Security
Headlines
HeadlinesLatestCVEs

Headline

APT41 Hackers Use ShadowPad, Cobalt Strike in Taiwanese Institute Cyber Attack

A Taiwanese government-affiliated research institute that specializes in computing and associated technologies was breached by nation-state threat actors with ties to China, according to new findings from Cisco Talos. The unnamed organization was targeted as early as mid-July 2023 to deliver a variety of backdoors and post-compromise tools like ShadowPad and Cobalt Strike. It has been attributed

The Hacker News
#vulnerability#web#microsoft#cisco#backdoor#rce#The Hacker News

Cyber Espionage / Malware

A Taiwanese government-affiliated research institute that specializes in computing and associated technologies was breached by nation-state threat actors with ties to China, according to new findings from Cisco Talos.

The unnamed organization was targeted as early as mid-July 2023 to deliver a variety of backdoors and post-compromise tools like ShadowPad and Cobalt Strike. It has been attributed with medium confidence to a prolific hacking group tracked as APT41.

“The ShadowPad malware used in the current campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader to load the customized second-stage loader for launching the payload,” security researchers Joey Chen, Ashley Shen, and Vitor Ventura said.

“The threat actor compromised three hosts in the targeted environment and was able to exfiltrate some documents from the network.”

Cisco Talos said it discovered the activity in August 2023 after detecting what it described were “abnormal PowerShell commands” that connected to an IP address to download and execute PowerShell scripts within the compromised environment.

The exact initial access vector used in the attack is not known, although it involved the use of a web shell to maintain persistent access and drop additional payloads like ShadowPad and Cobalt Strike, with the latter delivered by means a Go-based Cobalt Strike loader named CS-Avoid-Killing.

“The Cobalt Strike malware had been developed using an anti-AV loader to bypass AV detection and avoid the security product quarantine,” the researchers said.

Alternately, the threat actor was observed running PowerShell commands to launch scripts responsible for running ShadowPad in memory and fetch Cobalt Strike malware from a compromised command-and-control (C2) server. The DLL-based ShadowPad loader, also called ScatterBee, is executed via DLL side-loading.

Some of the other steps carried out as part of the intrusion comprised the use of Mimikatz to extract passwords and the execution of several commands to gather information on user accounts, directory structure, and network configurations.

“APT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation,” Talos said, noting the final payload, UnmarshalPwn, is unleashed after passing through three different stages.

The cybersecurity outfit also pointed out the adversary’s attempts to avoid detection by halting its own activity upon detecting other users on the system. “Once the backdoors are deployed the malicious actor will delete the web shell and guest account that allowed the initial access,” the researchers said.

The disclosure comes as Germany revealed earlier this week that Chinese state actors were behind a 2021 cyber attack on the country’s national mapping agency, the Federal Office of Cartography and Geodesy (BKG), for espionage purposes.

Responding to the allegations, China’s embassy in Berlin said the accusation is unfounded and called on Germany “to stop the practice of using cybersecurity issues to smear China politically and in the media.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

Google Patches New Android Kernel Vulnerability Exploited in the Wild

Google has addressed a high-severity security flaw impacting the Android kernel that it has been actively exploited in the wild. The vulnerability, tracked as CVE-2024-36971, has been described as a case of remote code execution impacting the kernel. "There are indications that CVE-2024-36971 may be under limited, targeted exploitation," the tech giant noted in its monthly Android security

China's APT41 Targets Taiwan Research Institute for Cyber Espionage

The state-sponsored Chinese threat actor gained access to three systems and stole at least some research data around computing and related technologies.

There is no real fix to the security issues recently found in GitHub and other similar software

The lesson for users, especially if you’re a private company that primarily uses GitHub, is just to understand the inherent dangers of using open-source software.

APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups.