Software – INDIA NEWS (https://www.indiavpn.org), feed generated Fri, 22 Mar 2024 12:39:42 +0000

China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws
https://www.indiavpn.org/2024/03/22/china-linked-group-breaches-networks-via-connectwise-f5-software-flaws/
Fri, 22 Mar 2024 12:39:42 +0000

Mar 22, 2024 | Newsroom | Cyber Defense / Vulnerability

A China-linked threat cluster leveraged security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver custom malware capable of delivering additional backdoors on compromised Linux hosts as part of an “aggressive” campaign.

Google-owned Mandiant is tracking the activity under its uncategorized moniker UNC5174 (aka Uteus or Uetus), describing it as a “former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China’s Ministry of State Security (MSS) focused on executing access operations.”

The threat actor is believed to have orchestrated widespread attacks against Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and U.K. government organizations between October and November 2023, and again in February 2024 using the ScreenConnect bug.

Initial access to target environments is facilitated by the exploitation of known security flaws in Atlassian Confluence (CVE-2023-22518), ConnectWise ScreenConnect (CVE-2024-1709), F5 BIG-IP (CVE-2023-46747), Linux Kernel (CVE-2022-0185), and Zyxel (CVE-2022-3052).

A successful foothold is followed by extensive reconnaissance and scanning of internet-facing systems for security vulnerabilities, with UNC5174 also creating administrative user accounts to execute malicious actions with elevated privileges, including dropping a C-based ELF downloader dubbed SNOWLIGHT.

SNOWLIGHT is designed to download the next-stage payload, an obfuscated Golang backdoor named GOREVERSE, from a remote URL that’s related to SUPERSHELL, an open-source command-and-control (C2) framework that allows attackers to establish a reverse SSH tunnel and launch interactive shell sessions to execute arbitrary code.

Also put to use by the threat actor is a Golang-based tunneling tool known as GOHEAVY, which is likely employed to facilitate lateral movement within compromised networks, as well as other programs like afrog, DirBuster, Metasploit, Sliver, and sqlmap.

In one unusual instance spotted by the threat intelligence firm, the threat actors have been found to apply mitigations for CVE-2023-46747 in a likely attempt to prevent other unrelated adversaries from weaponizing the same loophole to obtain access.

“UNC5174 (aka Uteus) was previously a member of Chinese hacktivist collectives ‘Dawn Calvary’ and has collaborated with ‘Genesis Day’/‘Xiaoqiying’ and ‘Teng Snake,’” Mandiant assessed. “This individual appears to have departed these groups in mid-2023 and has since focused on executing access operations with the intention of brokering access to compromised environments.”

There is evidence to suggest that the threat actor may be an initial access broker, even claiming to be affiliated with the MSS on dark web forums. This is bolstered by the fact that some of the U.S. defense and U.K. government entities were simultaneously targeted by another access broker referred to as UNC302.

The findings once again underscore Chinese nation-state groups’ continued efforts to breach edge appliances by swiftly co-opting recently disclosed vulnerabilities into their arsenal in order to conduct cyber espionage operations at scale.

“UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, U.K. government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation,” Mandiant researchers said.

“There are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape. These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution.”

The disclosure comes as the MSS warned that an unnamed foreign hacking group had infiltrated “hundreds” of Chinese business and government organizations by leveraging phishing emails and known security bugs to breach networks. It did not reveal the threat actor’s name or origin.

Hackers Using Cracked Software on GitHub to Spread RisePro Info Stealer
https://www.indiavpn.org/2024/03/16/hackers-using-cracked-software-on-github-to-spread-risepro-info-stealer/
Sat, 16 Mar 2024 14:42:09 +0000

Mar 16, 2024 | Newsroom | Malware / Cybercrime

Cybersecurity researchers have found a number of GitHub repositories offering cracked software that are used to deliver an information stealer called RisePro.

The campaign, codenamed gitgub, includes 17 repositories associated with 11 different accounts, according to G DATA. The repositories in question have since been taken down by the Microsoft-owned subsidiary.

“The repositories look similar, featuring a README.md file with the promise of free cracked software,” the German cybersecurity company said.

“Green and red circles are commonly used on Github to display the status of automatic builds. Gitgub threat actors added four green Unicode circles to their README.md that pretend to display a status alongside a current date and provide a sense of legitimacy and recency.”

The list of repositories is as follows, with each of them pointing to a download link (“digitalxnetwork[.]com”) containing a RAR archive file –

  • andreastanaj/AVAST
  • andreastanaj/Sound-Booster
  • aymenkort1990/fabfilter
  • BenWebsite/-IObit-Smart-Defrag-Crack
  • Faharnaqvi/VueScan-Crack
  • javisolis123/Voicemod
  • lolusuary/AOMEI-Backupper
  • lolusuary/Daemon-Tools
  • lolusuary/EaseUS-Partition-Master
  • lolusuary/SOOTHE-2
  • mostofakamaljoy/ccleaner
  • rik0v/ManyCam
  • Roccinhu/Tenorshare-Reiboot
  • Roccinhu/Tenorshare-iCareFone
  • True-Oblivion/AOMEI-Partition-Assistant
  • vaibhavshiledar/droidkit
  • vaibhavshiledar/TOON-BOOM-HARMONY

The RAR archive, which requires the victims to supply a password mentioned in the repository’s README.md file, contains an installer file, which unpacks the next-stage payload, an executable file that’s inflated to 699 MB in an effort to crash analysis tools like IDA Pro.

The actual contents of the file – amounting to a mere 3.43 MB – act as a loader to inject RisePro (version 1.6) into either AppLaunch.exe or RegAsm.exe.

RisePro burst into the spotlight in late 2022 when it was distributed using a pay-per-install (PPI) malware downloader service known as PrivateLoader.

Written in C++, it’s designed to gather sensitive information from infected hosts and exfiltrate it to two Telegram channels, which are often used by threat actors to extract victims’ data. Interestingly, recent research from Checkmarx showed that it’s possible to infiltrate and forward messages from an attacker’s bot to another Telegram account.

The development comes as Splunk detailed the tactics and techniques adopted by Snake Keylogger, describing it as a stealer malware that “employs a multifaceted approach to data exfiltration.”

“The use of FTP facilitates the secure transfer of files, while SMTP enables the sending of emails containing sensitive information,” Splunk said. “Additionally, integration with Telegram offers a real-time communication platform, allowing for immediate transmission of stolen data.”

Stealer malware has become increasingly popular, often serving as the primary vector for ransomware and other high-impact data breaches. According to a report from Specops published this week, RedLine, Vidar, and Raccoon have emerged as the most widely used stealers, with RedLine alone accounting for the theft of more than 170.3 million passwords in the last six months.

“The current rise of information-stealing malware is a stark reminder of constantly evolving digital threats,” Flashpoint noted in January 2024. “While the motivations behind its use is almost always rooted in financial gain, stealers are continually adapting while being more accessible and easier to use.”

Fortinet Warns of Severe SQLi Vulnerability in FortiClientEMS Software
https://www.indiavpn.org/2024/03/14/fortinet-warns-of-severe-sqli-vulnerability-in-forticlientems-software/
Thu, 14 Mar 2024 06:49:32 +0000

Mar 14, 2024 | The Hacker News | Vulnerability / Network Security

Fortinet has warned of a critical security flaw impacting its FortiClientEMS software that could allow attackers to achieve code execution on affected systems.

“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests,” the company said in an advisory.

The vulnerability, tracked as CVE-2023-48788, carries a CVSS rating of 9.3 out of a maximum of 10. It impacts the following versions –

  • FortiClientEMS 7.2.0 through 7.2.2 (Upgrade to 7.2.3 or above)
  • FortiClientEMS 7.0.1 through 7.0.10 (Upgrade to 7.0.11 or above)

Horizon3.ai, which plans to release additional technical details and a proof-of-concept (PoC) exploit next week, said the shortcoming could be exploited to obtain remote code execution as SYSTEM on the server.

Fortinet has credited Thiago Santana from the FortiClientEMS development team and the U.K. National Cyber Security Centre (NCSC) with discovering and reporting the flaw.

The company also fixed two other critical bugs in FortiOS and FortiProxy (CVE-2023-42789 and CVE-2023-42790, CVSS scores: 9.3) that could permit an attacker with access to the captive portal to execute arbitrary code or commands via specially crafted HTTP requests.

The following product versions are affected by the flaws –

  • FortiOS version 7.4.0 through 7.4.1 (Upgrade to FortiOS version 7.4.2 or above)
  • FortiOS version 7.2.0 through 7.2.5 (Upgrade to FortiOS version 7.2.6 or above)
  • FortiOS version 7.0.0 through 7.0.12 (Upgrade to FortiOS version 7.0.13 or above)
  • FortiOS version 6.4.0 through 6.4.14 (Upgrade to FortiOS version 6.4.15 or above)
  • FortiOS version 6.2.0 through 6.2.15 (Upgrade to FortiOS version 6.2.16 or above)
  • FortiProxy version 7.4.0 (Upgrade to FortiProxy version 7.4.1 or above)
  • FortiProxy version 7.2.0 through 7.2.6 (Upgrade to FortiProxy version 7.2.7 or above)
  • FortiProxy version 7.0.0 through 7.0.12 (Upgrade to FortiProxy version 7.0.13 or above)
  • FortiProxy version 2.0.0 through 2.0.13 (Upgrade to FortiProxy version 2.0.14 or above)

While there is no evidence that the aforementioned flaws have come under active exploitation, unpatched Fortinet appliances have been repeatedly abused by threat actors, making it imperative that users move quickly to apply the updates.

Proof-of-Concept Exploit Released for Progress Software OpenEdge Vulnerability
https://www.indiavpn.org/2024/03/11/proof-of-concept-exploit-released-for-progress-software-openedge-vulnerability/
Mon, 11 Mar 2024 07:53:11 +0000

Mar 11, 2024 | Newsroom | Network Security / Vulnerability

Technical specifics and a proof-of-concept (PoC) exploit have been made available for a recently disclosed critical security flaw in Progress Software OpenEdge Authentication Gateway and AdminServer, which could be potentially exploited to bypass authentication protections.

Tracked as CVE-2024-1403, the vulnerability has a maximum severity rating of 10.0 on the CVSS scoring system. It impacts OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0.

“When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the OS local authentication provider to grant user-id and password logins on operating platforms supported by active releases of OpenEdge, a vulnerability in the authentication routines may lead to unauthorized access on attempted logins,” the company said in an advisory released late last month.

“Similarly, when an AdminServer connection is made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM), it also utilizes the OS local authentication provider on supported platforms to grant user-id and password logins that may also lead to unauthorized login access.”

Progress Software said the vulnerability incorrectly returns authentication success from an OpenEdge local domain when unexpected types of usernames and passwords are not handled appropriately, leading to unauthorized access without proper authentication.

The flaw has been addressed in versions OpenEdge LTS Update 11.7.19, 12.2.14, and 12.8.1.

Horizon3.ai, which reverse-engineered the vulnerable AdminServer service, has since released a PoC for CVE-2024-1403, stating the issue is rooted in a function called connect() that’s invoked when a remote connection is made.

This function, in turn, calls another function called authorizeUser() that validates that the supplied credentials meet certain criteria, and passes control to another part of the code that directly authenticates the user if the provided username matches “NT AUTHORITY\SYSTEM.”

“Deeper attacker surface looks like it may allow a user to deploy new applications via remote WAR file references, but the complexity increased dramatically in order to reach this attack surface because of the use of internal service message brokers and custom messages,” security researcher Zach Hanley said.

“We believe there is again likely an avenue to remote code execution via built in functionality given enough research effort.”

Russian Government Software Backdoored to Deploy Konni RAT Malware
https://www.indiavpn.org/2024/02/22/russian-government-software-backdoored-to-deploy-konni-rat-malware/
Thu, 22 Feb 2024 13:37:38 +0000

Feb 22, 2024 | Newsroom | Malware / Cyber Espionage

An installer for a tool likely used by the Russian Consular Department of the Ministry of Foreign Affairs (MID) has been backdoored to deliver a remote access trojan called Konni RAT (aka UpDog).

The findings come from German cybersecurity company DCSO, which attributed the activity to Democratic People’s Republic of Korea (DPRK)-nexus actors targeting Russia.

The Konni (aka Opal Sleet, Osmium, or TA406) activity cluster has an established pattern of deploying Konni RAT against Russian entities, with the threat actor also linked to attacks directed against MID at least since October 2021.

In November 2023, Fortinet FortiGuard Labs revealed the use of Russian-language Microsoft Word documents to deliver malware capable of harvesting sensitive information from compromised Windows hosts.

DCSO said the packaging of Konni RAT within software installers is a technique previously adopted by the group in October 2023, when it was found to leverage a backdoored Russian tax filing software named Spravki BK to distribute the trojan.

“In this instance, the backdoored installer appears to be for a tool named ‘Statistika KZU’ (Cтатистика КЗУ),” the Berlin-based company said.

“On the basis of install paths, file metadata, and user manuals bundled into the installer, […] the software is intended for internal use within the Russian Ministry of Foreign Affairs (MID), specifically for the relaying of annual report files from overseas consular posts (КЗУ — консульские загранучреждения) to the Consular Department of the MID via a secure channel.”

The trojanized installer is an MSI file that, when launched, initiates the infection sequence to establish contact with a command-and-control (C2) server to await further instructions.

The remote access trojan, which comes with capabilities for file transfers and command execution, is believed to have been put to use as early as 2014, and has also been utilized by other North Korean threat actors known as Kimsuky and ScarCruft (aka APT37).

It’s currently not clear how the threat actors managed to obtain the installer, given that it’s not publicly obtainable. But it’s suspected that the long history of espionage operations targeting Russia may have helped them identify prospective tools for subsequent attacks.

While North Korea’s targeting of Russia is not new, the development comes amid growing geopolitical proximity between the two countries. State media from the Hermit Kingdom reported this week that Russian President Vladimir Putin has given leader Kim Jong Un a luxury Russian-made car.

“To some extent, this should not come as a surprise; increasing strategic proximity would not be expected to fully overwrite extant DPRK collection needs, with an ongoing need on the part of the DPRK to be able to assess and verify Russian foreign policy planning and objectives,” DCSO said.

Critical Flaws Found in ConnectWise ScreenConnect Software
https://www.indiavpn.org/2024/02/20/critical-flaws-found-in-connectwise-screenconnect-software/
Tue, 20 Feb 2024 22:01:16 +0000

Feb 20, 2024 | Newsroom | Vulnerability / Network Security

ConnectWise has released software updates to address two security flaws in its ScreenConnect remote desktop and access software, including a critical bug that could enable remote code execution on affected systems.

The vulnerabilities, which currently lack CVE identifiers, are listed below –

  • Authentication bypass using an alternate path or channel (CVSS score: 10.0)
  • Improper limitation of a pathname to a restricted directory aka “path traversal” (CVSS score: 8.4)

The company rated the severity of the issues as critical, noting that they “could allow the ability to execute remote code or directly impact confidential data or critical systems.”

Both the vulnerabilities impact ScreenConnect versions 23.9.7 and prior, with fixes available in version 23.9.8. The flaws were reported to the company on February 13, 2024.

While there is no evidence that the shortcomings have been exploited in the wild, users who are running self-hosted or on-premise versions are recommended to update to the latest version as soon as possible.

“ConnectWise will also provide updated versions of releases 22.4 through 23.9.7 for the critical issue, but strongly recommend that partners update to ScreenConnect version 23.9.8,” ConnectWise said.

Popular Remote Desktop Software Mandates Password Reset
https://www.indiavpn.org/2024/02/03/popular-remote-desktop-software-mandates-password-reset/
Sat, 03 Feb 2024 05:07:43 +0000

Feb 03, 2024 | Newsroom | Cyber Attack / Software Security

Remote desktop software maker AnyDesk disclosed on Friday that it suffered a cyber attack that led to a compromise of its production systems.

The German company said the incident, which it discovered following a security audit, is not a ransomware attack and that it has notified relevant authorities.

“We have revoked all security-related certificates and systems have been remediated or replaced where necessary,” the company said in a statement. “We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.”

Out of an abundance of caution, AnyDesk has also revoked all passwords to its web portal, my.anydesk[.]com, and it’s urging users to change their passwords if the same passwords have been reused on other online services.

It’s also recommending that users download the latest version of the software, which comes with a new code signing certificate.

AnyDesk did not disclose when and how its production systems were breached. It’s currently not known if any information was stolen following the hack. However, it emphasized there is no evidence that any end-user systems have been affected.

Earlier this week, Günter Born of BornCity disclosed that AnyDesk had been under maintenance on January 29. The issue was addressed on February 1. Previously, on January 24, the company also alerted users of “intermittent timeouts” and “service degradation” with its Customer Portal.

AnyDesk boasts over 170,000 customers, including Amedes, AutoForm Engineering, LG Electronics, Samsung Electronics, Spidercam, and Thales.

The disclosure comes a day after Cloudflare said it was breached by a suspected nation-state attacker using stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.

China-backed Hackers Hijack Software Updates to Implant “NSPX30” Spyware
https://www.indiavpn.org/2024/01/25/china-backed-hackers-hijack-software-updates-to-implant-nspx30-spyware/
Thu, 25 Jan 2024 11:16:33 +0000

A previously undocumented China-aligned threat actor has been linked to a set of adversary-in-the-middle (AitM) attacks that hijack update requests from legitimate software to deliver a sophisticated implant named NSPX30.

Slovak cybersecurity firm ESET is tracking the advanced persistent threat (APT) group under the name Blackwood. It is said to have been active since at least 2018.

The NSPX30 implant has been observed deployed via the update mechanisms of known software such as Tencent QQ, WPS Office, and Sogou Pinyin, with the attacks targeting Chinese and Japanese manufacturing, trading, and engineering companies as well as individuals located in China, Japan, and the U.K.

“NSPX30 is a multistage implant that includes several components such as a dropper, an installer, loaders, an orchestrator, and a backdoor,” security researcher Facundo Muñoz said. “Both of the latter two have their own sets of plugins.”

“The implant was designed around the attackers’ capability to conduct packet interception, enabling NSPX30 operators to hide their infrastructure.”

The origins of the backdoor, which is also capable of bypassing several Chinese anti-malware solutions by allowlisting itself, can be traced to another malware from January 2005 codenamed Project Wood, which is designed to harvest system and network information, record keystrokes, and take screenshots from victim systems.

Project Wood’s codebase has acted as the foundation for several implants, including spawning variants like DCM (aka Dark Specter) in 2008, with the malware subsequently used in attacks targeting individuals of interest in Hong Kong and the Greater China area in 2012 and 2014.

NSPX30, the latest iteration of the implant, is delivered when an attempt to download software updates from legitimate servers over the (unencrypted) HTTP protocol results in a system compromise, paving the way for the deployment of a dropper DLL file.

The malicious dropper deployed as part of the compromised update process creates several files on disk and executes “RsStub.exe,” a binary associated with the Rising Antivirus software that is susceptible to DLL side-loading, in order to launch “comx3.dll.”

“comx3.dll” functions as a loader to execute a third file named “comx3.dll.txt,” which is an installer library responsible for activating the next-stage attack chain that culminates in the execution of the orchestrator component (“WIN.cfg”).

It’s currently not known how the threat actors deliver the dropper in the form of malicious updates, but Chinese threat actors like BlackTech, Evasive Panda, and Mustang Panda have leveraged compromised routers as a channel to distribute malware in the past.

ESET speculates that the attackers “are deploying a network implant in the networks of the victims, possibly on vulnerable network appliances such as routers or gateways.”

“The fact that we found no indications of traffic redirection via DNS might indicate that when the hypothesized network implant intercepts unencrypted HTTP traffic related to updates, it replies with the NSPX30 implant’s dropper in the form of a DLL, an executable file, or a ZIP archive containing the DLL.”

The orchestrator then proceeds to create two threads, one to obtain the backdoor (“msfmtkl.dat”) and another to load its plugins and add exclusions to allowlist the loader DLLs to bypass Chinese anti-malware solutions.

The backdoor is downloaded via an HTTP request to Baidu’s website www.baidu[.]com, a legitimate Chinese search engine, with an unusual User-Agent string that disguises the request as originating from the Internet Explorer browser on Windows 98.

The response from the server is then saved to a file from which the backdoor component is extracted and loaded into memory.

NSPX30, as part of its initialization phase, also creates a passive UDP listening socket for receiving commands from the controller and exfiltrating data by likely intercepting DNS query packets in order to anonymize its command-and-control (C2) infrastructure.

The instructions allow the backdoor to create a reverse shell, collect file information, terminate specific processes, capture screenshots, log keystrokes, and even uninstall itself from the infected machine.

The disclosure comes weeks after SecurityScorecard revealed new infrastructure connected to another Beijing-nexus cyber espionage group known as Volt Typhoon (aka Bronze Silhouette) that leverages a botnet created by exploiting known security flaws in end-of-life Cisco RV320/325 routers (CVE-2019-1652 and CVE-2019-1653) operating across Europe, North America, and Asia Pacific.

“Approximately 30% of them (325 of 1,116 devices) communicated with two IP addresses previously named as proxy routers used for command-and-control (C2) communications, 174.138.56[.]21 and 159.203.113[.]25, in a thirty-day period,” the company said.

“Volt Typhoon may aim to use these compromised devices to transfer stolen data or connect to target organizations’ networks.”

The Unknown Risks of The Software Supply Chain: A Deep-Dive
https://www.indiavpn.org/2024/01/24/the-unknown-risks-of-the-software-supply-chain-a-deep-dive/
Wed, 24 Jan 2024 10:38:09 +0000

Jan 24, 2024 | The Hacker News | Vulnerability / Software Security

In a world where more and more organizations are adopting open-source components as foundational blocks of their application infrastructure, it is difficult to consider traditional SCAs a complete protection mechanism against open-source threats.

Using open-source libraries saves a great deal of coding and debugging time and so shortens the time to deliver our applications. But as codebases become increasingly composed of open-source software, the entire attack surface, including attacks on the supply chain itself, has to be taken into account when choosing an SCA platform to depend upon.

The Impact of One Dependency

When a company adds an open-source library, it is probably adding not just the library it intended to, but many other libraries as well. This is due to the way open-source libraries are built: like every other application, they aim for speed of delivery and development and, as such, rely on code other people built, i.e., other open-source libraries.

The actual terms are direct dependency – a package you add to your application, and a transitive dependency – which is a package added implicitly by your dependencies. If your application uses package A, and package A uses package B, then your application indirectly depends on package B.

And if package B is vulnerable, your project is vulnerable, too. This problem gave rise to the world of SCAs – Software Composition Analysis platforms – that can help with detecting vulnerabilities and suggesting fixes.
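The direct/transitive distinction above is easy to state and surprisingly easy to lose track of in a real manifest, so here is an added example (not code from the original article or from any SCA vendor) that walks a dependency graph, separates the packages an application declared from the ones it inherited, and traces each vulnerable package back to the direct dependency that pulled it in. The package names, the graph and the advisory identifier are constructed for illustration; the graph deliberately contains a cycle, which real ecosystems do contain and which a naive walk would loop on.

```python
"""Resolve direct and transitive dependencies of an application and trace
which direct dependency pulls in a vulnerable package.

Added example; the package names, the dependency graph and the advisory
list below are constructed for illustration and are not real packages or
real advisories.
"""
from collections import deque

# Constructed dependency manifest: package -> packages it declares.
# The application "myapp" declares only A and C; everything else arrives
# transitively. D -> A introduces a cycle so the walk must guard against it.
DEPENDENCY_GRAPH = {
    "myapp": ["A", "C"],
    "A": ["B", "D"],
    "B": ["E"],
    "C": ["E"],
    "D": ["A", "F"],
    "E": [],
    "F": [],
}

# Constructed advisory list standing in for an SCA vulnerability database.
KNOWN_VULNERABLE = {"E": "EXAMPLE-ADVISORY-0001"}


def direct_dependencies(graph, root):
    """Packages the application declares itself."""
    return set(graph.get(root, []))


def transitive_dependencies(graph, root):
    """Every package reachable from root, excluding root itself.

    Breadth-first walk with a visited set so dependency cycles terminate.
    """
    seen = set()
    queue = deque(graph.get(root, []))
    while queue:
        pkg = queue.popleft()
        if pkg in seen or pkg == root:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, []))
    return seen


def indirect_dependencies(graph, root):
    """Transitive dependencies the application never declared explicitly."""
    return transitive_dependencies(graph, root) - direct_dependencies(graph, root)


def exposure_paths(graph, root, vulnerable):
    """Return every simple path root -> ... -> vulnerable package.

    The path, not just the presence of a vulnerable package, tells you which
    direct dependency to upgrade, pin or replace to remove the exposure.
    """
    paths = []

    def walk(pkg, path):
        for dep in graph.get(pkg, []):
            if dep in path:  # cycle guard: never revisit a package on this path
                continue
            new_path = path + [dep]
            if dep in vulnerable:
                paths.append(new_path)
            walk(dep, new_path)

    walk(root, [root])
    return paths


def exposure_report(graph, root, vulnerable):
    """Map each vulnerable package to the direct dependencies that import it."""
    report = {}
    for path in exposure_paths(graph, root, vulnerable):
        vuln_pkg = path[-1]
        direct = path[1]  # the element right after root is a declared dependency
        report.setdefault(vuln_pkg, set()).add(direct)
    return report


if __name__ == "__main__":
    print("direct:", sorted(direct_dependencies(DEPENDENCY_GRAPH, "myapp")))
    print("indirect:", sorted(indirect_dependencies(DEPENDENCY_GRAPH, "myapp")))
    for path in exposure_paths(DEPENDENCY_GRAPH, "myapp", KNOWN_VULNERABLE):
        print("exposure:", " -> ".join(path))
    print("report:", exposure_report(DEPENDENCY_GRAPH, "myapp", KNOWN_VULNERABLE))
```

On the constructed graph, the application declared two packages but depends on six, and the single vulnerable package E is reachable through both direct dependencies A and C, so upgrading only one of them would leave the exposure in place. The same walk applies to any lockfile once it is loaded into the same package-to-dependencies mapping.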

However, SCAs solve only the problem of vulnerabilities. What about supply chain attacks?

Supply Chain Security Best Practices Cheat Sheet

Software supply chain attacks are on the rise.

According to Gartner's prediction, by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains. Traditional Software Composition Analysis (SCA) tools are not enough, and the time to act is now.

Download our cheat sheet to discover the five types of critical supply chain attacks and better understand the risks. Implement the 14 best practices listed at the end of the cheat sheet to defend against them.


Attacks VS. Vulnerabilities

It might not be obvious what we mean by an "unknown" risk. Before we get to that distinction, let's first consider the difference between a vulnerability and an attack:

A vulnerability:

  • A non-deliberate mistake (aside from very specific, sophisticated cases where a flaw is planted on purpose)
  • Usually identified by a CVE
  • Recorded in public vulnerability databases
  • Can be patched or mitigated before it is exploited
  • Includes both known (n-day) flaws and zero-days
    • Example: Log4Shell (CVE-2021-44228) is a vulnerability

A supply chain attack:

  • A deliberate malicious activity
  • Usually has no CVE assigned
  • Not tracked by standard SCAs or public vulnerability databases
  • Is typically already active, or already being exploited, by the time it is discovered
    • Example: the SolarWinds (SUNBURST) compromise is a supply chain attack

An unknown risk is, almost by definition, an attack on the supply chain that is not easily detectable by your SCA platform.
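To make both distinctions above concrete (direct versus transitive dependencies, and a CVE-matched vulnerability versus a supply-chain tamper that no CVE describes), here is an added example in Python. It is not code from the original article or from any SCA product. It walks a constructed, ecosystem-neutral lockfile from the project root, reports any package that matches an advisory the way an SCA would, and separately compares the hash of what was actually downloaded against the hash recorded in the lockfile. The package names, tarball bytes, hashes and the tampered republish are all constructed for illustration; the only real identifier is Log4Shell, CVE-2021-44228, which affects log4j-core releases before 2.15.0.

```python
"""Dependency-graph walk: CVE matching (a vulnerability) versus a lockfile
integrity mismatch (a supply-chain tamper that no CVE describes).

Added example. Every package name, tarball and hash below is constructed;
the only real advisory is Log4Shell (CVE-2021-44228, fixed in log4j-core 2.15.0).
"""
import hashlib
from collections import deque


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed inputs --------------------------------------------------
# The tarballs as they looked when the lockfile was written.
ORIGINAL_TARBALLS = {
    "web-framework":   b"web-framework-4.2.0 clean build",
    "template-engine": b"template-engine-2.0.1 clean build",
    "log4j-core":      b"log4j-core-2.14.1 clean build",
}

# Ecosystem-neutral lockfile: name -> version, direct deps, recorded tarball hash.
# "app" is the project root; everything reachable from it is a dependency.
LOCKFILE = {
    "app":             {"version": "1.0.0", "deps": ["web-framework"], "integrity": None},
    "web-framework":   {"version": "4.2.0", "deps": ["template-engine", "log4j-core"],
                        "integrity": sha256_hex(ORIGINAL_TARBALLS["web-framework"])},
    "template-engine": {"version": "2.0.1", "deps": [],
                        "integrity": sha256_hex(ORIGINAL_TARBALLS["template-engine"])},
    "log4j-core":      {"version": "2.14.1", "deps": [],
                        "integrity": sha256_hex(ORIGINAL_TARBALLS["log4j-core"])},
}

# What the build downloaded today. template-engine was republished with an
# extra payload (constructed) under the *same* version string.
FETCHED_TARBALLS = dict(ORIGINAL_TARBALLS)
FETCHED_TARBALLS["template-engine"] = ORIGINAL_TARBALLS["template-engine"] + b"\n# injected payload"

# Advisory feed in the shape an SCA consumes: package -> [(CVE, first fixed version)].
ADVISORIES = {"log4j-core": [("CVE-2021-44228", "2.15.0")]}


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple, e.g. '2.14.1' -> (2, 14, 1)."""
    return tuple(int(part) for part in v.split("."))


def transitive_dependencies(lockfile: dict, root: str) -> dict:
    """Breadth-first walk from root. Returns {package: path_from_root} so each
    finding can show which direct dependency pulled the package in."""
    paths = {}
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        for dep in lockfile[name]["deps"]:
            if dep in paths:            # diamond dependency: keep the first path seen
                continue
            paths[dep] = path + [dep]
            queue.append((dep, paths[dep]))
    return paths


def find_vulnerable(lockfile: dict, root: str, advisories: dict) -> list:
    """What a traditional SCA does: match every resolved package against CVEs."""
    findings = []
    for name, path in transitive_dependencies(lockfile, root).items():
        version = lockfile[name]["version"]
        for cve, fixed_in in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, cve, " > ".join(path)))
    return findings


def verify_integrity(lockfile: dict, fetched: dict) -> list:
    """The check a CVE feed cannot give you: does the artifact we downloaded
    still match the hash recorded when the lockfile was written?"""
    tampered = []
    for name, entry in lockfile.items():
        if entry["integrity"] is None:      # the root project has no tarball
            continue
        if sha256_hex(fetched[name]) != entry["integrity"]:
            tampered.append(name)
    return tampered


if __name__ == "__main__":
    for name, version, cve, path in find_vulnerable(LOCKFILE, "app", ADVISORIES):
        print(f"VULNERABILITY {cve}: {name}@{version} via {path}")
    for name in verify_integrity(LOCKFILE, FETCHED_TARBALLS):
        print(f"INTEGRITY MISMATCH (no CVE): {name}@{LOCKFILE[name]['version']}")
```

Note which check produces which finding. The CVE match surfaces log4j-core through the path app > web-framework > log4j-core, a transitive dependency the developer never added by hand. The republished template-engine has no advisory at all and is only caught by the hash comparison. That is the gap the article is pointing at: lockfile formats that record artifact hashes (npm's `integrity` field, Cargo.lock checksums, Gradle dependency verification) will catch a swapped artifact, but only if the build is configured to fail on a mismatch rather than silently re-resolve.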

SCA Tools Aren’t Enough!

SCA tools might seem to solve the problem of protecting you from supply chain risks, but they do not address the unknown risks, which include the major supply chain attacks seen so far, and so leave you exposed in one of the most critical pieces of your infrastructure.

Thus, a new approach is needed to mitigate both the known and the unknown risks in the ever-evolving supply chain landscape. This guide reviews the known and unknown risks in your supply chain, suggests a new way to look at them, and provides a useful reference (or introduction) to the world of supply chain risks.


Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software https://www.indiavpn.org/2024/01/19/experts-warn-of-macos-backdoor-hidden-in-pirated-versions-of-popular-software/ Fri, 19 Jan 2024 14:03:20 +0000

Jan 19, 2024 | Newsroom | Malware / Endpoint Security


Pirated applications targeting Apple macOS users have been observed carrying a backdoor that gives attackers remote control over infected machines.

“These applications are being hosted on Chinese pirating websites in order to gain victims,” Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said.

“Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim’s machine.”

The backdoored disk image (DMG) files, which have been modified to establish communications with actor-controlled infrastructure, include legitimate software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.


The unsigned applications, besides being hosted on a Chinese website named macyy[.]cn, incorporate a dropper in the form of a dynamic library (dylib) that the modified application loads every time it is opened.

The dropper then acts as a conduit to fetch a backdoor ("bd.log") as well as a downloader ("fl01.log") from a remote server; the downloader is what sets up persistence and fetches additional payloads on the compromised machine.

The backdoor, written to the path "/tmp/.test", is fully featured and built atop an open-source post-exploitation toolkit called Khepri. Because it lives in the "/tmp" directory, which macOS clears on reboot, the backdoor has no persistence of its own.

That said, it will be created again at the same location the next time the pirated application is loaded and the dropper is executed.

The downloader, by contrast, is written to the hidden path "/Users/Shared/.fseventsd" (a name chosen to resemble the legitimate .fseventsd journal directory), after which it creates a LaunchAgent to ensure persistence and sends an HTTP GET request to an actor-controlled server.

While the server is no longer accessible, the downloader is designed to write the HTTP response to a new file located at /tmp/.fseventsds and then launch it.
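As an added example (not Jamf's code, nor anything from the original article), the following Python checks a macOS host for the persistence and staging artifacts described above: a LaunchAgent whose program path is one of the reported locations or sits in a world-writable staging directory such as /tmp or /Users/Shared, and the presence of the reported file paths on disk. The two sample LaunchAgent plists, including their labels and the updater path, are constructed for the example; the three IOC paths are the ones reported in the article. The functions take their input as data so the logic can be exercised offline, and the block's `__main__` section runs the same checks against the local machine.

```python
"""macOS LaunchAgent and file-path checks for the pirated-app backdoor chain.

Added example. The IOC paths are the ones reported in the article; the
sample plists (labels, updater path) are constructed for this example.
"""
from __future__ import annotations

import os
import plistlib

# Paths reported for this campaign.
IOC_PATHS = {
    "/tmp/.test",                 # Khepri-based backdoor (re-dropped each launch)
    "/Users/Shared/.fseventsd",   # downloader, mimicking the fseventsd journal dir name
    "/tmp/.fseventsds",           # file the downloader writes the HTTP response to
}

# Directories any local user can write to; a LaunchAgent that runs a binary
# from one of these deserves a look regardless of the exact filename.
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/Shared/")


def is_staging_dir(path: str) -> bool:
    return path.startswith(STAGING_PREFIXES)


def launch_agent_program_paths(plist_bytes: bytes) -> list[str]:
    """Return the absolute paths a LaunchAgent plist would execute.
    launchd honours either `Program` or `ProgramArguments[0]`; we also
    collect absolute-path arguments, since droppers sometimes pass one."""
    data = plistlib.loads(plist_bytes)          # XML or binary plist
    paths = []
    if isinstance(data.get("Program"), str):
        paths.append(data["Program"])
    for arg in data.get("ProgramArguments") or []:
        if isinstance(arg, str) and arg.startswith("/"):
            paths.append(arg)
    return paths


def suspicious_launch_agents(agents: dict[str, bytes]) -> dict[str, list[str]]:
    """agents: {plist filename: plist bytes}. Returns the agents whose program
    path is a known IOC or lives in a world-writable staging directory."""
    hits = {}
    for filename, blob in agents.items():
        try:
            paths = launch_agent_program_paths(blob)
        except (plistlib.InvalidFileException, ValueError):
            continue                              # unparseable plist: skip, do not crash
        bad = [p for p in paths if p in IOC_PATHS or is_staging_dir(p)]
        if bad:
            hits[filename] = bad
    return hits


def present_iocs(existing_paths: set[str]) -> set[str]:
    """Intersect a set of paths that exist on disk with the reported IOCs."""
    return IOC_PATHS & existing_paths


# --- Constructed sample data (labels and paths invented for the example) ---
SAMPLE_AGENTS = {
    "com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "RunAtLoad": True,
    }),
    "com.example.fseventsd.plist": plistlib.dumps({
        "Label": "com.example.fseventsd",
        "ProgramArguments": ["/Users/Shared/.fseventsd"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
}


def scan_host() -> tuple[dict[str, list[str]], set[str]]:
    """Run the same checks against this machine's LaunchAgents and filesystem."""
    agents = {}
    for d in (os.path.expanduser("~/Library/LaunchAgents"), "/Library/LaunchAgents"):
        if not os.path.isdir(d):
            continue
        for fn in os.listdir(d):
            full = os.path.join(d, fn)
            if fn.endswith(".plist"):
                try:
                    with open(full, "rb") as f:
                        agents[full] = f.read()
                except OSError:
                    pass
    existing = {p for p in IOC_PATHS if os.path.exists(p)}
    return suspicious_launch_agents(agents), present_iocs(existing)


if __name__ == "__main__":
    print("sample data:", suspicious_launch_agents(SAMPLE_AGENTS))
    agent_hits, file_hits = scan_host()
    print("this host:", agent_hits or "no suspicious LaunchAgents", file_hits or "no IOC files")
```

The staging-directory rule is deliberately broader than the three reported paths: since the backdoor in /tmp is re-created on every launch of the pirated app and the downloader's persistence is an ordinary LaunchAgent, a clean host should have no LaunchAgent at all that runs something out of /tmp or /Users/Shared, so any such hit is worth triaging even if the filename differs from this campaign.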


Jamf said the malware shares several similarities with ZuRu, which has been observed in the past spreading via pirated applications on Chinese sites.

“It’s possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands and attacker infrastructure,” the researchers said.
