C-MOR Video Surveillance version 5.2401 makes use of unmaintained vulnerability third-party components.

Advisory ID:               SYSS-2024-029  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401  
Tested Version(s):         5.2401  
Vulnerability Type:        Dependency on Vulnerable Third-Party   
Component (CWE-1395)  
                            Use of Unmaintained Third Party Components   
(CWE-1104)  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-05  
Solution Date:             2024-07-31  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2017-9798, CVE-2017-3167, and more  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

The C-MOR system uses several outdated third-party software components  
with known security vulnerabilities.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR system, it was found that the C-MOR system depends  
on several outdated third-party software components with known security  
vulnerabilities, for instance an old Linux kernel, Apache HTTP Server  
2.2.16, PHP 5.3.3, or Python 2.6.

Some of the used software components have also reached their end of life  
and are not supported anymore by a maintainer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following excerpt of the "dpkg-query" output illustrates some outdated  
third-party software components used on the C-MOR system:

$ sudo dpkg-query -l  
(...)  
ii  apache2                             2.2.16-6+squeeze10   
Apache HTTP Server metapackage  
ii  apache2-mpm-prefork                 2.2.16-6+squeeze10   
Apache HTTP Server - traditional non-threaded model  
ii  apache2-utils                       2.2.16-6+squeeze10   
utility programs for webservers  
ii  apache2.2-bin                       2.2.16-6+squeeze10   
Apache HTTP Server common binary files  
ii  apache2.2-common                    2.2.16-6+squeeze10   
Apache HTTP Server common files  
(...)  
ii  libapache2-mod-php5                 5.3.3-7+squeeze14   
server-side, HTML-embedded scripting language (Apache 2 module)  
(...)  
ii  libssl0.9.8                         0.9.8o-4squeeze14            SSL   
shared libraries  
(...)  
ii  linux-image-4.7.8                   c-mor-v5-00   
Linux kernel binary image for version 4.7.8  
(...)  
ii  php5                                5.3.3-7+squeeze14   
server-side, HTML-embedded scripting language (metapackage)  
rc  php5-cgi                            5.3.3-7+squeeze14   
server-side, HTML-embedded scripting language (CGI binary)  
ii  php5-cli                            5.3.3-7+squeeze14   
command-line interpreter for the php5 scripting language  
ii  php5-common                         5.3.3-7+squeeze14   
Common files for packages built from the php5 source  
ii  php5-gd                             5.3.3-7+squeeze14            GD   
module for php5  
ii  php5-mysql                          5.3.3-7+squeeze14   
MySQL module for php5  
ii  php5-suhosin                        0.9.32.1-1   
advanced protection module for php5  
(...)  
ii  python2.6                           2.6.6-8+b1                   An   
interactive high-level object-oriented language (version 2.6)  
ii  python2.6-minimal                   2.6.6-8+b1                   A   
minimal subset of the Python language (version 2.6)  
(...)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install C-MOR Video Surveillance version 6.00PL1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-029

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-029.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, and Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 Insecure Third-Party Components

SonicWall has revealed that a recently patched critical security flaw impacting SonicOS may have come under active exploitation, making it essential that users apply the patches as soon as possible.
The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10.
"An improper access control vulnerability has been identified in the SonicWall SonicOS management

Network Security / Threat Detection

SonicWall has revealed that a recently patched critical security flaw impacting SonicOS may have come under active exploitation, making it essential that users apply the patches as soon as possible.

The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10.

"An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash," SonicWall said in an updated advisory.

With the latest development, the company has revealed that CVE-2024-40766 also impacts the firewall's SSLVPN feature. The issue has been addressed in the below versions -

*   SOHO (Gen 5 Firewalls) - 5.9.2.14-13o
*   Gen 6 Firewalls - 6.5.2.8-2n (for SM9800, NSsp 12400, and NSsp 12800) and 6.5.4.15.116n (for other Gen 6 Firewall appliances)

The network security vendor has since updated the bulletin to reflect the possibility that it may have been actively exploited.

"This vulnerability is potentially being exploited in the wild," it added. "Please apply the patch as soon as possible for affected products."

As temporary mitigations, it's recommended to restrict firewall management to trusted sources or disable firewall WAN management from Internet access. For SSLVPN, it's advised to limit access to trusted sources, or disable internet access altogether.

Additional mitigations include enabling multi-factor authentication (MFA) for all SSLVPN users using one-time passwords (OTPs) and recommending customers using GEN5 and GEN6 firewalls with SSLVPN users who have locally managed accounts to immediately update their passwords for preventing unauthorized access.

There are currently no details about how the flaw may have been weaponized in the wild, but Chinese threat actors have, in the past, unpatched SonicWall Secure Mobile Access (SMA) 100 appliances to establish long-term persistence.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SonicWall Urges Users to Patch Critical Firewall Flaw Amid Possible Exploitation

The funds from Germany's Sovereign Tech Fund will be used to integrate zero-trust capabilities, tools for software bill of materials, and other security features.

Source: Les Polders via Alamy Stock Photo

The health of the global Internet and digital infrastructure relies heavily on volunteer-maintained open source projects. Various organizations and initiatives now provide funding to make security fixes or improve features for some of these projects.

Last week, the FreeBSD Foundation announced a €686,400 (approximately $762,540) investment from Germany's Sovereign Tech Fund. The foundation drives development and maintenance of the FreeBSD operating system, a Unix-based operating system similar to Linux. The funding from STF is intended to cover work for the rest of 2024 and extend into 2025 and will focus on security features and improvements.

STF is supported by the German Federal Ministry for Economic Affairs and Climate Action (BMWK) and is hosted by the German Federal Agency for Disruptive Innovation (SPRIND). The fund has actively supported open source projects that are important components of the global digital infrastructure, such as €1 million ($1.1 million) for GNOME (a widely used desktop application for Linux operating systems) development at the end of last year and €203,000 ($225,487) to GStreamer (a multimedia framework used widely in streaming apps, embedded devices, and browsers) earlier this year. Several of STF's recent investments are tied to security improvements, such as making the encrypted home directory a GNOME feature and rewriting GStreamer's various Web and networking protocols (RTP/RTCP, RTSP, and WebRTC) from C to Rust to eliminate recurring memory-based vulnerabilities.

The FreeBSD investment will also focus on several security initiatives, such as zero-trust builds, continuous integration/continuous delivery (CI/CD) automation, reducing technical debt, enhancing security controls, and improving tools related to the software bill of materials. Reducing technical debt is important since many vulnerabilities linger on in years-old components that are no longer being maintained or even looked at.

Zero-trust builds refer to the ability to prove where all the source code and tooling used in FreeBSD came from and are trusted. This is necessary to ensure that the tools used (such as compilers) are not introducing backdoors or malware into the code.

The focus on CI/CD automation is necessary to streamlining software delivery and operations. It will allow for constantly running security tests to ensure that changes have not introduced vulnerabilities and fixing them as they are found.

"This investment in critical digital infrastructure will accelerate modernization of FreeBSD, enhance security hygiene, and improve developer experiences," said Fiona Krakenbürger, co-founder of STF, in a statement.

STF has supported a slew of other open source projects, including curl, FFmpeg, Rustls (a TLS library written in Rust), and Coreutils uutils (the coreutils library with basic file, shell, and text functions rewritten in Rust).

FreeBSD Gets €686,400 to Boost Security Features

Talos' Nick Biasini discusses the biggest shifts and trends in the threat landscape so far. We also focus on one state sponsored actor that has been particularly active this year, and talk about why defenders need to be paying closer attention to infostealers.

Friday, September 6, 2024 08:59

As we head into the final furlong of 2024, we caught up with Talos’ Head of Outreach Nick Biasini to ask him what sort of year it’s been so far in the threat landscape. 

In this video, Nick outlines his two major areas of concern. He also focusses on one state-sponsored actor that has been particularly active this year (Clue: It rhymes with “Bolt Teaspoon”), and we talk about why the infostealer market has gone through a maturing phase, and why that’s an issue for defenders.

After you’ve watched the video, I’ve highlighted some of our threat spotlight blogs from the year so far below, which may be worth a revisit.

**2024 in threat research:**

**Jan. 18:** **Exploring malicious Windows drivers**

Drivers have long been of interest to threat actors, whether they are exploiting vulnerable drivers or creating malicious ones. Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. Part 1 of our Driver series served as a starting point for learning about malicious drivers while part 2, released in June, covered the I/O system, IRPs, stack locations, IOCTLs and more.

**Feb. 8:** **New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization**

Talos discovered a new, stealthy espionage campaign that likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.” 

**Feb. 15:** **TinyTurla Next Generation — Turla APT spies on Polish NGOs**

This backdoor we called “TinyTurla-NG” (TTNG) was similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.

**Feb. 20:** **Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns**

Since September 2023, we observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans.

**Feb. 27:** **TimbreStealer campaign targets Mexican users with financial lures**

Talos observed a phishing spam campaign targeting victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023.

**March 5:** **GhostSec’s joint ransomware operation and evolution of their arsenal**

We observed a surge in GhostSec’s malicious activities this past year. GhostSec evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.

**April 9:** **Starry Addax targets human rights defenders in North Africa with new malware**

We disclosed a new threat actor we deemed “Starry Addax” targeting mostly human rights activists, associated with the Sahrawi Arab Democratic Republic (SADR) cause with a novel mobile malware.

**April 16:** **Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials**

Talos actively monitored a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024.  

**April 17:** **OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal**

During a threat-hunting exercise, Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. 

**April 23:** **Suspected CoralRaider continues to expand victimology using three information stealers**

Talos discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.

**April 24:** **ArcaneDoor — New espionage-focused campaign found targeting perimeter network devices**

ArcaneDoor was a campaign that was the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.

**May 22:** **From trust to trickery: Brand impersonation over the email attack vector**

Cisco developed and released a new feature to detect brand impersonation in emails when adversaries pretend to be a legitimate corporation.

**May 31:** **New banking trojan “CarnavalHeist” targets Brazil with overlay attacks**

Since February 2024, Cisco Talos observed an active campaign targeting Brazilian users with a new banking trojan called “CarnavalHeist.” Many of the observed tactics, techniques and procedures (TTPs) were common among other banking trojans coming out of Brazil.

**June 5:** **DarkGate switches up its tactics with new payload, email templates**

DarkGate was observed distributing malware through Microsoft Teams and even via malvertising campaigns.

**Aug. 1:** **APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike**

ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups.

**Aug. 28:** **BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks**

In recent investigations, Talos Incident Response observed the BlackByte ransomware group using techniques that depart from their established tradecraft. 

You can always bookmark the Threat Source newsletter to keep up to date with all things Talos threat research.

The 2024 Threat Landscape State of Play

It’s been a decade since the National Institute of Standards and Technology (NIST) introduced its Cybersecurity Framework (CSF) 1.0. Created following a 2013 Executive Order, NIST was tasked with designing a voluntary cybersecurity framework that would help organizations manage cyber risk, providing guidance based on established standards and best practices. While this version was originally

It's been a decade since the National Institute of Standards and Technology (NIST) introduced its Cybersecurity Framework (CSF) 1.0. Created following a 2013 Executive Order, NIST was tasked with designing a voluntary cybersecurity framework that would help organizations manage cyber risk, providing guidance based on established standards and best practices. While this version was originally tailored for Critical infrastructure, 2018's version 1.1 was designed for any organization looking to address cybersecurity risk management.

CSF is a valuable tool for organizations looking to evaluate and enhance their security posture. The framework helps security stakeholders understand and assess their current security measures, organize and prioritize actions to manage risks, and improve communication within and outside organizations using a common language. It's a comprehensive collection of guidelines, best practices, and recommendations, divided into five core functions: Identify, Protect, Detect, Respond, and Recover. Each function includes several categories and subcategories, notably:

1.  **Identify** - Understand which assets need to be secured.
2.  **Protect** - Implement measures to ensure assets are properly and adequately secured.
3.  **Detect** - Set up mechanisms to detect attacks or weaknesses.
4.  **Respond** - Develop detailed plans for notifying individuals affected by data breaches, recent events that might jeopardize data, and regularly test response plans, to minimize impact of attacks.
5.  **Recover** - Establish processes to get back up and running post-attack.

(Want to learn more about CSF 1.1's 5 steps? Download our NIST CSF checklist here!)

****Changes to CSF 2.0, with a Focus on Continuous Improvement****

In February 2024, NIST released CSF 2.0. The goal of this new version is to help CCSF become more adaptable and thus widely adopted across a wider range of organizations. Any organization looking to adopt CSF for the first time should use this newer version and organizations already using it can continue to do so but with an eye to adopt 2.0 in the future.

2.0 brings with it some changes; among other advancements, it adds in "Govern" as a first step, because, according to ISC.2.org, "the CSF's governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders must consider alongside others such as finance and reputation. The objectives are to integrate cybersecurity with broader enterprise risk management, roles and responsibilities, policy and oversight at organizations, as well as better support the communication of cybersecurity risk to executives."

It also has an expanded scope, it's more clear and user-friendly, and most importantly (for the purposes of this article anyway), it strongly focuses on emerging threats and zero's-in on a continuous and proactive approach to cybersecurity via the newly added Improvement Category in the Identify Function. Taking a continuous approach means organizations are encouraged to assess, reassess, and then update cybersecurity practices on a regular basis. This means organizations can respond faster and with better accuracy to events for reduced impact.

****CSF and CTEM – Better Together****

Today, there are multiple actionable frameworks and tools designed to work within the parameters of the high-level CSF guidelines. For example, the Continuous Threat Exposure Management (CTEM) is highly complementary to CSF. Released in 2022 by Gartner, the CTEM framework is a major shift in how organizations handle threat exposure management. While CSF provides a high-level framework for identifying, assessing, and managing cyber _risks_, CTEM focuses on the continuous monitoring and assessment of _threats_ to the organization's security posture – the very threats that constitute risk itself.

CSF's core functions align well with the CTEM approach, which involves identifying and prioritizing threats, assessing the organization's vulnerability to those threats, and continuously monitoring for signs of compromise. Adopting CTEM empowers cybersecurity leaders to significantly mature their organization's NIST CSF compliance.

Prior to CTEM, periodic vulnerability assessments and penetration testing to find and fix vulnerabilities was considered the gold standard for threat exposure management. The problem was, of course, that these methods only offered a snapshot of security posture – one that was often outdated before it was even analyzed.

CTEM has come to change all this. The program delineates how to achieve continuous insights into the organizational attack surface, proactively identifying and mitigating vulnerabilities and exposures _before_ attackers exploit them. To make this happen, CTEM programs integrate advanced tech like exposure assessment, security validation, automated security validation, attack surface management, and risk prioritization. This aligns perfectly with NIST CSF 1.1, and provides tangible benefits across all five core CSF functions:

1.  **Identify** - CTEM demands that organizations rigorously identify and inventory assets, systems, and data. This often turns up unknown or forgotten assets that pose security risks. This enhanced visibility is essential for establishing a strong foundation for cybersecurity management, as outlined in the Identify function of the NIST CSF.
2.  **Protect** - CTEM programs proactively identify vulnerabilities and misconfigurations before they can be exploited. CTEM prioritizes risks based on their actual potential impact and their likelihood of exploitation. This helps organizations address the most critical vulnerabilities first. What's more, CTEM-dictated attack path modeling helps organizations reduce the risk of compromise. All this dramatically impacts the Protect function of the CSF program.
3.  **Detect** – CTEM requires continuous monitoring of the external attack surface, which impacts CSF's Detect function by providing early warnings of potential threats. By identifying changes in the attack surface, such as new vulnerabilities or exposed services, CTEM helps organizations quickly detect and respond to possible attacks _before_ they cause damage.
4.  **Respond** – When a security incident occurs, CTEM's risk prioritization stipulations are what help organizations prioritize response, ensuring that the most critical incidents are addressed first. Also, CTEM-mandated attack path modeling helps organizations understand how attackers may have gained access to their systems. This impacts the CSF Respond function by enabling organizations to take targeted actions to contain and eradicate the threat.
5.  **Recover** - CTEM's continuous monitoring and risk prioritization plays a crucial role in the CSF Recover function. CTEM enables organizations to quickly identify and address vulnerabilities, which minimizes the impact of security incidents and speeds up recovery. Also, attack path modeling helps organizations identify and address weaknesses in their recovery processes.

****The Bottom Line****

The NIST Cybersecurity Framework (CSF) and Continuous Threat Exposure Management (CTEM) program are truly brothers in arms - working together to defend organizations against cyberthreats. CSF provides a comprehensive roadmap for managing cybersecurity risks, while CTEM offers a dynamic and data-driven approach to threat detection and mitigation.

The CSF-CTEM alignment is especially evident in how CTEM's focus on continuous monitoring and threat assessment comes together seamlessly with CSF's core functions. By adopting CTEM, organizations significantly enhance their compliance with CSF – while also gaining valuable insights into their attack surface and proactively mitigating vulnerabilities.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

NIST Cybersecurity Framework (CSF) and CTEM – Better Together

The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China.

The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems.

"KTLVdoor is a highly obfuscated malware that

The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China.

The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems.

"KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning," Trend Micro researchers Cedric Pernet and Jaromir Horejsi said in an analysis published Wednesday.

Some of the tools KTLVdoor impersonates include sshd, Java, SQLite, bash, and edr-agent, among others, with the malware distributed in the form of dynamic-link library (.dll) or a shared object (.so).

Perhaps the most unusual aspect of the activity cluster is the discovery of more than 50 command-and-control (C&C) servers, all hosted at Chinese company Alibaba, that have been identified as communicating with variants of the malware, raising the possibility that the infrastructure could be shared with other Chinese threat actors.

Earth Lusca is known to be active since at least 2021, orchestrating cyber attacks against public and private sector entities across Asia, Australia, Europe, and North America. It's assessed to share some tactical overlaps with other intrusion sets tracked as RedHotel and APT27 (aka Budworm, Emissary Panda, and Iron Tiger).

KTLVdoor, the latest addition to the group's malware arsenal, is highly obfuscated and gets its name from the use of a marker called "KTLV" in its configuration file that includes various parameters necessary to meet its functions, including the C&C servers to connect to.

Once initialized, the malware initiates contact with the C&C server on a loop, awaiting further instructions to be executed on the compromised host. The supported commands allow it to download/upload files, enumerate the file system, launch an interactive shell, run shellcode, and initiate scanning using ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb, among others.

That having said, not much is known about how the malware is distributed and if it has been used to target other entities across the world.

"This new tool is used by Earth Lusca, but it might also be shared with other Chinese-speaking threat actors," the researchers noted. "Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Cross-Platform Malware KTLVdoor Discovered in Attack on Chinese Trading Firm

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide.

Tag

#ssl