Adam Tyra’s Post

Chinese Hackers Exploiting Ivanti VPN Flaws to Deploy New Malware. At least two different suspected China-linked cyber espionage clusters, tracked as UNC5325 and UNC3886, have been attributed to the exploitation of security flaws in Ivanti Connect Secure VPN appliances. UNC5325 abused CVE-2024-21893 to deliver a wide range of new malware called LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, as well as attempted to maintain persistent access to compromised appliances, Mandiant said. The Google-owned threat intelligence firm has assessed with moderate confidence that UNC5325 is associated with UNC3886 owing to source code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware used by the latter. https://lnkd.in/dY5Vbkzs

At least two different suspected China-linked cyber espionage clusters, tracked as UNC5325 and UNC3886, have been attributed to the exploitation of security flaws in Ivanti Connect Secure VPN appliances. UNC5325 abused CVE-2024-21893 to deliver a wide range of new malware called LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, as well as attempted to maintain persistent access to compromised appliances, Mandiant said. The Google-owned threat intelligence firm has assessed with moderate confidence that UNC5325 is associated with UNC3886 owing to source code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware used by the latter. https://lnkd.in/ggTPpDsb

China state hackers infected 20,000 Fortinet VPNs, Dutch spy service says https://ift.tt/FX6BQR9 Enlarge Hackers working for the Chinese government gained access to more than 20,000 VPN appliances sold by Fortinet using a critical vulnerability that the company failed to disclose for two weeks after fixing it, Netherlands government officials said. The vulnerability, tracked as CVE-2022-42475, is a heap-based buffer overflow that allows hackers to remotely execute malicious code. It carries a severity rating of 9.8 out of 10. A maker of network security software, Fortinet silently fixed the vulnerability on November 28, 2022, but failed to mention the threat until December 12 of that year, when the company said it became aware of an “instance where this vulnerability was exploited in the wild.” On January 11, 2023—more than six weeks after the vulnerability was fixed—Fortinet warned a threat actor was exploiting it to infect government and government-related organizations with advanced custom-made malware. Enter CoatHanger The Netherlands officials first reported in February that Chinese state hackers had exploited CVE-2022-42475 to install an advanced and stealthy backdoor tracked as CoatHanger on Fortigate appliances inside the Dutch Ministry of Defence. Once installed, the never-before-seen malware, specifically designed for the underlying FortiOS operating system, was able to permanently reside on devices even when rebooted or receiving a firmware update. CoatHanger could also escape traditional detection measures, the officials warned. The damage resulting from the breach was limited, however, because infections were contained inside a segment reserved for non-classified uses. Read 6 remaining paragraphs | Comments via Biz & IT – Ars Technica https://arstechnica.com June 11, 2024 at 06:56PM

Chinese Hackers Exploiting Ivanti VPN Flaws to Deploy New Malware: At least two different suspected China-linked cyber espionage clusters, tracked as UNC5325 and UNC3886, have been attributed to the exploitation of security flaws in Ivanti Connect Secure VPN appliances. UNC5325 abused CVE-2024-21893 to deliver a wide range of new malware called LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, as well as maintain persistent

New Malware on the Block "A new malware named 'Cuttlefish' has been spotted infecting enterprise-grade and small office/home office (SOHO) routers to monitor data that passes through them and steal authentication information. Lumen Technologies' Black Lotus Labs examined the new malware and reports that Cuttlefish creates a proxy or VPN tunnel on the compromised router to exfiltrate data discreetly while bypassing security measures that detect unusual sign-ins. The malware can also perform DNS and HTTP hijacking within private IP spaces, interfering with internal communications and possibly introducing more payloads." Like this? Subscribe to Cyberwarfare, Espionage & Extortion for more: https://bit.ly/3HnJbKx

Breaking News: Operation Crimson Palace 🚨 According to the Sophos report, Operation Crimson Palace was marked by the use of new malware tools, over 15 dynamic link library (DLL) sideloading efforts, and innovative evasion techniques. The attackers, organised into three distinct threat clusters, each played specialised roles in the broader attack chain, likely under the direction of a single entity. This meticulous teamwork enabled the theft of a significant volume of files and emails, including strategic documents related to the contested South China Sea—a region of long-standing territorial disputes between the unidentified government and China. Chinese APTs have historically shared infrastructure and malicious code, but the level of inter-APT collaboration seen in Operation Crimson Palace is unprecedented. The operation’s origins trace back to March 2022, when the Mustang Panda group deployed the “Nupakage” data exfiltration tool on the victim’s network. In December of the same year, DLL stitching was used to covertly deploy backdoors against targeted domain controllers. Cluster Alpha: From March to August 2023, this group conducted reconnaissance, mapping server subnets, identifying administrator accounts, and probing Active Directory infrastructure. They disabled antivirus protections using a variant of the Eagerbee backdoor from Emissary Panda and leveraged five different malware tools for command and control (C2). Cluster Bravo: Active for only a few weeks in March 2023, Cluster Bravo spread laterally using legitimate accounts, establishing C2 communications and dumping credentials with a novel backdoor called CCoreDoor. Cluster Charlie: Operating from March 2023 to April 2024, this group specialised in access management, performing network ping sweeps to map users and endpoints, and capturing credentials from domain controllers. They used a novel backdoor named PocoProxy for C2 purposes and exfiltrated large volumes of sensitive data. Sophos researchers noted that the tools and infrastructure used in Operation Crimson Palace overlap with those of several known Chinese threat actors, including Worok and the APT41 subgroup Earth Longzhi. While the evidence strongly suggests Chinese government involvement, Sophos refrained from attributing the attack to a specific group. Chester Wisniewski, director and global field CTO at Sophos, emphasised that focusing too much on attribution can be counterproductive. He pointed out that multiple groups might share stolen credentials and tools, making it difficult to predict future attacks based on past activity. “Once you’re breached by one of these adversaries, all bets are off,” Wisniewski said. “You have to assume all those things are happening.” Visit www.convergex.co.uk for expert cybersecurity services including malware detection, security training, and more. #Convergex #WebDevelopment #CybersecurityAwareness #CyberEssentials #SecurityTraining #MalwareDetection

At least two different suspected China-linked cyber espionage clusters, tracked as UNC5325 and UNC3886, have been attributed to the exploitation of security flaws in Ivanti Connect Secure VPN appliances. UNC5325 abused CVE-2024-21893 to deliver a wide range of new malware called LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, as well as maintain persistent

Chinese Hackers Deliver #Malware to Barracuda Email Security Appliances via New Zero-Day Chinese hackers exploited a zero-day tracked as CVE-2023-7102 to deliver malware to Barracuda Email Security Gateway (ESG) appliances. https://lnkd.in/gsTQiTPz

Netherlands reveals Chinese attack on defence servers using CoatHanger malware on Fortinet Devices - a real pain to remove - Dutch authorities are lifting the curtain on an attempted cyberattack last year at its Ministry of Defense (MoD), blaming Chinese state-sponsored attackers for the espionage-focused intrusion. Specialists from the Netherlands' Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) were called in to investigate an intrusion at an MOD network last year, uncovering a previously unseen malware they're calling Coathanger. The name, authorities said, was conjured up based on the "peculiar phrase" displayed by the malware when encrypting the configuration on disk: "She took his coat and hung it up." A deep dive into Coathanger's code revealed the remote access trojan (RAT) was purpose-built for Fortinet's FortiGate next-generation firewalls (NGFWs) and the initial access to the MoD's network was gained through exploiting CVE-2022-42475. According to the MIVD and AIVD, the RAT operates outside of traditional detection measures and acts as a second-stage malware, mainly to establish persistent access for attackers, surviving reboots and firmware upgrades. Even fully patched FortiGate devices could still have Coathanger installed if they were compromised before upgrading. In the cybersecurity advisory published today, authorities said the malware was highly stealthy and difficult to detect using default FortiGate CLI commands, since Coathanger hooks most system calls that could identify it as malicious. They also made clear that Coathanger is definitely different from BOLDMOVE, another RAT targeting FortiGate appliances. "For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China," said defense minister Kajsa Ollongren in an automatically translated statement. "In this way, we increase international resilience against this type of cyber espionage." The advisory also noted that Dutch authorities had previously spotted Coathanger present on other victims' networks too, prior to the incident at the MOD. As for attribution, MIVD and AIVD said they can pin Coathanger to Chinese state-sponsored attackers with "high confidence." "MIVD and AIVD emphasize that this incident does not stand on its own, but is part of a wider trend of Chinese political espionage against the Netherlands and its allies," the advisory reads. The attackers responsible for the attack were known for conducting "wide and opportunistic" scans for exposed FortiGate appliances vulnerable to CVE-2022-42475 and then exploiting it using an obfuscated connection. After gaining an initial foothold inside the network, which was used by the MOD's research and development division, the attackers performed reconnaissance and stole a list of user ...

Summary of The Hacker News article: The article reports that suspected nation-state actors have exploited two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances, deploying as many as five different malware families as part of their post-exploitation activities since early December 2023. These malware families enable the threat actors to bypass authentication and gain backdoor access to the compromised devices. Mandiant has been tracking these attacks, identifying the threat actor as UNC5221. The attack leverages an exploit chain that includes an authentication bypass flaw (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887) to compromise vulnerable instances. Please read the article for more details: https://lnkd.in/d5mkdvU3 #cybersecuritythreats #zerodayvulnerabilities #NationStateActors #IvantiVPN #malwareattacks