kafka zero-day discovered.
Contrast Security has discovered a deserialization vulnerability (CVE-2023-34040) affecting Spring-Kafka, a project used for the development of Kafka-based messaging services. Contrast explains, “Insecure deserialization...occurs when a vulnerability allows untrusted or unknown data to be passed, enabling a denial-of-service (DoS) attack, code execution, authentication bypass or other types of abuse to an application’s logic.” The researchers were able to develop a proof-of-concept that could conduct remote code execution or denial-of-service attacks.
VMware has issued a patch for the vulnerability.
“Prolific” threat actor targets the crypto sector.
Checkmarx describes an ongoing campaign that’s been targeting cryptocurrency developers since at least 2021. The threat actor behind the campaign “has been publishing malicious NPM packages with the purpose of exfiltrating sensitive data such as source code and configuration files from the victim’s machines.” The researchers note, “The packages are tied to the cryptocurrency domain further solidifying their financial motives, with clear references to entities like CryptoRocket and Binarium.”
Adversary-in-the-middle attacks.
The Microsoft Threat Intelligence team has warned of a rise in adversary-in-the-middle (AiTM) phishing attacks, The Hacker News reports. These attacks are launched via phishing-as-a-service (PhaaS) offerings. Microsoft said in a post on X (formerly known as Twitter), “This development in the PhaaS ecosystem enables attackers to conduct high-volume phishing campaigns that attempt to circumvent MFA protections at scale.” The researchers add, “Circumventing MFA is the objective that motivated attackers to develop AiTM session cookie theft techniques. Unlike traditional phishing attacks, incident response procedures for AiTM require revocation of stolen session cookies.”
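The last point above is the one that trips up incident response: a session cookie captured by an AiTM proxy is a bearer credential, so resetting the victim's password does nothing to it unless the server also invalidates outstanding sessions. The following added example (my own constructed design, not Microsoft's guidance or code) shows one way to make revocation possible for signed, stateless cookies: each cookie carries a per-user "generation" number, and revoking all of a user's sessions simply increments that number so every older cookie fails verification. The walkthrough function returns, in order, whether the stolen cookie is accepted initially, after a password reset alone, after revocation, and whether a freshly issued cookie works afterwards.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text)


class SessionService:
    """Signed-cookie sessions with a per-user generation counter, so that all
    of a user's outstanding cookies can be revoked in one step (constructed
    example design, not any vendor's implementation)."""

    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key
        self.generation = {}   # user -> current session generation
        self.passwords = {}    # user -> (salt, PBKDF2 digest)

    # --- credentials ---
    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.passwords[user] = (salt, digest)

    def check_password(self, user: str, password: str) -> bool:
        if user not in self.passwords:
            return False
        salt, digest = self.passwords[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(digest, candidate)

    # --- sessions ---
    def issue_cookie(self, user: str) -> str:
        claims = {"sub": user, "gen": self.generation.get(user, 0), "sid": secrets.token_hex(8)}
        payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        sig = hmac.new(self.signing_key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)

    def user_for_cookie(self, cookie: str):
        """Return the user the cookie authenticates, or None if it is forged,
        malformed, or belongs to a revoked generation."""
        try:
            payload_b64, sig_b64 = cookie.split(".", 1)
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        except ValueError:          # bad split or bad base64
            return None
        expected = hmac.new(self.signing_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(payload)
        if claims.get("gen") != self.generation.get(claims.get("sub"), 0):
            return None             # cookie predates a revoke_all_sessions()
        return claims["sub"]

    def revoke_all_sessions(self, user: str) -> None:
        """The AiTM response step: bump the generation so every cookie issued
        so far for this user, including the stolen one, stops verifying."""
        self.generation[user] = self.generation.get(user, 0) + 1


def aitm_response_walkthrough():
    svc = SessionService(secrets.token_bytes(32))
    svc.set_password("alice", "correct horse")
    stolen = svc.issue_cookie("alice")            # cookie as captured by the proxy
    valid_initially = svc.user_for_cookie(stolen) == "alice"
    svc.set_password("alice", "new password")     # password reset alone
    valid_after_reset = svc.user_for_cookie(stolen) == "alice"
    svc.revoke_all_sessions("alice")              # the step the passage calls for
    valid_after_revoke = svc.user_for_cookie(stolen) == "alice"
    fresh_valid = svc.user_for_cookie(svc.issue_cookie("alice")) == "alice"
    return valid_initially, valid_after_reset, valid_after_revoke, fresh_valid


if __name__ == "__main__":
    print(aitm_response_walkthrough())   # expect (True, True, False, True)
```

The second value is the lesson: the stolen cookie survives the password reset. Systems that keep sessions in a server-side store can achieve the same effect by deleting the user's session rows; the generation counter is the equivalent for cookies that are otherwise validated without a database lookup.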