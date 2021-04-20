At a glance.

Threat actor exploits new Pulse Secure vulnerability.

A threat actor exploited a recently discovered vulnerability in Pulse Secure VPNs to target the U.S. defense industry, according to FireEye researchers. Pulse Secure says that the vulnerability (CVE-2021-22893) “allows a remote unauthenticated attacker to execute arbitrary code via unspecified vectors.” The company says a patch will be available in early May and, in the meantime, outlines mitigations.

FireEye does not attribute the activity to any particular threat actor, but suspects the attackers are working on behalf of the Chinese government.

Primitive Bear targets Ukraine.

Anomali described a phishing campaign targeting Ukrainian government officials. Researchers attribute the campaign to the Russian cyberespionage group Primitive Bear (also known as Gamaredon) “with great confidence.” The researchers conclude that the threat actor stole Ukrainian documents and used them to create spear-phishing emails before the documents were released:

“Looking back, Primitive Bear’s decision to use a Ukrainian and Bulgarian themed thesis comes at an interesting time for Russian and Bulgarian relations. This is because the Bulgarian government arrested six of its own members accused of spying on behalf of the Russian government on March 19, 2021, according to a statement by Bulgarian prosecutors. However, Russia is known to combine cyber and real-world operations, and used this hybrid warfare to target Georgia in 2008 and Ukraine since at least the 2014 annexation of Crimea. Therefore, it would not be unlikely that Primitive Bear was using Bulgaria-themed decoys before the media became aware of the events, thus making the information more relevant to Ukrainian officials who knew what was going on.”

The domains used in the campaign had been deleted by the time Anomali discovered the campaign, so researchers are unsure of the final payload.

Analysis of the Sunburst technique.

ExtraHop described how the Sunburst malware used in the SolarWinds attack relied on DNS to mask its command and control traffic. The researchers explain:

“Once installed, the SUNBURST Trojan masked its command and control (C2) activity by taking advantage of known weaknesses in corporate domain name systems (DNS). Attackers know that with millions of DNS queries and responses on any given day, DNS traffic and queries are hard to log and log management cannot scale, so they hid their DNS activity in all this noise and carefully timed queries and traffic to The SUNBURST Trojan also manipulated DNS queries to identify popular systems to copy out of the organization, exploit DNS resolution issues and dynamic link libraries (DLLs), and route traffic exiting infected systems through apparently trustworthy registrars and domains.”
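An added example (not ExtraHop's code or part of the original article) of the defensive counterpart to the technique quoted above: a small detector that runs over constructed resolver log lines, flags long, high-entropy first labels under a domain that only a single host in the estate resolves, and reports the spacing between those queries so regular beaconing stands out. The log format, thresholds, IPs and domain names are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (epoch seconds, client IP, queried name); not real traffic.
# One host makes hourly queries with long random-looking labels under an otherwise unseen domain.
SAMPLE_LOG = """\
1618900001 10.0.0.5 www.example.com
1618900002 10.0.0.5 cdn.example.com
1618900010 10.0.0.9 7k3m2p9q1z8x4v6b.appsync-api.example-cloud.test
1618900011 10.0.0.5 mail.example.com
1618903610 10.0.0.9 q2w9e8r7t6y5u4i3.appsync-api.example-cloud.test
1618907210 10.0.0.9 a1s2d3f4g5h6j7k8.appsync-api.example-cloud.test
1618907300 10.0.0.7 www.example.com
"""

def shannon_entropy(s):
    """Bits per character; encoded data scores higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_log(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((int(parts[0]), parts[1], parts[2].lower().rstrip(".")))
    return rows

def registered_domain(qname):
    # Crude last-two-labels cut; production code would consult a public-suffix list.
    return ".".join(qname.split(".")[-2:])

def find_suspicious(rows, min_label_len=12, min_entropy=3.5, max_clients=1):
    """Flag long, high-entropy first labels under domains queried by very few clients."""
    clients = defaultdict(set)
    for _, client, qname in rows:
        clients[registered_domain(qname)].add(client)
    hits = []
    for ts, client, qname in rows:
        if len(clients[registered_domain(qname)]) > max_clients:
            continue  # popular domain: this is the noise the attacker hides in
        first = qname.split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            hits.append((ts, client, qname))
    return hits

def query_intervals(hits):
    """Seconds between consecutive flagged queries; regular spacing suggests beaconing."""
    times = sorted(ts for ts, _, _ in hits)
    return [b - a for a, b in zip(times, times[1:])]
```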

NAME:WRECK affects TCP/IP stacks.

Researchers at Forescout and JSOF discovered nine vulnerabilities affecting DNS implementations in four popular TCP/IP stacks. The set of vulnerabilities, dubbed “NAME:WRECK”, affects FreeBSD’s DHCP, IPnet, NetX, and Siemens Nucleus NET. The researchers note that “not all devices running Nucleus RTOS or FreeBSD are vulnerable to NAME:WRECK. However, if we conservatively assume that 1% of the over 10 billion deployments are vulnerable, we can estimate that at least 100 million devices are impacted by NAME:WRECK.” The flaws can be used to execute code remotely or to launch a denial of service attack.

The researchers place particular emphasis on the FreeBSD and Nucleus NET vulnerabilities, noting that “FreeBSD is widely known to be used for high performance servers on millions of computer networks, including major websites such as Netflix and Yahoo. FreeBSD is also the basis for other well-known open source projects. Nucleus NET has been used for decades in several critical OT and IoT devices.”

FreeBSD, Nucleus NET, and NetX have recently been patched, and vendors that use these stacks need to update their devices.
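Added example, not Forescout's or JSOF's code: the NAME:WRECK findings concern DNS message parsing, in particular the handling of name compression pointers, so this shows a defensively written DNS name decoder in Python that bounds-checks every length byte, refuses pointers that do not point strictly backwards (the condition that lets a parser loop or read out of bounds), and enforces the RFC 1035 size limits. The sample message is constructed.

```python
import struct

MAX_NAME_LEN = 255   # RFC 1035 limits
MAX_LABEL_LEN = 63

class MalformedName(ValueError):
    """Raised for any name the parser refuses."""

def read_name(msg, offset):
    """Decode the DNS name at msg[offset]; return (dotted name, offset after it).
    Every length byte and pointer is bounds-checked, pointers must point strictly
    backwards (so they can never loop), and RFC 1035 size limits are enforced."""
    labels, total, end = [], 0, None
    while True:
        if offset >= len(msg):
            raise MalformedName("name runs past end of message")
        length = msg[offset]
        if length == 0:                       # root label terminates the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:             # compression pointer (2 bytes)
            if offset + 1 >= len(msg):
                raise MalformedName("truncated compression pointer")
            ptr = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if ptr >= offset:                 # self/forward pointers would loop
                raise MalformedName("pointer does not point backwards")
            if end is None:
                end = offset + 2              # parsing resumes after the first pointer
            offset = ptr
            continue
        if length & 0xC0:
            raise MalformedName("unsupported label type")
        if (length > MAX_LABEL_LEN or offset + 1 + length > len(msg)
                or total + length + 1 > MAX_NAME_LEN):
            raise MalformedName("label or name too long, or runs past message end")
        total += length + 1
        labels.append(msg[offset + 1 : offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (offset if end is None else end)

def is_malformed(msg, offset=0):
    """True if read_name rejects the input instead of decoding it."""
    try:
        read_name(msg, offset)
    except (MalformedName, UnicodeDecodeError):
        return True
    return False

# Constructed sample: "www.example.com", then "mail" plus a pointer back to "example.com".
SAMPLE_MSG = b"\x03www\x07example\x03com\x00" + b"\x04mail\xc0\x04"
```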

Criminals using Big Data.

Intel 471 outlines how Chinese cybercriminals use big data to turn a profit. Criminals sell stolen data to fraudsters and other kinds of threat actors, as well as to marketing companies. For example, one threat actor sold “real-time data for casino games, lottery and stocks”. The data was allegedly collected from two major Chinese mobile network providers. Intel 471 has observed “a clear division of labor, responsibility, and a delineated chain of command” among the groups that steal and monetize data.

The researchers note that “Chinese authorities have reportedly adopted measures to crack down on the illegal trade in big data and tighten regulations governing personal data and confidentiality. A series of regulatory measures concerning the protection of privacy on the Internet and the security of personal information have reportedly been introduced by the Cyberspace Administration of China, in addition to the large-scale crackdown.”

Lazarus Group continues to steal cryptocurrency.

Group-IB said North Korea’s Lazarus Group uses a newly discovered JavaScript sniffer called “BTC Changer” designed to steal cryptocurrency:

“Researchers at Group-IB discovered that at the end of February 2020, Lazarus had started using a modified version of the malicious JavaScript originally used during the clientToken= campaign, while using the same infrastructure. The new version had the same function names, but the collection of bank cards was replaced by skimming cryptocurrencies, and they started targeting companies that accepted payments in BTC. The new version of the malicious JavaScript, which Group-IB researchers named Lazarus BTC Changer, was designed to change the destination payment address to the attackers’ BTC address.”

Decipher quotes Group-IB’s Viktor Okorokov: “The campaign marks the first time Lazarus has used malicious JavaScript sniffers to steal cryptocurrency. This is definitely something worth attention, as the technique has all the potential to grow in scale and sophistication as gangs continue to hunt for cryptocurrency.”

Lazarus uses BMP image files to drop a malware loader.

The Lazarus Group also uses BMP image files to deliver a Trojan, according to researchers at Malwarebytes. The files are initially delivered via phishing documents with malicious macros. The researchers explain: “Because the BMP file format is an uncompressed graphics file format, converting a PNG file format to a BMP file format automatically decompresses the malicious zlib object embedded from PNG to BMP. This is a clever method used by the actor to bypass security mechanisms capable of detecting objects embedded in images. The reason is that the document contains a PNG image containing a zlib-compressed malicious object, and because it is compressed, it cannot be detected by static detections. Then the threat actor simply used a simple conversion mechanism to decompress the malicious content.”
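An added example (not Malwarebytes' code) of the defender's side of the conversion trick quoted above: a PNG's pixel stream lives zlib-compressed in its IDAT chunks, so a scanner that inflates those chunks sees exactly what a BMP conversion would expose, and a marker that is invisible in the raw file becomes visible in the inflated data. The chunk walker caps decompression size so a crafted image cannot exhaust memory; the 1x1 PNG, the marker list and the harmless text standing in for an embedded object are all constructed assumptions.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_chunks(data):
    """Yield (chunk type, payload) for each chunk; reject anything malformed."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from("!I4s", data, pos)
        payload = data[pos + 8 : pos + 8 + length]
        if len(payload) != length:
            raise ValueError("truncated chunk")
        yield ctype, payload
        pos += 12 + length                    # length + type + payload + CRC
        if ctype == b"IEND":
            break

def inflate_idat(data, max_out=64 * 1024 * 1024):
    """Inflate the concatenated IDAT stream, i.e. what a PNG-to-BMP conversion exposes.
    max_out caps the output so a decompression bomb cannot exhaust memory."""
    stream = b"".join(p for t, p in png_chunks(data) if t == b"IDAT")
    return zlib.decompressobj().decompress(stream, max_out)

def scan_png(data, markers):
    """Return the markers found in the raw file and in the inflated pixel data."""
    raw_hits = [m for m in markers if m in data]
    inflated_hits = [m for m in markers if m in inflate_idat(data)]
    return raw_hits, inflated_hits

def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack("!I", len(payload)) + ctype + payload + struct.pack("!I", crc)

# Constructed sample: a 1x1 greyscale PNG whose IDAT hides a harmless text stand-in
# for an embedded object behind zlib compression (no real executable is involved).
DOS_STUB = b"This program cannot be run in DOS mode"
SAMPLE_PNG = (PNG_SIGNATURE
              + _chunk(b"IHDR", struct.pack("!IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00" * 64 + DOS_STUB))
              + _chunk(b"IEND", b""))
```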