At a glance.
- New Lazarus Group activity discovered.
- Chinese operators intrude into infrastructure.
- Cyber action connected with the war between Hamas and Israel.
- Cyber action in Russia’s hybrid war against Ukraine.
- Apache Struts vulnerability exploited in the wild.
- USPS impersonation.
- 5Ghoul: a chip risk.
- Autofill risk.
- MrAnon infostealer and a malicious booking app.
- BatLoader and FakeBat.
- Holiday fraud services for sale in the C2C market.
- BazarCall phishes with Google Forms.
- New threat actor discovered: "GambleForce."
- Malicious ads associated with Zoom.
New Lazarus Group activity discovered.
Cisco Talos says North Korea’s Lazarus Group is conducting a new campaign dubbed “Operation Blacksmith,” targeting companies in the manufacturing, agricultural, and physical security sectors. The threat actor is “employing at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram Bots and channels as a medium of Command and Control (C2) communications.” The researchers observed overlaps with previous activity by the Lazarus sub-group “Andariel,” noting that “Andariel is typically tasked with initial access, reconnaissance and establishing long-term access for espionage in support of the North Korean government’s national interests.”
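The Telegram-based C2 channel Talos describes is worth turning into a hunting query, because the Bot API has a fixed, searchable shape. The following is an added example written for this digest, not code from Talos or from the Operation Blacksmith report: it runs over constructed proxy log lines (hypothetical format: timestamp, source IP, verb, URL, status, bytes, user-agent) and flags internal hosts that call `https://api.telegram.org/bot<token>/<method>` while not on an allowlist of hosts expected to run Telegram automation. The bot-token pattern (numeric bot ID, colon, 35-character secret) is an assumption drawn from the public token format, and the allowlist address is invented.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Telegram's Bot API is always addressed as https://api.telegram.org/bot<token>/<method>.
# The token format below (numeric bot id, colon, 35-character secret) is an assumption
# based on the public token format, not something taken from the Talos report.
BOT_API_RE = re.compile(
    r"^/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)

# Hypothetical proxy log format: ts src_ip verb url status bytes "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<verb>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

# Assumed allowlist: hosts that legitimately talk to the Bot API (e.g. a chatops box).
ALLOWLIST = {"10.0.5.20"}

# Constructed sample log lines; the tokens are made up and not valid Telegram tokens.
SAMPLE_LOG = """\
2023-12-11T09:14:02Z 10.0.5.20 POST https://api.telegram.org/bot123456789:AAHf5Qf2k7Xy9abcdefghijklmnopqrstu1/sendMessage 200 412 "python-requests/2.31.0"
2023-12-11T09:15:40Z 10.0.7.33 GET https://api.telegram.org/bot987654321:AAGz9Xy1w2Abcdefghijklmnopqrstuvwx2/getUpdates 200 1893 "Mozilla/4.0"
2023-12-11T09:15:41Z 10.0.7.33 POST https://api.telegram.org/bot987654321:AAGz9Xy1w2Abcdefghijklmnopqrstuvwx2/sendDocument 200 52311 "Mozilla/4.0"
2023-12-11T09:16:05Z 10.0.7.33 GET https://web.telegram.org/k/ 200 7721 "Mozilla/5.0 (Windows NT 10.0)"
2023-12-11T09:17:12Z 10.0.9.8 GET https://example.com/ 200 512 "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def bot_api_call(url):
    """Return (bot_id, method) if url is a Telegram Bot API request, else None.

    The secret half of the token is matched but deliberately not returned, so it
    never ends up in alert text or tickets; it is a credential for the attacker's bot.
    """
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_API_RE.match(parts.path)
    if not m:
        return None
    return m.group("bot_id"), m.group("method")


def find_bot_c2(log_text, allowlist=ALLOWLIST):
    """Group Bot API calls by source host and return the hosts not on the allowlist.

    Ordinary Telegram client traffic (web.telegram.org, the desktop app) does not use
    the /bot<token>/ path, so it is not flagged; only Bot API use is.
    """
    by_src = defaultdict(
        lambda: {"bot_ids": set(), "methods": [], "user_agents": set(), "bytes": 0}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = bot_api_call(rec["url"])
        if hit is None:
            continue
        bot_id, method = hit
        entry = by_src[rec["src"]]
        entry["bot_ids"].add(bot_id)
        entry["methods"].append(method)      # getUpdates + sendDocument = tasking + exfil shape
        entry["user_agents"].add(rec["ua"])
        entry["bytes"] += int(rec["bytes"])
    return {src: e for src, e in by_src.items() if src not in allowlist}


if __name__ == "__main__":
    for src, e in find_bot_c2(SAMPLE_LOG).items():
        print(f"{src}: bots={sorted(e['bot_ids'])} methods={e['methods']} "
              f"bytes={e['bytes']} ua={sorted(e['user_agents'])}")
```

The host worth looking at is the one polling `getUpdates` (receiving tasking) and then posting `sendDocument` (uploading a file) with a generic user-agent; a real allowlist should be built from the hosts that are known to run Telegram bots, and alerts should carry the bot ID rather than the full token.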
Chinese operators intrude into infrastructure.
In what appears to be a staging and battlespace preparation effort, China's People's Liberation Army cyber operators have intruded into infrastructure in several countries, paying, the Washington Post reports, special attention to the United States. The incursions, US officials say, are "part of a broader effort to develop ways to sow panic and chaos or snarl logistics in the event of a U.S.-China conflict in the Pacific." The staging forms part of the ongoing Volt Typhoon campaign; the latest US disclosures build on February's annual threat assessment by the Office of the Director of National Intelligence. The Post quotes CISA Executive Director Brandon Wales as saying, “It is very clear that Chinese attempts to compromise critical infrastructure are in part to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict, to either prevent the United States from being able to project power into Asia or to cause societal chaos inside the United States — to affect our decision-making around a crisis. That is a significant change from Chinese cyber activity from seven to 10 years ago that was focused primarily on political and economic espionage.”
Volt Typhoon has been found actively exploiting vulnerabilities in SOHO (small office/home office) routers produced by Cisco, Netgear and Fortinet. The routers in question have reached end-of-life: they are outdated and no longer receive vendor support or patches. Lumen's Black Lotus Labs has found and disrupted Volt Typhoon activity that used these compromised devices as the KV-botnet, the covert relay network employed earlier this year in the attack on infrastructure in Guam. The researchers believe the activity suggests battlespace preparation and staging for further infrastructure attacks against US targets. They also recommend, SecurityWeek reports, that vulnerable end-of-life devices be replaced rather than left in service, since no fix will be issued for them.
Sandman APT linked to a Chinese threat actor.
Researchers from SentinelOne, Microsoft, and PwC have published research outlining links between the Sandman APT and the suspected Chinese threat actor STORM-0866/Red Dev 40. The links include “victimology overlaps, cohabitation, and sharing C2 infrastructure control and management practices.”
The researchers conclude, “The findings we present are yet another showcase of the complex nature of the China-based threat landscape. As exemplified by Sandman and STORM-0866/Red Dev 40, this landscape is marked by substantial cooperation and coordination among its constituent threat groups, along with the possibility of third-party vendors supplying the operational teams with tooling. This makes accurate clustering challenging. Therefore, while acknowledging the association of Sandman with the suspected China-based adversaries using KEYPLUG, we continue to track Sandman as a distinct cluster until further conclusive information suggesting otherwise becomes available.”