TIDRONE targets military and satellite industries in Taiwan
Trend Micro researchers identified a new threat actor, dubbed TIDRONE, that is linked to Chinese-speaking groups and targets military-related industries in Taiwan, in particular drone manufacturers. TIDRONE abuses enterprise resource planning software and remote desktop access to deploy two newly discovered backdoors, dubbed CXCLNT and CLNTEND. CXCLNT offers basic file upload and download capabilities, as well as features for clearing traces, collecting victim information, and downloading additional portable executable files for execution. CLNTEND is a remote access tool that supports a wider range of network protocols for command-and-control communication, including TCP, HTTP, HTTPS, TLS, and SMB.
Earth Preta uses new techniques and malware in attacks against Southeast Asian governments
Trend Micro researchers analysed the latest strategies and malware employed by the Chinese threat actor Earth Preta. Its attacks now include the propagation of PUBLOAD via a variant of the HIUPAN worm, with PUBLOAD also used to load additional tools, including FDMTP, which serves as a secondary control tool, and PTSOCKET, used as an alternative exfiltration option. Rather than relying on the group's typical spear phishing, HIUPAN was delivered via removable drives. A recent spear phishing campaign additionally involved multi-stage downloaders such as DOWNBAIT and PULLBAIT. The researchers also identified a WebDAV server hosting numerous decoy documents that potentially target Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan, with a strong focus on government entities.
New Veaty and Spearal backdoors linked to Iran used in attack against Iraqi government
Check Point researchers discovered two new malware families, dubbed Veaty and Spearal, that were used in attacks against Iraqi organisations, including government networks. The malware was delivered via a series of executable files masquerading as PDF files through the use of double extensions. Both families were found to be similar to Karkoff and Saitama, two malware families previously attributed to the Iranian threat actor APT34. The researchers additionally identified an IIS module backdoor, named CacheHTTP, that is a newer version of one previously attributed to the Iranian threat actor GreenBug. Changes to the backdoor's communication technique align it with RGDoor, another IIS backdoor attributed to APT34. Given the close relationship between APT34 and GreenBug, as well as overlaps in tactics and targeting, the researchers assess that RGDoor and CacheHTTP might be variants of the same tool.
Tropic Trooper targets Middle East with new China Chopper variant
Kaspersky researchers observed the Chinese-speaking advanced persistent threat (APT) group Tropic Trooper shift its targeting to the Middle East. Starting in June 2023, the group engaged in persistent campaigns against a government entity to deploy a new variant of the China Chopper web shell. China Chopper was identified on a public web server hosting the open-source content management system Umbraco, with the malware compiled as a .NET module of Umbraco. The same server hosted other suspicious implants and malware clusters, including post-exploitation tools and Crowdoor loaders used to drop Cobalt Strike via DLL sideloading.
Increase in cyberattacks observed ahead of Brazil’s Independence Day
CloudSEK researchers observed a surge in cyberattacks targeting Brazil ahead of its Independence Day on September 7th, 2024, with over 300 attacks recorded in the three months prior. The most common were defacement attacks against government websites and critical infrastructure, including the finance, gambling, and betting industries. Other attacks included data breaches, distributed denial-of-service attacks, ransomware, and phishing. The most active group was Team R70, which mostly engaged in defacement attacks against government websites to promote its agenda.
Ransomware
Volume of blog posts by operators during the last week.
RansomHub ransomware abuses Kaspersky TDSSKiller to disable EDR software – BleepingComputer – Sep 10 2024
Ransomware in the Cloud: Scattered Spider Targeting Insurance and Financial Industries – EclecticIQ Blog – Sep 10 2024
CosmicBeetle steps up: Probation period at RansomHub – WeLiveSecurity – Sep 10 2024
Akira Ransomware Targets SonicWall Vulnerability (CVE-2024-40766) – Immediate Patching Required – SOCRadar – Sep 09 2024
Fog Ransomware Now Targeting the Financial Sector; Adlumin Thwarts Attack – ITSecurityNews.info – Sep 06 2024
Financial Services
‘Hunters International’ Ransomware Gang Hits Chinese ICBC Bank’s London Headquarters – TechNadu – Sep 12 2024
A new TrickMo saga: from Banking Trojan to Victim’s Data Leak – Cleafy Labs – Sep 10 2024
Payment gateway data breach affects 1.7 million credit card owners – Bleeping Computer – Sep 09 2024
BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar – Research Blog – Sep 05 2024
Banking Trojans: Mekotio Looks to Expand Targets, BBTok Abuses Utility Command – Trend Micro Research News Perspectives – Sep 05 2024
Geopolitics
Crimson Palace returns: New Tools, Tactics, and Targets – Sophos – Sep 10 2024
Kremlin-linked COLDRIVER crooks take pro-democracy NGOs for phishy ride – TheRegister.com – Sep 09 2024
Chinese APT Abuses VSCode to Target Government in Asia – Unit42 Palo Alto – Sep 06 2024
Gamaredon’s Spear-Phishing Assault On Ukraine’s Military – Cyble Blog – Sep 06 2024
Russian Military Cyber Actors Target US and Global Critical Infrastructure – CISA Cybersecurity Advisories – Sep 04 2024
High Priority Vulnerabilities
Name | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2024-43491 | Windows | 9.8 | 8.5 | Microsoft fixes at least four zero-days in September Patch Tuesday
CVE-2024-36401 | GeoServer | 9.8 | 9.4 | Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401
CVE-2024-30051 | Windows | 7.8 | 7.5 | PoC published for former zero-day in Windows DWM Core Library
CVE-2024-32113 | OFBiz | 9.8 | 6.0 | The Re-Emergence Of CVE-2024-32113: How CVE-2024-45195 Has Amplified Exploitation Risks
CVE-2021-20123 | VigorConnect | 7.5 | 4.2 | DrayTek Vulnerabilities Added to CISA KEV Catalog Exploited in Global Campaign