Cyber Security News — Past 24 hours | 29.05.2021

Chinese Cyber Espionage Hackers Continue to Target Pulse Secure VPN Devices

At the heart of these intrusions lies CVE-2021-22893, a recently patched vulnerability in Pulse Secure VPN devices that the adversaries exploited to gain an initial foothold on the target network. From there they stole credentials, escalated privileges, conducted internal reconnaissance while moving laterally across the network, and then maintained long-term persistent access and accessed sensitive data. «Both UNC2630 and UNC2717 display advanced tradecraft and go to impressive lengths to avoid detection. This tradecraft can make it difficult for network defenders to establish a complete list of tools used, credentials stolen, the initial intrusion vector, or the intrusion start date.»

Source —

SolarWinds Hackers Target Think Tanks With New ‘NativeZone’ Backdoor

Microsoft on Thursday disclosed that the threat actor behind the SolarWinds supply chain hack has returned to target government agencies, think tanks, consultants, and non-governmental organizations located across 24 countries, including the U.S. «This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations,» Tom Burt, Microsoft’s Corporate Vice President for Customer Security and Trust, said. «At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work.» Microsoft attributes the intrusions to the Russian threat actor it tracks as Nobelium, which the wider cybersecurity community also tracks under the monikers APT29, UNC2452, SolarStorm, StellarParticle, and Dark Halo. «Nobelium launched this week’s attacks by gaining access to the Constant Contact account of USAID,» Burt said.

In another variation of the targeted attacks detected before April, Nobelium experimented with profiling the target machine after the email recipient clicked the link. Cybersecurity firm Volexity, which corroborated the findings, said the campaign singled out non-governmental organizations, research institutions, government entities, and international agencies situated in the U.S. The ever-evolving nature of Nobelium’s tradecraft is also likely a direct response to the highly publicized SolarWinds incident, suggesting the attackers will continue to experiment with their methods to meet their objectives. «When coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers,» Burt said. «By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.»

Source —

Researchers Warn of Facefish Backdoor Spreading Linux Rootkits

The malware dropper has been dubbed «Facefish» by the Qihoo 360 NETLAB team, owing to its capability to deliver different rootkits at different times and its use of the Blowfish cipher to encrypt communications with the attacker-controlled server. Facefish goes through a multi-stage infection process, which starts with a command injection against CWP (Control Web Panel) to retrieve a dropper from a remote server; the dropper then releases a rootkit that collects sensitive information, transmits it back to the server, and awaits further instructions from the command-and-control (C2) server. Rootkits are particularly dangerous because, once installed with elevated privileges, they can interfere with core operations of the underlying operating system and hide the attacker’s files, processes and network connections from ordinary tooling. This ability to blend into the fabric of the operating system gives attackers a high level of stealth and evasion.

Facefish also employs a complex communication protocol and encryption scheme: instructions whose identifiers start with 0x2XX are used to exchange public keys, and Blowfish is then used to encrypt the data exchanged with the C2 server.

Source —

Researchers Demonstrate 2 New Hacks to Modify Certified PDF Documents

Cybersecurity researchers have disclosed two new attack techniques against certified PDF documents that could enable an attacker to alter a document’s visible content by displaying malicious content over the certified content, without invalidating its signature. «By inserting a signature field, the signer can define the exact position of the field, and additionally its appearance and content,» the researchers said. «This flexibility is necessary since each new signature could contain the signer’s information.» To fend off such attacks, the researchers recommend prohibiting FreeText, Stamp, and Redact annotations, ensuring that signature fields are set up at defined locations in the PDF document prior to certification, and penalizing any subsequent addition of signature fields with an invalid certification status.

The two techniques are the Evil Annotation Attack (EAA) and the Sneaky Signature Attack (SSA). The researchers have also created a Python-based utility called PDF-Detector, which parses certified documents and highlights any suspicious elements found in them. «Although neither EAA nor SSA can change the content itself — it always remains in the PDF — annotations and signature fields can be used as an overlay to add new content,» the researchers said.
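As an added example (this is not the page’s own code and not the researchers’ PDF-Detector), the following Python checker applies the detection recommendations above at the byte level: it splits a PDF into its incremental updates, locates the certifying (DocMDP) signature, and flags FreeText/Stamp/Redact annotations (the overlay vector of EAA) and signature fields (the vector of SSA) that were appended after certification. The sample PDF bytes, the object numbers and the «10,000 EUR» overlay text are constructed for illustration and are not a renderable document; the parsing assumes classic uncompressed incremental updates (no object streams or cross-reference streams).

```python
import re

# Annotation types the researchers recommend prohibiting in certified documents.
OVERLAY_ANNOTS = {b"FreeText", b"Stamp", b"Redact"}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
SUBTYPE_RE = re.compile(rb"/Subtype\s*/([A-Za-z]+)")
SIG_FIELD_RE = re.compile(rb"/FT\s*/Sig")
# DocMDP /P level (ISO 32000): 1 = no changes, 2 = form fill-in and signing,
# 3 = additionally annotation creation/deletion/modification.
DOCMDP_P_RE = re.compile(rb"/TransformMethod\s*/DocMDP.*?/P\s+(\d)", re.DOTALL)
EOF_RE = re.compile(rb"%%EOF")

# Constructed sample: revision 0 is "certified" with a DocMDP signature (P=3).
CERTIFIED_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] /SigFlags 3 >>"
    b" /Perms << /DocMDP 5 0 R >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Widget /FT /Sig /T (Certifier) /V 5 0 R"
    b" /Rect [50 700 250 750] >> endobj\n"
    b"5 0 obj << /Type /Sig /Filter /Adobe.PPKLite /Reference [<< /TransformMethod /DocMDP"
    b" /TransformParams << /P 3 >> >>] /ByteRange [0 0 0 0] /Contents <00> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed sample: an incremental update an attacker appends after certification,
# adding a FreeText overlay (EAA) and a new signature field (SSA).
EVIL_UPDATE = (
    b"6 0 obj << /Type /Annot /Subtype /FreeText /Rect [50 500 400 600]"
    b" /Contents (Amount: 10,000 EUR) >> endobj\n"
    b"7 0 obj << /Type /Annot /Subtype /Widget /FT /Sig /T (Injected)"
    b" /Rect [50 100 250 150] >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 6 0 R 7 0 R] >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)
UNCERTIFIED_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


def split_revisions(pdf):
    """Split a PDF into its incremental updates (each ends with %%EOF), oldest first."""
    revisions, start = [], 0
    for m in EOF_RE.finditer(pdf):
        revisions.append(pdf[start:m.end()])
        start = m.end()
    return revisions


def certification_info(revisions):
    """Return (index of the revision carrying the DocMDP signature, its /P level) or (None, None)."""
    for i, rev in enumerate(revisions):
        m = DOCMDP_P_RE.search(rev)
        if m:
            return i, int(m.group(1))
    return None, None


def analyze(pdf):
    """Report overlay annotations and signature fields added after the certifying revision."""
    revisions = split_revisions(pdf)
    cert_rev, p_level = certification_info(revisions)
    report = {"certified": cert_rev is not None, "revisions": len(revisions),
              "docmdp_p": p_level, "findings": []}
    if cert_rev is None:
        return report
    # Everything up to and including the certifying revision is covered by the certification;
    # only objects appended afterwards can carry an EAA/SSA overlay.
    for i, rev in enumerate(revisions[cert_rev + 1:], start=cert_rev + 1):
        for num, _gen, body in OBJ_RE.findall(rev):
            sub = SUBTYPE_RE.search(body)
            subtype = sub.group(1) if sub else b""
            if subtype in OVERLAY_ANNOTS:
                # EAA: an annotation drawn on top of the certified page content
                report["findings"].append((i, int(num), "EAA", subtype.decode()))
            if SIG_FIELD_RE.search(body):
                # SSA: a signature field whose position and appearance the attacker chose
                report["findings"].append((i, int(num), "SSA", "Sig"))
    return report


if __name__ == "__main__":
    print("certified only:", analyze(CERTIFIED_PDF))
    print("certified + evil update:", analyze(CERTIFIED_PDF + EVIL_UPDATE))
```

Any finding after the certifying revision is a reason to treat the certification as invalid rather than merely suspicious, which is what the researchers recommend for late-added signature fields. A production checker must also verify the signature itself (ByteRange coverage and the certificate chain); this example only locates the overlay objects.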

Source —

Stay Focused. Stay Vigilant.

Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT


