CYFIRMA: Cybersecurity Dossier Aug 12, 2024
Threat Actor in Focus - APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
APT41, a Chinese hacking group known for its sophisticated cyber espionage activities, compromised a Taiwanese government-affiliated research institute starting in July 2023. The attack began with the deployment of the ShadowPad malware and Cobalt Strike, using an outdated Microsoft Office IME binary as a loader to bypass security measures. Once inside the network, the attackers used techniques such as remote code execution and privilege escalation to maintain persistence and avoid detection. The group used a variety of tools, including Mimikatz for credential harvesting, WebBrowserPassView for extracting passwords saved in web browsers, and 7zip for compressing stolen data before exfiltration. They also exploited a remote code execution vulnerability, CVE-2018-0824 (CVSS 7.5), to further infiltrate the system.
Hamas Leadership Assassination Explainer
The death of Hamas leader Ismail Haniyeh in Tehran and the announcement of the death of Hamas military wing commander Mohammed Deif occurred on the same day, almost ten months after Hamas attacked Israel on 7 October. Haniyeh was in Tehran to attend the inauguration of the new Iranian president, Masoud Pezeshkian, who pledged support to Hezbollah and various anti-Israeli Iranian-backed groups. Prime Minister Netanyahu has not commented on the attack itself, warning instead of “difficult days ahead”, implying potential retaliation from Iran. The assassination on such a high-profile day is arguably embarrassing for Iran, even though Haniyeh was not Iranian (or even Shiite). Moreover, it follows the killing of senior Iranian Revolutionary Guard officers at the Iranian Embassy in Damascus earlier this year, and demonstrates Israel’s ability to carry out effective intelligence-led operations in Iran.
CrowdStrike Falcon Sensor Update: Worldwide Blue Screen of Death (BSOD) Incident Update – II
On July 19, 2024, CrowdStrike experienced a significant outage caused by a faulty software update for its Falcon sensor. The update, intended to enhance functionality or security, contained a flaw that caused the sensor to malfunction on Windows operating systems, resulting in systems crashing or becoming stuck in a continuous boot loop. The outage had widespread impact, disrupting critical servers and endpoints globally for many organizations that rely on CrowdStrike Falcon. In response, CrowdStrike quickly deployed a corrective update to address the issue and restore normal functionality, but not before threat actors exploited the confusion through phishing campaigns and other attacks. The incident underscored the crucial role of EDR solutions in cybersecurity and the need for effective incident response and communication strategies.
OpenSSH RCE (CVE-2024-6387) : Vulnerability Analysis and Exploitation
CVE-2024-6387, known as regreSSHion, is a high-severity vulnerability in OpenSSH’s server (sshd) that involves a race condition during the authentication phase, allowing unauthenticated remote code execution with root privileges. This flaw impacts most Linux distributions because OpenSSH is installed by default, with older versions being particularly vulnerable. The severity is rated at CVSS 8.1, indicating significant risk. The vulnerability is actively discussed on the Deep/Dark Web, and reports suggest that IP addresses of affected devices are being circulated in underground forums. It is currently being exploited in the wild, as documented by CISA’s Known Exploited Vulnerabilities Catalog. Immediate action is essential to address this threat.
Ransomware of the Week
The CYFIRMA Research and Advisory Team found LostInfo ransomware while monitoring various underground forums as part of our Threat Discovery Process. Researchers discovered the LostInfo ransomware in late July 2024. This malicious software encrypts files and demands a ransom for their decryption. Upon execution, the LostInfo ransomware initiates an encryption process and alters the original file names by appending a unique ID and the “.lostinfo” extension. Following the completion of encryption, it generates a file named “README.TXT,” which contains instructions for a ransom payment to restore access to the encrypted files. The ransom note left by the ransomware informs victims that their files have been encrypted. It assures them of decryption after ransom payment and advises against seeking help from third parties. To recover their data, victims are required to pay a ransom, though the amount is unspecified.
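The two behaviours described above, mass renames that append an ID and the “.lostinfo” extension followed by the creation of README.TXT, are the observable footprint a defender can alert on. The script below is an added example, not CYFIRMA’s tooling or code from the ransomware report: it parses a small set of constructed file-system events, correlates renames and note creation per process, and only alerts when the rename pattern is present, so that an ordinary README.TXT on its own does not fire. The event line format, the `.<ID>.lostinfo` layout of the renamed file and the rename threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of file-system events (format is an assumption for this example):
# "<timestamp> <pid> <RENAME|CREATE> <path>[ -> <new path>]"
SAMPLE_EVENTS = """\
2024-07-30T10:01:02 4412 RENAME C:\\Users\\alice\\Documents\\report.docx -> C:\\Users\\alice\\Documents\\report.docx.A1B2C3D4.lostinfo
2024-07-30T10:01:02 4412 RENAME C:\\Users\\alice\\Documents\\budget.xlsx -> C:\\Users\\alice\\Documents\\budget.xlsx.A1B2C3D4.lostinfo
2024-07-30T10:01:03 4412 RENAME C:\\Users\\alice\\Pictures\\holiday.jpg -> C:\\Users\\alice\\Pictures\\holiday.jpg.A1B2C3D4.lostinfo
2024-07-30T10:01:05 4412 CREATE C:\\Users\\alice\\Documents\\README.TXT
2024-07-30T10:02:10 1980 RENAME C:\\Users\\bob\\draft.txt -> C:\\Users\\bob\\final.txt
2024-07-30T10:02:11 1980 CREATE C:\\Users\\bob\\README.TXT
"""

# Assumed layout of an encrypted file name: "<original>.<ID>.lostinfo".
# The report only states that an ID and the extension are appended.
LOSTINFO_RE = re.compile(r"\.([A-Za-z0-9-]+)\.lostinfo$", re.IGNORECASE)
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<pid>\d+) (?P<action>RENAME|CREATE) (?P<rest>.+)$")


def parse_event(line):
    """Turn one event line into a dict, or None if it does not match the format."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    if ev["action"] == "RENAME":
        src, _, dst = ev["rest"].partition(" -> ")
        ev["src"], ev["dst"] = src, dst
    else:
        ev["dst"] = ev["rest"]
    del ev["rest"]
    return ev


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def analyse(events_text, rename_threshold=3):
    """Correlate per process: renames to *.lostinfo plus README.TXT creation.

    Alert when a process either renamed at least `rename_threshold` files into
    the LostInfo pattern, or renamed at least one and also dropped README.TXT.
    A README.TXT without any such rename is deliberately not an alert.
    """
    state = defaultdict(lambda: {"renames": 0, "ids": set(), "note": False, "first_ts": None})
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        s = state[ev["pid"]]
        if ev["action"] == "RENAME":
            m = LOSTINFO_RE.search(ev["dst"])
            if m:
                s["renames"] += 1
                s["ids"].add(m.group(1))
                s["first_ts"] = s["first_ts"] or ev["ts"]
        elif basename(ev["dst"]).upper() == "README.TXT":
            s["note"] = True

    alerts = []
    for pid, s in sorted(state.items()):
        if s["renames"] >= rename_threshold or (s["renames"] and s["note"]):
            alerts.append({
                "pid": pid,
                "first_seen": s["first_ts"],
                "lostinfo_renames": s["renames"],
                "victim_ids": sorted(s["ids"]),
                "ransom_note_dropped": s["note"],
            })
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

Only process 4412 is reported: it renamed three files into the pattern and then dropped README.TXT, while process 1980 created a README.TXT after an unrelated rename and stays silent. In a real deployment the rename threshold is the knob that trades early warning against false positives.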
Trending Malware of the Week
This week “BlankBot” is trending. Researchers have discovered a new Android banking trojan called BlankBot that impersonates utility applications, is not associated with any known malware family, and targets Turkish users to steal financial information. As of July 24, 2024, BlankBot was still under active development. It abuses Android’s accessibility service permissions to gain full control over infected devices, posing a significant threat to users’ financial security. The malware logs everything on the device, including SMS texts, sensitive information, and a list of applications used. It also performs custom injections to steal banking information, such as payment card data and device lock patterns. Initial communication with its controller starts with a “GET” request whose HTTP headers carry device details such as battery level, screen size, model, manufacturer, and OS version, followed by communication over port 8080 via a WebSocket connection.
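The check-in sequence described above, a GET request carrying device telemetry in its headers followed by a WebSocket connection on port 8080, is a network pattern that can be hunted for in proxy or flow logs. The script below is an added example, not code from the BlankBot analysis or from CYFIRMA: it scores a GET request by how many device-detail categories its headers carry and raises the score when the same client opens a WebSocket upgrade to the same host on port 8080 shortly afterwards. The log records are constructed; the header names, the 60-second window and the three-category threshold are assumptions, since the report does not name the actual headers.

```python
import re

# Constructed proxy records (not captured traffic). Addresses are documentation ranges.
SAMPLE_LOG = [
    {"ts": 100, "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 80, "method": "GET", "path": "/",
     "headers": {"User-Agent": "okhttp/4.9", "Battery": "87", "Screen": "1080x2400",
                 "Model": "SM-A125F", "Manufacturer": "samsung", "Os-Version": "13"}},
    {"ts": 103, "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 8080, "method": "GET", "path": "/ws",
     "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}},
    {"ts": 200, "src": "10.0.0.7", "dst": "198.51.100.4", "dport": 443, "method": "GET", "path": "/api",
     "headers": {"User-Agent": "Mozilla/5.0", "Accept": "*/*"}},
]

# Header-name hints per telemetry category. The real header names are not
# published in the report, so these are assumptions broad enough to catch variants.
TELEMETRY_HINTS = {
    "battery": re.compile(r"batt", re.I),
    "screen": re.compile(r"screen|resolution|display", re.I),
    "model": re.compile(r"model", re.I),
    "manufacturer": re.compile(r"manufacturer|vendor|brand", re.I),
    "os_version": re.compile(r"os[-_]?version|android|sdk", re.I),
}


def telemetry_categories(headers):
    """Return the set of device-detail categories present in the header names."""
    found = set()
    for name in headers:
        for category, pattern in TELEMETRY_HINTS.items():
            if pattern.search(name):
                found.add(category)
    return found


def is_websocket_upgrade(record):
    """True if the request asks for an HTTP-to-WebSocket upgrade."""
    lowered = {k.lower(): v.lower() for k, v in record["headers"].items()}
    return lowered.get("upgrade") == "websocket"


def detect_blankbot_pattern(records, window=60, min_categories=3, ws_port=8080):
    """Flag telemetry-laden GETs; escalate when a WebSocket to port 8080 follows.

    A GET with at least `min_categories` device-detail headers is a medium
    alert on its own. If the same client then opens a WebSocket upgrade to the
    same destination on `ws_port` within `window` seconds, it becomes high.
    """
    alerts = []
    ordered = sorted(records, key=lambda r: r["ts"])
    for i, rec in enumerate(ordered):
        if rec["method"] != "GET":
            continue
        categories = telemetry_categories(rec["headers"])
        if len(categories) < min_categories:
            continue
        alert = {"src": rec["src"], "dst": rec["dst"], "ts": rec["ts"],
                 "categories": sorted(categories), "websocket_followup": False, "score": "medium"}
        for later in ordered[i + 1:]:
            if later["ts"] - rec["ts"] > window:
                break
            if (later["src"] == rec["src"] and later["dst"] == rec["dst"]
                    and later["dport"] == ws_port and is_websocket_upgrade(later)):
                alert["websocket_followup"] = True
                alert["score"] = "high"
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect_blankbot_pattern(SAMPLE_LOG):
        print(alert)
```

The first client produces a single high alert (five telemetry categories, then a WebSocket upgrade to port 8080 three seconds later); the browser-like request from the second client carries no device detail and is ignored. Shrinking the window below the gap between the two requests drops the alert back to medium, which is the knob to tune against legitimate apps that send some device headers.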
CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. We have built a next-generation AI-powered threat intelligence platform called External Threat Landscape Management (ETLM) to provide cyber defenders with the hacker’s view and help clients prepare for impending attacks.
Visit www.cyfirma.com
Message sent by CYFIRMA at 16 Raffles Quay #09-01 S(048581), Singapore, Singapore.