
Weekly Cyber Round-up

Intelligence Report

September 12, 2024

TIDRONE targets military and satellite industries in Taiwan

Trend Micro researchers identified a new threat actor, dubbed TIDRONE, that is linked to Chinese-speaking groups and targets military-related industries in Taiwan, in particular manufacturers of drones. TIDRONE uses enterprise resource planning software and remote desktops to deploy newly discovered backdoors, dubbed CXCLNT and CLNTEND. CXCLNT has basic file upload and download capabilities, as well as features for clearing traces, collecting victim information, and downloading additional portable executable files for execution. CLNTEND is a remote access tool that supports a wider range of network protocols for communication, including TCP, HTTP, HTTPS, TLS, and SMB.

Earth Preta uses new techniques and malware in attacks against Southeast Asian governments

Trend Micro researchers analysed the latest strategies and malware employed by the Chinese threat actor Earth Preta. Its attacks now include the propagation of PUBLOAD via a variant of the HIUPAN worm, with PUBLOAD also used to load additional tools, including FDMTP, which serves as a secondary control tool, and PTSOCKET, used as an alternative exfiltration option. Rather than relying on the group's typical spear phishing tactics, HIUPAN was delivered via removable drives. A recent spear phishing campaign additionally involved multi-stage downloaders such as DOWNBAIT and PULLBAIT. The researchers also identified a WebDAV server hosting numerous decoy documents that potentially target Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan, with a strong focus on government.

New Veaty and Spearal backdoors linked to Iran used in attack against Iraqi government

Check Point researchers discovered two new malware families, dubbed Veaty and Spearal, that were used in attacks against Iraqi organisations, including government networks. The malware was delivered via a series of executable files masquerading as PDF files through the use of double extensions. Both families were found to be similar to Karkoff and Saitama, two malware families previously attributed to the Iranian threat actor APT34. The researchers additionally identified an IIS module backdoor, named CacheHTTP, that is a newer version of one previously attributed to the Iranian threat actor GreenBug. The module's communication technique was changed in a way that aligns with that of RGDoor, another IIS backdoor attributed to APT34. The researchers assess that RGDoor and CacheHTTP might be variants of the same tool, given the close relationship between APT34 and GreenBug as well as overlaps in tactics and targeting.
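The double-extension masquerade described above (an executable named so that it reads as a PDF) is simple to check for at ingestion or on a file share. The following is an added defender-side example written for this round-up, not code from Check Point or Silobreaker: it flags filenames where a document extension is directly followed by an executable extension, and separately flags files named as documents whose leading bytes carry a Windows PE header. The filenames and byte strings are constructed sample input, not samples from the reported campaign.

```python
"""Flag files that claim to be documents but look like Windows executables.

Two independent checks:
  1. Name-only: a document extension immediately followed by an executable
     extension (e.g. "report.pdf.exe"), which a viewer that hides known
     extensions displays as "report.pdf".
  2. Content: a file named as a document whose first bytes are a PE header.
"""

from __future__ import annotations

import os

# Extensions a user expects to open harmlessly (the "claimed" type).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}
# Extensions Windows will execute or script-run when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "dll"}

PE_MAGIC = b"MZ"  # first two bytes of every Windows PE (DOS stub header)

DOUBLE_EXT_FINDING = "document extension followed by executable extension"
PE_FINDING = "PE header in a file named as a document"


def has_deceptive_double_extension(filename: str) -> bool:
    """True when the last two extensions are <document>.<executable>."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 3:  # need a stem plus at least two extensions
        return False
    penultimate, last = parts[-2], parts[-1]
    return penultimate in DOCUMENT_EXTS and last in EXECUTABLE_EXTS


def is_named_as_document(filename: str) -> bool:
    """True when any document extension appears in the name (final or not)."""
    name = os.path.basename(filename).lower()
    return any(name.endswith(f".{ext}") or f".{ext}." in name for ext in DOCUMENT_EXTS)


def assess(filename: str, head: bytes) -> list[str]:
    """Return the list of findings for one file; empty list means consistent."""
    findings: list[str] = []
    if has_deceptive_double_extension(filename):
        findings.append(DOUBLE_EXT_FINDING)
    if head.startswith(PE_MAGIC) and is_named_as_document(filename):
        findings.append(PE_FINDING)
    return findings


# Constructed sample input: filename -> first bytes of the file.
SAMPLES: dict[str, bytes] = {
    "Report.pdf.exe": b"MZ\x90\x00\x03\x00",   # masquerade: PE with .pdf.exe
    "Budget_2024.pdf": b"%PDF-1.7\n",          # genuine PDF
    "setup.exe": b"MZ\x90\x00\x03\x00",        # honest executable
    "invoice.pdf": b"MZ\x90\x00\x03\x00",      # PE renamed to .pdf only
    "archive.tar.gz": b"\x1f\x8b\x08",         # benign double extension
}


def scan(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Assess every sample and keep only those with findings."""
    return {name: f for name, head in samples.items() if (f := assess(name, head))}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(f"{name}: {'; '.join(findings)}")
```

Reading the first bytes rather than trusting the extension is what catches the single-rename case ("invoice.pdf" that is really a PE), which the name-only check cannot see; both checks together are cheap enough to run on every inbound attachment.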

Tropic Trooper targets Middle East with new China Chopper variant

Kaspersky researchers observed the Chinese-speaking advanced persistent threat (APT) group Tropic Trooper shift its targeting to the Middle East. Starting in June 2023, the group engaged in persistent campaigns against a government entity to deploy a new China Chopper web shell variant. China Chopper was identified on a public web server hosting the open-source content management system Umbraco, with the malware compiled as a .NET module of Umbraco. The same server hosted other suspicious implants and malware clusters, including post-exploitation tools and Crowdoor loaders used to drop Cobalt Strike via DLL sideloading.

Increase in cyberattacks observed ahead of Brazil's Independence Day

CloudSEK researchers observed a surge in cyberattacks targeting Brazil ahead of its Independence Day on September 7th, 2024, with over 300 attacks observed in the three months prior. The most common attacks were defacements of government websites and critical infrastructure, including the finance and gambling/betting industries. Other attacks included data breaches, distributed denial-of-service attacks, ransomware, and phishing. The most active group was Team R70, which mostly engaged in defacement attacks against government websites to promote its agenda.

High Priority Vulnerabilities

Name             Software       Base Score   Temporal Score
CVE-2024-43491   Windows        9.8          8.5
  Related: Microsoft fixes at least four zero-days in September Patch Tuesday
CVE-2024-36401   GeoServer      9.8          9.4
  Related: Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401
CVE-2024-30051   Windows        7.8          7.5
  Related: PoC published for former zero-day in Windows DWM Core Library
CVE-2024-32113   OFBiz          9.8          6.0
  Related: The Re-Emergence Of CVE-2024-32113: How CVE-2024-45195 Has Amplified Exploitation Risks
CVE-2021-20123   VigorConnect   7.5          4.2
  Related: DrayTek Vulnerabilities Added to CISA KEV Catalog Exploited in Global Campaign
