Threat Landscape Bulletin - August 2, 2024

August 2, 2024

Produced by Symantec's Threat Hunter Group, the Threat Landscape Bulletin brings you an up-to-date summary of all the news from the world of cybersecurity. Every weekday, we curate and deliver all the information you need to know directly to your inbox.

Check out the Threat Landscape Bulletin archive, which contains all previous editions and can be searched by keyword.

For updates on how Symantec products protect you against threats that are in the news, visit the Symantec Protection Bulletin.


Note: There will be no Threat Landscape Bulletin on Monday, August 5.

Taiwan government-backed research org targeted by Grayfly APT group

The Chinese advanced persistent threat (APT) group Grayfly (aka APT 41) compromised a Taiwanese government-affiliated research institute working on sensitive technologies, according to a report from Cisco Talos.

Grayfly breached the unnamed organization, which Cisco said “specializes in computing and associated technologies,” during a campaign that began in July 2023. “The nature of research and development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them,” the researchers said.

Cisco tied the attack to Grayfly based on specific kinds of malware, tactics, and open-source tools used. The hackers deployed the ShadowPad malware — favored among China-based hackers — and several additional tools were written in Simplified Chinese.

The initial access method used by the attackers is unclear; however, Cisco said the hackers compromised at least three devices and were “able to exfiltrate some documents from the network.” The threat actors used backdoors and compression tools to exfiltrate stolen data. 

Protection
For the latest protection updates, please visit the Symantec Protection Bulletin.

Cloudflare Tunnels abused to spread malware

Threat actors are increasingly abusing the Cloudflare Tunnel service to spread malware, according to researchers. 

According to reports from eSentire and Proofpoint, malicious actors are using Cloudflare's TryCloudflare free service to create a one-time tunnel to relay traffic from an attacker-controlled server to a local machine through Cloudflare's infrastructure. 

Financially motivated campaigns taking advantage of this tactic have been seen delivering malware families such as AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm. 

The attackers gain initial access via phishing emails containing a ZIP archive, which includes a URL shortcut file that leads the email recipient to a Windows shortcut file hosted on a TryCloudflare-proxied WebDAV server. The shortcut file executes batch scripts that retrieve and execute additional Python payloads, while simultaneously displaying a decoy PDF document hosted on the same WebDAV server.

“A key element of their strategy was using direct syscalls to bypass security monitoring tools, decrypting layers of shellcode, and deploying the Early Bird APC queue injection to stealthily execute code and evade detection effectively,” explained eSentire.

“The use of Cloudflare tunnels provides the threat actors a way to use temporary infrastructure to scale their operations providing flexibility to build and take down instances in a timely manner,” Proofpoint said.
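The delivery chain above (TryCloudflare-proxied WebDAV share, URL/LNK shortcut, batch script, Python payload) leaves a recognizable footprint in web proxy logs. The following is an added detection sketch, not code from eSentire, Proofpoint or Symantec: it scans constructed proxy log lines for requests to the `.trycloudflare.com` hostname suffix that the free TryCloudflare service uses, tags WebDAV methods and staged file types, and rates each client. The log format, the `quiet-river-1234` subdomain label, the client addresses and the file names are all constructed for the example.

```python
"""Detection sketch: flag proxy-log requests that match the TryCloudflare/WebDAV delivery chain."""
import re
from dataclasses import dataclass, field
from os.path import splitext
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hostname suffix handed out by the free TryCloudflare service (real suffix; the
# subdomain label used in the sample log below is constructed).
TUNNEL_SUFFIX = ".trycloudflare.com"
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# File types from the chain described in the reports: URL and LNK shortcuts,
# batch scripts, Python payloads.
STAGE_EXTENSIONS = {".url", ".lnk", ".bat", ".cmd", ".py"}

# Constructed log format: timestamp client method url status (one request per line).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample proxy log; hostnames and client addresses are made up.
SAMPLE_LOG = """\
2024-08-01T09:12:01Z 10.0.0.21 GET https://www.example.com/index.html 200
2024-08-01T09:13:44Z 10.0.0.21 PROPFIND https://quiet-river-1234.trycloudflare.com/share/ 207
2024-08-01T09:13:45Z 10.0.0.21 GET https://quiet-river-1234.trycloudflare.com/share/invoice.lnk 200
2024-08-01T09:13:46Z 10.0.0.21 GET https://quiet-river-1234.trycloudflare.com/share/invoice.pdf 200
2024-08-01T09:13:50Z 10.0.0.21 GET https://quiet-river-1234.trycloudflare.com/share/helper.bat 200
2024-08-01T09:20:00Z 10.0.0.34 GET https://cdn.example.org/lib.js 200
"""


@dataclass
class Finding:
    ts: str
    client: str
    host: str
    method: str
    path: str
    reasons: List[str] = field(default_factory=list)


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding for a request to a TryCloudflare host, with the reasons it matched."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m["url"])
    host = (url.hostname or "").lower()
    if not host.endswith(TUNNEL_SUFFIX):
        return None
    finding = Finding(m["ts"], m["client"], host, m["method"], url.path, ["trycloudflare tunnel host"])
    if m["method"] in WEBDAV_METHODS:
        finding.reasons.append("WebDAV method")
    ext = splitext(url.path)[1].lower()
    if ext in STAGE_EXTENSIONS:
        finding.reasons.append(f"staged {ext} file")
    return finding


def analyze_log(text: str) -> List[Finding]:
    """Run analyze_line over every line and keep only the matches."""
    return [f for f in (analyze_line(line) for line in text.splitlines()) if f is not None]


def severity_by_client(findings: List[Finding]) -> Dict[str, str]:
    """'high' when one client both browsed the tunnel over WebDAV and fetched a
    shortcut/script file; 'medium' for any other contact with a tunnel host."""
    flags: Dict[str, set] = {}
    for f in findings:
        seen = flags.setdefault(f.client, set())
        if "WebDAV method" in f.reasons:
            seen.add("webdav")
        if any(r.startswith("staged") for r in f.reasons):
            seen.add("stage")
    return {c: ("high" if {"webdav", "stage"} <= seen else "medium") for c, seen in flags.items()}


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f.ts, f.client, f.method, f.host + f.path, "|", ", ".join(f.reasons))
    print(severity_by_client(found))
```

On the sample log the client 10.0.0.21 is rated high because it issued a PROPFIND against the tunnel host and then fetched a `.lnk` and a `.bat` from it; the decoy PDF is still listed, since any traffic to a throwaway tunnel hostname is worth a look. In production the tunnel suffix alone is a noisy indicator (legitimate developers use TryCloudflare too), which is why the rating requires the WebDAV-plus-shortcut combination.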

Millions of domains at risk from “Sitting Duck” DNS hijack attack

Russia-based threat actors have hijacked over 30,000 domains since 2019 using a technique dubbed Sitting Duck. The name refers to how vulnerable domains sit out in the open, at risk, waiting for an attacker to discover and take them over.

The technique used to perform these attacks is not new; it was documented by Matthew Bryant of thehackerblog.com back in 2016. At the time, he disclosed issues with DNS service providers that could allow an attacker to take over virtually any domain, because those providers did not verify ownership during the registration/setup process.

For an attack to be successful, a number of conditions have to be met:

  • A domain or subdomain owner delegates DNS to a different authoritative DNS service provider than their registrar.
  • The delegation is not effective and is considered “lame” because the delegated DNS provider does not have the necessary information to resolve the delegated domain.
  • The DNS provider is exploitable because it does not verify domain ownership in its setup process. This could allow an attacker to “claim” any susceptible domain without the domain owner knowing.

Despite requiring what seems like an unlikely confluence of conditions for the attack to be possible, it is estimated that there are over a million domains susceptible to the Sitting Duck attack just waiting to be discovered by an attacker.

Domain owners should check the recommendations outlined in this blog to mitigate the risk from this attack technique.
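The first two conditions above can be checked from the outside: whether the NS records a parent zone publishes point at a third-party DNS provider, and whether those delegated servers actually answer authoritatively for the zone. The code below is an added illustration, not from the cited reports or from Symantec, of such a lame-delegation check. The query function is pluggable so the same logic can sit on top of a real resolver library (dnspython is one assumption; no live lookups are made here); the zone names, nameserver hostnames and reply table are all constructed. The third condition, whether the provider verifies ownership during setup, is a property of the provider's sign-up process and is left as a manual check.

```python
"""Lame-delegation check for the Sitting Duck preconditions (added example, constructed data)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass
class NsReply:
    rcode: str           # "NOERROR", "NXDOMAIN", "REFUSED", "SERVFAIL" or "TIMEOUT"
    authoritative: bool  # AA flag set on the response
    has_soa: bool        # an SOA record for the zone came back


# Signature of the query hook: (nameserver hostname, zone) -> NsReply. A live
# version would wrap a resolver library; this example only uses the table below.
QueryFn = Callable[[str, str], NsReply]

# Constructed replies: zone names and nameserver hostnames are made up.
SAMPLE_REPLIES: Dict[Tuple[str, str], NsReply] = {
    ("ns1.dnsprovider.test", "lame-example.test"): NsReply("REFUSED", False, False),
    ("ns2.dnsprovider.test", "lame-example.test"): NsReply("REFUSED", False, False),
    ("ns1.dnsprovider.test", "healthy-example.test"): NsReply("NOERROR", True, True),
    ("ns2.dnsprovider.test", "healthy-example.test"): NsReply("NOERROR", True, True),
    ("ns1.dnsprovider.test", "mixed-example.test"): NsReply("NOERROR", True, True),
    ("ns2.dnsprovider.test", "mixed-example.test"): NsReply("SERVFAIL", False, False),
}

PARENT_NS = ["ns1.dnsprovider.test", "ns2.dnsprovider.test"]  # what the parent zone delegates to


def fake_query(ns: str, zone: str) -> NsReply:
    """Stand-in for a real SOA query; unknown pairs behave like a timeout."""
    return SAMPLE_REPLIES.get((ns, zone), NsReply("TIMEOUT", False, False))


def classify_delegation(zone: str, parent_ns: Iterable[str], query: QueryFn) -> Tuple[str, Dict[str, str]]:
    """Ask each delegated server for the zone's SOA. 'lame' means none answers authoritatively."""
    details: Dict[str, str] = {}
    for ns in parent_ns:
        r = query(ns, zone)
        if r.rcode == "NOERROR" and r.authoritative and r.has_soa:
            details[ns] = "authoritative"
        elif r.rcode == "NOERROR":
            details[ns] = "answers but is not authoritative for the zone"
        else:
            details[ns] = f"does not serve the zone ({r.rcode})"
    good = sum(1 for v in details.values() if v == "authoritative")
    if good == len(details):
        verdict = "healthy"
    elif good == 0:
        verdict = "lame"
    else:
        verdict = "partially lame"
    return verdict, details


def uses_third_party_dns(parent_ns: Iterable[str], registrar_ns_domains: Iterable[str]) -> bool:
    """Condition 1: none of the delegated nameservers sit under the registrar's own NS domains."""
    suffixes = tuple("." + d.lower().strip(".") for d in registrar_ns_domains)
    return not any(ns.lower().rstrip(".").endswith(suffixes) for ns in parent_ns)


def sitting_duck_risk(zone: str, parent_ns: List[str], registrar_ns_domains: List[str], query: QueryFn) -> dict:
    """Combine conditions 1 and 2. Condition 3 (provider does not verify ownership) is a manual check."""
    verdict, details = classify_delegation(zone, parent_ns, query)
    third_party = uses_third_party_dns(parent_ns, registrar_ns_domains)
    return {
        "zone": zone,
        "delegation": verdict,
        "third_party_dns": third_party,
        "at_risk": third_party and verdict != "healthy",
        "servers": details,
    }


if __name__ == "__main__":
    for z in ("lame-example.test", "healthy-example.test", "mixed-example.test"):
        print(sitting_duck_risk(z, PARENT_NS, ["registrar.test"], fake_query))
```

A zone is reported as at risk only when it is delegated away from the registrar's own nameservers and at least one of the delegated servers fails to answer authoritatively; a fully healthy delegation, or one that stays on the registrar's DNS, is not. Running this over every delegated zone an organization owns, including forgotten subdomains, is the practical starting point for the remediation the blog recommends.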

Attackers using fake answers on Stack Exchange to spread malware

Researchers have discovered an attack campaign that uses fake answer posts on Stack Exchange to spread malware. Stack Exchange is a popular question-and-answer website that IT professionals use to share knowledge about IT and development problems.

In this particular malware campaign, the attackers appear to be focused on targeting cryptocurrency users and developers with a backdoor Trojan that can be used to steal information, particularly that which is related to cryptocurrencies. 

The attackers made posts on the website with information about how to use or perform certain actions using Raydium, a decentralized automated market maker protocol running on the Solana blockchain. Users targeted by these attackers are likely to be individuals who are interested in building trading bots and who are likely to have funds that could be targeted for theft.

The posts answer specific questions and are carefully crafted to look like legitimate guidance, but ultimately lead the reader to download and install malicious Python packages hosted on PyPI. The packages were named raydium, raydium-sdk, sol-instruct, sol-structs, and spy-types. Although they are no longer available, they racked up over 2,000 downloads in total while they were still online.

Attackers develop technique to easily hide bytecode malcode

A group of researchers from NTT Security Holdings Corp are planning to demonstrate a new technique to make it easier to hide malicious code on a computer by hijacking the memory used by software interpreters.

The technique, dubbed Bytecode Jiu-Jitsu, involves feeding malicious bytecode into the interpreter by replacing existing bytecode already present in memory and used by the interpreter. By doing this, when the interpreter goes to fetch and execute the expected bytecode from memory, it receives the injected code instead and executes it. 

One drawback of bytecode hijacking is its difficulty, but the researchers have created an automated technique that analyzes interpreter executables to find the injection points needed for a successful attack on many different interpreters. This makes such an attack considerably easier to carry out.

The researchers have confirmed their technique works with VBScript, Python, and Lua interpreters and will demonstrate it at the upcoming Black Hat 2024 security conference.

Legal sector hit hard by ransomware – report

The legal sector is struggling to deal with a barrage of ransomware attacks, with more legal records stolen in 2023 than in the previous five years combined.

According to a new report from Comparitech, the legal sector has faced astronomical ransom demands in recent years; however, “many organizations remain tight-lipped on the details of such attacks.” Using data from its worldwide ransomware tracker, Comparitech looked at the increasing threat of ransomware on legal firms and its consequences. 

From the beginning of 2018 to June 2024, Comparitech found:

  • 138 individual ransomware attacks on legal organizations with peaks in 2023 (45) and 2021 (44).
  • 2,907,031 individual records were impacted in these attacks. 2023 accounts for more than half of this figure, with 1.56 million records affected in total, an increase of 615% from 218,473 records in 2022.
  • Ransom demands varied from $30,000 to $21 million.
  • The average ransom demand on legal entities is just under $2.5 million.
  • Black Basta conducted the highest number of attacks in recent years with three attacks so far for 2024 and 10 attacks in 2023. LockBit carried out nine attacks in 2023 while ALPHV/BlackCat and Darkside dominated in 2022 and 2021, respectively.

The researchers highlighted that the report only focused on publicly confirmed ransomware attacks, warning that the findings “only scratch the surface.”


Copyright © 2024 Broadcom. All rights reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Other names may be trademarks of their respective owners.
