This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Social Media Links

| 3 minutes read

Ankura CTIX FLASH Update - January 20, 2023

Malware Activity

PayPal Discloses December 2022 Security Incident Involving Credential Stuffing Attacks

PayPal has begun sending out notification letters to individuals impacted by a security incident that occurred in early December 2022. On December 20, 2022, PayPal confirmed that unauthorized third-party actors had access to customer accounts using login credentials between December 6 and December 8. The actors obtained access through credential stuffing attacks, in which previously compromised usernames and password pairs are used by actors to attempt to access various accounts. This type of attack is significant to users who use the same password for multiple accounts and do not change their passwords upon being notified of a breach. The actors were able to view and potentially exfiltrate personal information from certain users, which could contain users' names, addresses, Social Security numbers (SSNs), individual tax identification numbers, and/or dates of birth. PayPal emphasized that there is no evidence that any personal information accessed has been misused and there is no evidence that login credentials were obtained from a PayPal system, meaning that their platform was not breached. Approximately 35,000 users have been impacted by this incident and the compromised accounts' passwords have been reset by PayPal. CTIX analysts will continue to monitor for advancements regarding this incident.

Threat Actor Activity

BackdoorDiplomacy Targets Iranian Government Networks

Chinese threat actors conducted a cyberespionage campaign targeting Iranian government entities in the second half of 2022. Tracked as BackdoorDiplomacy, these threat actors have been active since 2017 and often target foreign affairs and telecommunications companies throughout Europe, Asia, Middle East, and Africa. In previous operations, these actors utilized several proxy/tunneling tools, a variant of the “Quarian” backdoor, and lateral movement techniques to further their espionage capabilities. This recent cyberespionage campaign was in operation between July 2022 through December 2022 and compromised several Iranian government networks, including the network tied to the Ministry of Foreign Affairs and the Natural Resources Organization. BackdoorDiplomacy actors utilized variants of the “Turian” backdoor which included upgraded obfuscation tactics, decryption algorithms, and the ability to execute remote commands and spin up reverse shells. As this cyberespionage campaign aged on, the threat actors continued to update their Turian backdoor variant to adapt to new environments and establish stealthy command-and-control (C2) communications. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.


Hackers Exploiting a Critical Vulnerability in ManageEngine Products by Zoho

Security researchers at Rapid7 have published a blog post warning that they have observed the active exploitation of a critical vulnerability affecting specific ManageEngine on-premise products by Zoho. ManageEngine is an IT service management solution used by hundreds of companies for monitoring and managing all of the hardware and software devices on their networks. The flaw, tracked as CVE-2022-47966, is a pre-authentication remote code execution (RCE) vulnerability stemming from a vulnerable third-party dependency on Apache Santuario for XML signature validation. Specifically, the flaw is exploitable if a user has enabled Security Assertion Markup Language (SAML) single-sign-on, authorizing access to multiple web applications with a single credential set. Attackers could exploit this vulnerability by issuing an HTTP POST request that contains a maliciously crafted SAML response, allowing for RCE. If successfully exploited, an attacker could take complete control of the system that a vulnerable ManageEngine project is running on, steal credentials, deploy malware, and pivot laterally across the network. This product is very popular, being utilized by nine (9) out of every ten (10) Fortune 100 companies, making these vulnerable organizations a very lucrative target for threat actors. Researchers from have published a working proof-of-concept (PoC) for exploiting this vulnerability and state that the attack is easy to exploit, making it even more likely that there will be exploitation attempts by sophisticated nation state hackers, financially motivated threat groups, and unsophisticated attackers with limited skills. This vulnerability was patched in October and November of 2022, and CTIX analysts recommend that organizations leveraging any of the products listed in ManageEngine's security advisory upgrade their infrastructure immediately to prevent exploitation attempts.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team ( if additional context is needed.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.


cyber response, cybersecurity & data privacy, data & technology, data privacy & cyber risk, f-risk, memo, technology media telecoms

Let’s Connect

We solve problems by operating as one firm to deliver for our clients. Where others advise, we solve. Where others consult, we partner.

I’m interested in

I need help with