By the CyberWire staff
At a glance.
- Suspected Chinese threat actor exploits F5 BIG-IP and ScreenConnect flaws for initial access.
- AcidPour wiper may have been used against Ukrainian internet providers.
- More details on Turla's targeting of European NGOs.
- Earth Krahang targets government entities around the world.
- Five Eyes issue another advisory on Volt Typhoon.
- Privilege escalation technique affects Active Directory environments.
- North Korea's Kimsuky group launches new malware campaign.
- An analysis of the Smoke Loader malware.
Suspected Chinese threat actor exploits F5 BIG-IP and ScreenConnect flaws for initial access.
Mandiant has published a report on UNC5174, a suspected Chinese threat actor that appears to work as an initial access broker for China's Ministry of State Security (MSS). In October 2023, the threat actor exploited a remote command execution vulnerability (CVE-2023-46747) affecting F5 BIG-IP Traffic Management User Interface. Following this campaign, UNC5174 was observed "attempting to sell access to U.S. defense contractor appliances, UK government entities, and institutions in Asia." In February 2024, the threat actor was seen exploiting an authentication bypass vulnerability (CVE-2024-1709) affecting ConnectWise ScreenConnect to "compromise hundreds of institutions primarily in the U.S. and Canada."
Mandiant notes, "China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and ScreenConnect to enable espionage operations at scale. These operations often include rapid exploitation of recently disclosed vulnerabilities using custom or publicly available proof-of-concept exploits. UNC5174 and UNC302 operate within this model, and their operations provide insight into the initial access broker ecosystem leveraged by the MSS to target strategically interesting global organizations. Mandiant believes that UNC5174 will continue to pose a threat to organizations in the academic, NGO, and government sectors specifically in the United States, Canada, Southeast Asia, Hong Kong, and the United Kingdom."
AcidPour wiper may have been used against Ukrainian internet providers.
Researchers at SentinelOne have discovered a new version of AcidRain, a wiper malware that was used against modems across Ukraine at the beginning of the Russian invasion in February 2022. The researchers have dubbed the new variant "AcidPour," noting that it "expands upon AcidRain’s capabilities and destructive potential to now include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, better targeting RAID arrays and large storage devices."
SentinelOne adds that the discovery of AcidPour coincides with the disruptions of four Ukrainian internet providers that began on March 13th: "At this time, we cannot confirm that AcidPour was used to disrupt these ISPs. The longevity of the disruption suggests a more complex attack than a simple DDoS or nuisance disruption. AcidPour, uploaded 3 days after this disruption started, would fit the bill for the requisite toolkit. If that’s the case, it could serve as another link between this hacktivist persona and specific GRU operations."
More details on Turla's targeting of European NGOs.
Cisco Talos has published an update to its previous reports on a cyberespionage campaign by the Russian threat actor Turla. The campaign, which used a new backdoor dubbed "TinyTurla-NG," targeted a "Polish non-governmental organization (NGO) working on improving Polish democracy and supporting Ukraine during the Russian invasion." Talos describes the full kill chain used by the threat actor, noting that "Before deploying TinyTurla-NG, Turla will attempt to configure anti-virus software exclusions to evade detection of their backdoor. Once exclusions have been set up, TTNG is written to the disk, and persistence is established by creating a malicious service."
Earth Krahang targets government entities around the world.
Researchers at Trend Micro are tracking a cyberespionage campaign by a China-nexus threat actor they've dubbed "Earth Krahang." The campaign has breached seventy government organizations in twenty-three different countries, with a strong focus on Southeast Asia. In total, the group has targeted one-hundred-sixteen government entities across forty-five countries. Trend Micro states, "[I]n the case of one country, we found that the threat actor compromised a diverse range of organizations belonging to 11 different government ministries. We found that at least 48 government organizations were compromised, with a further 49 other government entities being targeted. Foreign Affairs ministries and departments were a top target, compromising 10 such organizations and targeting five others."
The researchers believe Earth Krahang may be tied to Chinese government contractor I-Soon, which recently sustained a major data breach that exposed its operations. Trend Micro previously linked the company to a separate China-nexus threat actor dubbed "Earth Lusca." The researchers note, "Using this leaked information, we found that the company organized their penetration team into two different subgroups. This could be the possible reason why we saw two independent clusters of activities active in the wild but with limited association. Earth Krahang could be another penetration team under the same company."
Five Eyes issue another advisory on Volt Typhoon.
The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and other Five Eyes partners yesterday issued another advisory concerning the China-affiliated threat actor Volt Typhoon. The new advisory is designed to "provide leaders of critical infrastructure entities with guidance to help prioritize the protection of critical infrastructure and functions."
Privilege escalation technique affects Active Directory environments.
Akamai this morning released a report describing "a new privilege escalation technique affecting Active Directory (AD) environments that leverages the DHCP administrators group." The researchers explain, "In cases where the DHCP server role is installed on a Domain Controller (DC), this could enable them to gain domain admin privileges." Akamai notes, "The technique is based on abuse of legitimate features and doesn’t rely on any vulnerability. Therefore, a fix for it doesn’t exist."
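As an added defender-side check (this is not code from the Akamai report), the following PowerShell audits the two conditions the item describes: who holds membership in the DHCP Administrators group, and which Domain Controllers also carry the DHCP Server role. It assumes the ActiveDirectory and ServerManager modules, the default group name "DHCP Administrators", and remoting rights to the DCs.

```powershell
# Added audit script, not from Akamai: flags DCs that also host the DHCP Server role
# and lists DHCP Administrators members, since that combination is what the report warns about.
# Assumptions: ActiveDirectory module available, default group name, PowerShell remoting to DCs.
Import-Module ActiveDirectory

# Recursive membership of the domain-local DHCP Administrators group (default name assumed).
$dhcpAdmins = Get-ADGroupMember -Identity 'DHCP Administrators' -Recursive -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty SamAccountName
Write-Host "DHCP Administrators members: $($dhcpAdmins -join ', ')"

# Every Domain Controller in the domain, by DNS host name.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    # Get-WindowsFeature comes from ServerManager, which is present on Windows Server DCs.
    $feature = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
        Get-WindowsFeature -Name DHCP
    }
    if ($feature -and $feature.Installed) {
        # Risky layout per the report: DHCP role co-located with a DC.
        Write-Warning "$dc is a Domain Controller with the DHCP Server role installed; review DHCP Administrators membership and consider moving the role off the DC."
    }
    else {
        Write-Host "$dc: DHCP Server role not installed."
    }
}
```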
North Korea's Kimsuky group launches new malware campaign.
Securonix has published a report on a new campaign tracked as DEEP#GOSU that's likely tied to North Korea's Kimsuky group. The researchers note, "While the targeting of South Korean victims by the Kimsuky group happened before, from the tradecraft observed it’s apparent that the group has shifted to using a new script-based attack chain that leverages multiple PowerShell and VBScript stagers to quietly infect systems. The later-stage scripts allow the attackers to monitor clipboard, keystroke, and other session activity."
The attackers use a large shortcut file to hide a PowerShell script and an entire PDF file. Securonix states, "What makes this tactic clever is that there is technically no PDF file contained within the initial zip file sent to the victim. When the user clicks the PDF lure (shortcut file) they’re immediately presented with a PDF file thus removing any concern that anything unexpected happened. The PDF lure document is in Korean and appears to be an announcement regarding the son of Korean Airlines CEO Choi Hyun (the late Choi Yul) and states that the son has passed away due to a car accident. The rest contains details and dates of the funeral hall."
An analysis of the Smoke Loader malware.
Palo Alto Networks's Unit 42 has published a joint research report with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP), focusing on Smoke Loader malware activity targeting Ukrainian entities. The report notes, "Primarily a loader with added information-stealing capabilities, Smoke Loader has been linked to Russian cybercrime operations and is readily available on Russian cybercrime forums. Ukrainian officials have highlighted a surge in Smoke Loader attacks targeting the country’s financial institutions and government organizations. While Ukraine has seen a rise in Smoke Loader attacks, this malware remains a global threat and continues to be seen in multiple campaigns targeting other countries. However, this surge of attacks suggests a coordinated effort to disrupt Ukrainian systems and extract valuable data."
Patch news.
Ivanti has issued a patch for a critical remote code execution vulnerability (CVE-2023-41724) affecting its Standalone Sentry appliances, BleepingComputer reports. The company stated, "This vulnerability impacts all supported versions 9.17.0, 9.18.0, and 9.19.0. Older versions are also at risk. There is a patch available now via the standard download portal. We strongly encourage customers to act immediately to ensure they are fully protected. We are not aware of any customers being exploited by this vulnerability at the time of disclosure. By exploiting CVE-2023-41724, an unauthenticated threat actor can execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network."
Crime and punishment.
A former manager of a telecommunications company in New Jersey has pleaded guilty to carrying out SIM-swapping attacks, the Trentonian reports. The US Attorney's Office for the District of New Jersey said in a press release, "In May 2021, [Jonathan Katz] was employed as a manager at a telecommunications store and accessed several customer accounts by using managerial credentials. Katz swapped the SIM numbers associated with the customers’ phone numbers into mobile devices controlled by another individual, enabling this other individual to control the customers’ phones and access the customers’ electronic accounts – including email, social media, and cryptocurrency accounts. In exchange for the swaps, Katz was paid in Bitcoin, which was traced back to Katz’s cryptocurrency account."
Policies, procurements, and agency equities.
The US House of Representatives on Wednesday unanimously passed a bill that would prevent data brokers from selling Americans’ sensitive data to foreign adversaries, the Record reports. House Energy and Commerce Committee leaders Cathy McMorris Rodgers (Republican of Washington) and Frank Pallone (Democrat of New Jersey) noted in a joint statement that the legislation is an "important complement to more comprehensive national data privacy legislation, which we remain committed to working together on."