Connecting Busy IT and Business Leaders to the Most Important Cyber News and Threats twice-weekly
The Ankura FLASH Update is prepared by the Cyber Threat Investigations and Expert Services (CTIX) team to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. Questions about the Flash Update? Send an email directly to the Ankura CTIX Team for additional context or insight.
Malware Activity
GhostSpider Backdoor Deployed by Salt Typhoon in SE Asia Telecom Attacks
Cybersecurity researchers at Trend Micro have recently released an analysis of two (2) campaigns attributed to the threat group Salt Typhoon targeting the Taiwanese government and Southeast Asian telecommunications networks. This analysis is released on the heels of recent reports of Salt Typhoon attacks against U.S. telecommunication service providers and U.S. government officials. Salt Typhoon, also known as Earth Estries, FamousSparrow, and GhostEmperor, is a China-attributed advanced persistent threat (APT) that primarily targets telecommunications and government entities. In the campaigns analyzed by researchers, initial access was achieved through the exploitation of vulnerabilities including CVE-2023-46805 and CVE-2024-2187 (Ivanti Connect Secure VPN), CVE-2023-48788 (Fortinet FortiClient EMS), CVE-2022-3236 (Sophos Firewall), and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 (Microsoft Exchange – ProxyLogon). Researchers highlight three (3) forms of malware leveraged by Salt Typhoon: “Demodex”, “SnappyBee”, and “GhostSpider”. GhostSpider is a newly discovered backdoor designed for long-term espionage campaigns. GhostSpider is loaded onto the victim system using DLL hijacking and registered as a service via regsvr32.exe. A secondary module loads encrypted payloads into memory, which serve as the malware's beacon. GhostSpider receives commands sent via HTTP headers or cookies so that its traffic blends in with normal network activity. The backdoor can upload, activate, execute, and remove malicious modules as well as adjust the malware’s behavior to evade detection. CTIX analysts recommend that high-risk organizations in related industries perform threat hunting based on available IOCs and ensure network assets are updated with the latest patches. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
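One concrete threat-hunting check that follows from the loading pattern described above (a DLL hijacked into place and then handed to regsvr32.exe) is to sweep process-creation telemetry for regsvr32 executions whose DLL argument lives outside the directories where legitimately registered DLLs sit. The script below is an added example, not code from Trend Micro or the CTIX team; the event records, hostnames and paths are constructed sample data, not indicators from the report, and the field names merely mirror Sysmon event ID 1.

```python
"""Hunt process-creation events for regsvr32.exe being handed a DLL from a
user-writable location, the loading pattern described for GhostSpider above."""
import shlex
from typing import Dict, List

# Directories where a DLL passed to regsvr32 is expected to live; anything else is
# worth an analyst's look. Lower-cased, with a trailing backslash so that a prefix
# such as "c:\windows\system32evil\" cannot slip past the check.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed process-creation records in the shape of Sysmon event ID 1 fields
# (hypothetical sample data, not IOCs from the report).
CONSTRUCTED_EVENTS = [
    {"host": "ws01", "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": 'regsvr32.exe /s "C:\\Program Files\\Vendor\\plugin.dll"'},
    {"host": "ws02", "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /i:install C:\\Users\\Public\\Libraries\\loader.dll"},
    {"host": "ws03", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]


def dll_from_cmdline(cmdline: str) -> str:
    """Return the DLL argument of a regsvr32 command line (first non-switch token)."""
    # posix=False keeps Windows backslashes literal and keeps quoted paths as one token.
    for tok in shlex.split(cmdline, posix=False)[1:]:
        if not tok.startswith(("/", "-")):
            return tok.strip('"')
    return ""


def hunt_regsvr32(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag regsvr32 executions whose DLL lives outside the trusted directories."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("\\regsvr32.exe"):
            continue
        dll = dll_from_cmdline(ev["cmdline"])
        if dll and not dll.lower().startswith(TRUSTED_DLL_DIRS):
            hits.append({"host": ev["host"], "dll": dll,
                         "reason": "regsvr32 loading a DLL from an untrusted directory"})
    return hits


if __name__ == "__main__":
    for hit in hunt_regsvr32(CONSTRUCTED_EVENTS):
        print(hit)
```

Run against real telemetry, only ws02-style hits (a DLL under a user-writable path such as C:\Users\Public) should surface; vendor installers that register DLLs from Program Files are intentionally left out of the results.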
Threat Actor Activity
Russian APT28 Linked to 'Nearest Neighbor Attack' WiFi Breach
A Russian cyberespionage group, identified as APT28 (also known as Fancy Bear, Forest Blizzard, or Sofacy), has been implicated in a sophisticated attack on a U.S. organization using a technique dubbed the "Nearest Neighbor Attack." This attack, discovered in early 2022, involved exploiting Wi-Fi networks to gain unauthorized access to sensitive data related to Ukrainian projects. The cybercriminals first breached a nearby organization's network, leveraging its Wi-Fi capabilities to pivot and infiltrate the target's enterprise network. The attackers initially obtained credentials through password spraying on internet-facing services. However, multi-factor authentication (MFA) protected these services, preventing immediate access. To circumvent this, the hackers compromised a neighboring organization's network, gaining access to dual-homed devices with both wired and wireless connections. By using the wireless adapter of such a device, they connected to the target's Wi-Fi network, bypassing the need for MFA. Once inside the network, APT28 utilized native Windows tools to maintain a low profile and executed a series of steps, including lateral movement and data exfiltration. They specifically targeted devices within Wi-Fi range, accessing sensitive information through remote desktop connections. The attackers employed Windows utilities, such as Cipher.exe and servtask.bat, to cover their tracks and extract valuable data, including registry hives. The attack's complexity and the use of living-off-the-land techniques initially made attribution challenging. However, an April 2024 report provided indicators of compromise (IOCs) that linked the attack to APT28. The report suggested the group may have exploited a zero-day vulnerability in the Windows Print Spooler service to escalate privileges and execute critical payloads.
Vulnerabilities
Palo Alto Firewalls Compromised Through Recently Patched Vulnerabilities
Recent cyberattacks have compromised thousands of Palo Alto Networks firewalls, exploiting two (2) newly patched zero-day vulnerabilities. These vulnerabilities, identified as CVE-2024-0012 and CVE-2024-9474, involve an authentication bypass and privilege escalation within the PAN-OS management web interface. These flaws allow remote attackers to gain administrator privileges and execute commands with root access on the firewalls. The exploitation of these vulnerabilities has primarily been used to install malware, including web shells, Sliver implants, and crypto miners. The Shadowserver Foundation reported that approximately two thousand (2,000) devices have been compromised, mostly within the U.S. and India. Another company identified over thirteen thousand (13,000) publicly exposed next-generation firewall management interfaces, but not all are vulnerable. Palo Alto Networks has acknowledged the active exploitation of these vulnerabilities under the campaign name "Operation Lunar Peek" and has issued warnings about potential escalations due to the availability of a proof-of-concept (PoC) exploit. Palo Alto Networks has asserted that the actual number of compromised devices is lower than reported by Shadowserver, attributing discrepancies to differences in exposure reporting. They emphasize that a majority of their customers adhere to best practices by securing their management interfaces. However, they continue to work with affected clients and recommend immediate patching and restricting access to trusted internal IP addresses to mitigate risks. In response to the attacks, the Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch affected systems promptly. This follows a series of vulnerabilities affecting Palo Alto Networks devices this year.
Palo Alto Networks urges customers to follow recommended deployment guidelines to reduce risks, with an emphasis on securing management interfaces by restricting access solely to trusted internal IPs.
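The mitigation repeated throughout this item, allowing management-interface access only from trusted internal addresses, is easy to state and easy to get wrong with a single overly broad entry. The script below is an added example, not Palo Alto Networks code, that audits an exported allow list against the internal networks an organization has approved for management access; the trusted networks and the three allow lists are constructed sample data, and the input format (one CIDR per entry) is an assumption about how such a list would be exported, not a PAN-OS configuration syntax.

```python
"""Audit a firewall management-interface allow list against the trusted internal
networks that should be the only permitted sources (added example, not vendor code)."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed example: the internal jump-host and NOC networks approved for management access.
TRUSTED_MGMT_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "192.168.100.0/24")]

# Constructed allow lists. The weak one exposes management to any source; the corrected
# one pins it to trusted internal addresses; the mixed one shows the common drift cases.
WEAK_ALLOW_LIST = ["0.0.0.0/0"]
CORRECTED_ALLOW_LIST = ["10.20.30.0/24", "192.168.100.5/32"]
MIXED_ALLOW_LIST = ["10.20.30.0/24", "203.0.113.0/24", "10.99.0.0/16", "not-an-ip"]


def audit_permitted_ips(entries: Iterable[str],
                        trusted: List[ipaddress._BaseNetwork] = TRUSTED_MGMT_SOURCES
                        ) -> List[Tuple[str, str]]:
    """Return (entry, code) for every entry that is not contained in a trusted network.

    Codes: ANY_SOURCE      a /0 entry, i.e. management reachable from the internet
           OUTSIDE_TRUSTED a specific range that is not within an approved internal network
           INVALID         the entry could not be parsed as an IP network
    """
    findings = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "INVALID"))
            continue
        if net.prefixlen == 0:
            findings.append((entry, "ANY_SOURCE"))
        elif not any(t.version == net.version and net.subnet_of(t) for t in trusted):
            findings.append((entry, "OUTSIDE_TRUSTED"))
    return findings


if __name__ == "__main__":
    for name, allow_list in (("weak", WEAK_ALLOW_LIST),
                             ("corrected", CORRECTED_ALLOW_LIST),
                             ("mixed", MIXED_ALLOW_LIST)):
        print(f"{name}: {audit_permitted_ips(allow_list) or 'OK'}")
```

An empty result for a list means every permitted source sits inside an approved internal network; any ANY_SOURCE finding is the exposed-management-interface condition this item describes.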
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.