The Black Basta ransomware group is using advanced social engineering tactics and a multi-stage infection process to target organizations.

****SUMMARY****

*   **Black Basta Campaign Resurgence:** Rapid7 researchers report a sophisticated social engineering campaign by the Black Basta ransomware group, refining tactics and targeting organizations globally.

*   **Enhanced Tactics:** Attackers use email bombing, impersonation via Microsoft Teams, and tools like QuickAssist and AnyDesk to gain remote access, bypass MFA, and execute malicious payloads.

*   **Malicious Tools:** Threat actors deploy tools like Zbot and DarkGate for credential harvesting, data exfiltration, and persistence before delivering Black Basta ransomware.

*   **Improved Payload Delivery:** Updated techniques include obfuscation with custom packers, DLL execution via rundll32.exe, and advanced evasion strategies.

*   **Mitigation Strategies:** Organizations should adopt stronger password policies, provide security training, and implement advanced defences to mitigate ransomware threats.

Cybersecurity researchers at Rapid7 have released a new report detailing its investigation of a sophisticated social engineering campaign launched by the infamous Black Basta ransomware group (aka UNC4393), threatening organizations worldwide. 

Researchers have observed a resurgence of activity in relation to Black Basta ransomware operators’ currently ongoing social engineering campaign, first reported in May 2024 and updated in August 2024.

The attackers have now refined their early stages procedures, including new malware payloads, improved delivery, and increased defence evasion, with lures sent via Microsoft Teams.

Reportedly, the campaign begins with email bombing in which a series of emails are sent to overwhelm potential victims, typically achieved by signing up users’ emails to multiple mailing lists simultaneously. Attackers impersonate IT support personnel offering assistance and tricking users into granting remote access to their systems. Microsoft Teams is used to establish initial contact whereas Azure/Entra tenant subdomains and custom domains are utilized as account domains.

Potential targets are tricked into installing/executing remote management tools like QuickAssist, AnyDesk, TeamViewer, Level, or ScreenConnect. Threat actors also use the OpenSSH client to establish a reverse shell, or, share a QR code with the user, probably to bypass MFA (multi-factor authentication) after stealing their credentials.

As soon as they gain access, the attackers deploy a range of malicious tools for credential harvesting, lateral movement, and data exfiltration.  A custom packer is used to obfuscate various payloads, including Zbot, and DarkGate, to steal sensitive information and establish persistence on the system. The ultimate goal, however, is to deploy the Black Basta ransomware itself, to encrypt critical data and demand a ransom payment. 

One of the malicious QR codes used by the attackes (Via Rapid7)

For your information, DarkGate is a powerful malicious shellcode that can perform a wide range of malicious actions, including stealing information, establishing persistence, and re-infecting compromised machines by establishing a backdoor.

Zloader/Zbot, conversely, is a sophisticated trojan that steals login credentials, credit card information, and personal data, downloads and executes additional malware payloads, establishes persistence on the infected system and communicates with command-and-control servers.

Compared to Rapid7’s previously detected attacks, researchers noted some similarities and some unique approaches in this campaign:

“Rapid7 has observed usage of the same credential harvesting executable, previously reported as AntiSpam.exe, though it is now delivered in the form of a DLL and most commonly executed via rundll32.exe. Whereas before it was an unobfuscated .NET executable, the program is now commonly contained within a compiled 64-bit DLL loader,” the blog post revealed.

To mitigate the risk of such attacks, organizations must improve their security measures, including implementing stronger password protection mechanisms, regular security awareness training for employees, and advanced security solutions.

1.  **Telecom Gian****t** **BT Group Hit by Black Basta Ransomware**
2.  **Russian Midnight Blizzard Hits MS Teams in Precision Attack**
3.  **Iranian Hackers Target Microsoft 365 with MFA Push Bombing**
4.  **Storm-0324 Exploits MS Teams Chats for Ransomware Attacks**
5.  **Vietnamese DarkGate Malware Targets META Accounts Worldwide**

Black Basta Ransomware Uses MS Teams, Email Bombing to Spread Malware

A Chinese threat actor infiltrated several IT and security companies in a bring-your-own VS code, with an eye to carrying out a supply-chain-based espionage attack.

Source: Araki Illustrations via Alamy Stock Photo

Chinese hackers almost breached critical European supply chain companies by disguising their malicious activities behind native Microsoft technologies.

It happened during a three-week period, from late June to July, according to researchers from SentinelLabs. A threat actor tied to China's diverse and thriving cyberattack scene targeted large business-to-business (B2B) IT service providers throughout southern Europe, such as cybersecurity vendors and data and infrastructure solutions providers, with the presumed goal of downstream supply chain espionage.

To penetrate these IT vendors — and, presumably, the many clients across the continent to which they enjoy privileged access — the attackers masked their malicious activity behind everyday business tools like Visual Studio Code and Microsoft Azure. And to confuse attribution, they used the same tactics, techniques, procedures (TTPs), and tooling observed across a number of other known Chinese threat actors.

**Malware via Microsoft**

Infections in the campaign, which researchers dubbed "Operation Digital Eye," began with SQL injections against vulnerable, Internet-facing Web and database servers. Then the attackers dropped PHP Web shells, using filenames specially tailored to the target's environment in order to avoid raising any suspicion. Reconnaissance, lateral movement, and credentials theft followed.

The highlight of the attacks, though, came innocuously packaged as "code.exe." Digitally signed by Microsoft and run as a service using the Windows Service Wrapper, the attackers brought to each of their victims their own portable copy of the Visual Studio Code (VS Code). VS Code is a free, open source editor developed by Microsoft, by far the most popular integrated development environment (IDE) among both new and seasoned developers.

VS Code has also become a proven weapon of Chinese threat actors as of late, thanks to its Remote Tunnels feature. Remote Tunnels is designed to allow developers to access and work on code on remote machines. In a different light, though, it's a perfect malicious payload, enabling command execution and file editing on remote systems in the context of a seemingly innocuous Microsoft program. The attackers behind Operation Digital Eye intended to use VS Code to maintain persistent backdoor access to victims, using innocuous file and service names and storing it in the Temp folder to further blend in with victims' normal business operations.

Tunneling with VS Code isn't quite as simple as loading malware onto a victim's machine, though — it requires a GitHub account and connection with an Azure server. Researchers aren't sure whether the attackers used stolen GitHub and Azure credentials, or registered their own accounts.

What is clear is that they turned this potential roadblock into an advantage, leveraging public cloud infrastructure in Western Europe to make their otherwise suspicious traffic look more legitimate, and more likely to evade notice by security tools. VS Code and Azure network traffic tends to avoid close scrutiny, the researchers noted, and are commonly allowed by application controls and firewall rules. "Combined with the full endpoint access it provides, this makes Visual Studio Code tunneling an attractive and powerful capability for threat actors to exploit," they wrote.

**The Trouble in Attributing Chinese Attackers**

The actual malware used in Operation Digital Eye did less to clarify than to confuse who, exactly, was behind the attacks.

The most notable tool in the mix, "bK2o.exe," is a modified version of the open source credential stealing tool Mimikatz, designed for pass-the-hash attacks. Its aim is to snag a New Technology LAN Manager (NTLM) hash, in lieu of the targeted user's actual password, to enable the further execution of processes within the user's security context.

BK2o.exe is just one among many Mimikatz variants deployed by several Chinese advanced persistent threats (APTs). Related variants have been observed in Operations Soft Cell and Tainted Love, associated with groups like APT41 and APT10. Researchers from SentinelLabs concluded that there is likely a shared vendor supplying many groups at once, as evidenced by the recent case of iSoon.

Also common to these many groups, besides their malware, is the intent behind their cyberespionage. In the case of Digital Eye, "Southern Europe's role as a Mediterranean hub intersects with China's Belt and Road Initiative, particularly in infrastructure investments like Greece's Port of Piraeus," notes SentinelLabs principal threat researcher Tom Hegel. "Cyber operations in this area likely support China's efforts to safeguard these investments, gain leverage in energy transit routes, and monitor naval activities critical to global trade and security. Economically, Southern Europe offers access to critical industries such as energy, shipping, aerospace, and agriculture, as well as opportunities for scientific and technological espionage, particularly in aerospace and renewable energy. Politically, the region's challenges provide opportunities for influence, allowing China to exploit economic dependencies, shape public sentiment, and potentially weaken EU and NATO unity."

He concludes that "In targeting Southern Europe, China seeks not only to secure competitive advantages but also to deepen its influence in a region vital to global trade, energy flows, and Western alliances."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Sprawling 'Operation Digital Eye' Attack Targets European IT Orgs

Protect your systems with automated patching and server hardening strategies to defend against vulnerabilities like the NTLM zero-day.…

Protect your systems with automated patching and server hardening strategies to defend against vulnerabilities like the NTLM zero-day. Stay proactive and secure your business.

A newly discovered Windows zero-day vulnerability exposes users across multiple Windows versions to credential theft. Discovered by 0patch researchers, this critical security flaw allows attackers to steal NTLM credentials through a deceptive yet simple method.

****What Makes This Vulnerability Dangerous?****

**Widespread Impact**

The vulnerability affects a wide range of Windows systems, including:

*   Windows Server 2022
*   Windows 11 (up to v24H2)
*   Windows 10 (multiple versions)
*   Windows 7 and Server 2008 R2

**Exploitation Mechanism**

Technical details of the vulnerability are withheld to minimize exploitation risk until Microsoft issues a fix to minimize any further risk of exploitation. 

The vulnerability enables attackers to steal a user’s NTLM credentials by luring them into opening a malicious file in Windows Explorer.

Attackers can trigger the vulnerability through minimal user interaction:

*   Opening a shared folder
*   Accessing a USB disk
*   Simply viewing a malicious file in Windows Explorer
*   Accessing the Downloads folder with a strategically placed file

****The Broader Context of Unpatched Vulnerabilities****

This isn’t an isolated incident. The same research team has previously identified multiple unresolved Windows vulnerabilities, including:

*   Windows Theme file issue
*   “Mark of the Web” vulnerability
*   “EventLogCrasher” vulnerability
*   Three NTLM-related vulnerabilities (PetitPotam, PrinterBug/SpoolSample, and DFSCoerce)

****0patch Micropatches****

0patch is offering a free micropatch for the latest NTLM zero-day to all users registered on its platform until Microsoft releases an official fix. The security micropatch has already been automatically deployed to PRO and Enterprise accounts, except in cases where configurations explicitly block automatic updates.

“The impact on enterprises using outdated and legacy infrastructure is more significant than the simple impact on operating costs, said Jim Routh,” Chief Trust Officer at cybersecurity company Saviynt. “In this case, the obsolete authentication application (NTLM) from MS enables threat actors to steal Windows credentials potentially compromising customer experience.”

****Focusing on the proactive approach****

Automated patch management, like the protection provided to PRO and Enterprise accounts through 0patch, is a great start, but organizations need to do more. Implementing strong server-hardening strategies can add multiple layers of defence by setting consistent security configurations across all systems.

This proactive approach goes beyond simply reacting to vulnerabilities, helping businesses stay protected against threats like the recent NTLM zero-day vulnerability.

1.  Hackers Use Excel Files for Remcos RAT Variant on Windows
2.  Godot Engine Exploited for Malware on Windows, macOS, Linux
3.  Windows SmartScreen Flaw Enabling Data Theft in Stealer Attack
4.  Windows Vulnerable to Command Injection via “BatBadBut” Flaw
5.  Russian Hackers Exploit Firefox and Windows 0-Days for Backdoor

Critical Windows Zero-Day Alert: No Patch Available Yet for Users

Another day, another supply chain attack!

****KEY POINTS****

*   **Cybersecurity researchers at ReversingLabs found that hackers used malicious code to combine the Ultralytics AI library to mine cryptocurrency.**

*   **Hackers exploited the library’s build system and injected XMRig mining software into updates 8.3.41 and 8.3.42.**

*   **The attack used GitHub Actions Script Injection and fake pull requests to gain access to the system.**

*   **With over 60 million downloads, the compromised library posed a risk, though the damage was limited to mining.**

*   **Developers and users must verify software updates and sources to avoid similar incidents.**

The latest research from ReversingLabs (RL) shared with Hackread.com, reveals that a popular AI library called _“_Ultralytics_“_ has been secretly mining cryptocurrency for someone else. This follows the recent discovery of the malicious aiocpa Python package, which was spreading an infostealer.  

On December 4th, an update (version 8.3.41) for Ultralytics hit the Python Package Index (PyPI), a repository for Python software. However, something else also hit the repository: Hackers had infiltrated the project’s build environment, which prepares the software for release. 

The content in the GitHub repository did not match the content of the matching PyPI package, as malicious actors compromised the build environment and injected malicious code after the code review process was completed.

The tampered code downloaded a program called XMRig, a cryptocurrency miner. The worst part, according to RL’s report, is that even a supposed “fix” (version 8.3.42) released the next day was also infected.

That’s because the project’s maintainers failed to locate the compromise, resulting in version 8.3.42, intended to address the incident and serve as a safe upgrade, containing the same malicious code. A clean version, 8.3.43, was released on the same day, resolving this supply chain attack.

In case you are wondering how the hackers got in, it all started with exploiting a GitHub Actions Script Injection to enter the build environment of a trusted npm package, @solana/web3.js. This injection allowed a malicious actor to create a fork of any repository using ultralytics/actions and craft a pull request from a branch with injection payload code in its title.

Next, two maliciously crafted pull requests, #18018 and #18020, were designed to enable backdoor access to the compromised environment. The user account behind this pull request, openimbot, and the remote connection established after the execution of the malicious payload were initiated from Hong Kong, based on information provided by ultralytics maintainers. By creating fake pull requests with cleverly crafted titles, actors tricked the system into running their malicious code.

A GitHub comment explaining what happened and limited details about the user involved in the hack (Screenshots via RL)

****Impact: 60 million downloads and 30,000 GitHub stars****

This attack had the potential to impact millions considering that Ultralytics boasts over 60 million downloads and 30,000 GitHub stars, indicating its widespread use. Thankfully, the damage seems limited to cryptocurrency mining.

However, this incident shows how vulnerable software supply chains can be. Malicious actors could have easily injected more dangerous code, like backdoors or remote access tools. This means, developers must be cautious at all stages to protect AI projects. 

It also shows the importance of software security, emphasizing the need for developers to double-check code changes from untrusted sources, and users to download software from trusted sources and keep it updated.

1.  **ChatGPT Sandbox Flaws Enabling Python Execution**
2.  **PyPI Exploited to Infiltrate Systems Through Python Packages**
3.  **PythonAnywhere** **Cloud Platform Abused to Host Ransomware**
4.  **Qubitstrike Malware Hits Jupyter Notebooks for Cryptojacking**
5.  **VMCONNECT: Malicious PyPI Package Mimicking Python Tools**

Ultralytics AI Library with 60M Downloads Compromised for Cryptomining

Plus: Russian spies keep hijacking other hackers’ infrastructure, Hydra dark web market admin gets life sentence in Russia, and more of the week’s top security news.

A consortium of global law enforcement agencies led by Britain’s National Crime Agency announced a takedown operation this week against two major Russian money-laundering networks that process billions of dollars each year in more than 30 locations around the world. WIRED had exclusive access to the investigation, which uncovered new and troubling laundering techniques, particularly schemes to directly change cryptocurrency for cash. As the United States government scrambles to address China’s “Salt Typhoon” digital espionage campaign into US telecoms, two senators demanded this week that the Department of Defense investigate its failure to secure its own communications and address known vulnerabilities in US telecom infrastructure. Meanwhile, Signal Foundation president Meredith Whittaker spoke at WIRED’s The Big Interview event in San Francisco this week about Signal’s enduring commitment to bring private, end-to-end encrypted communication services to people all over the world regardless of geopolitical climate.

A new smartphone scanner from the mobile device security firm iVerify can quickly and easily detect spyware and has already flagged seven devices infected with the invasive Pegasus surveillance tool. Programmer Micah Lee built a tool to help you save and delete your X posts after he offended Elon Musk and was banned from the platform. And privacy advocate Nighat Dad is fighting to protect women from digital harassment in Pakistan after escaping from an abusive marriage.

The US Federal Trade Commission is targeting data brokers who it says unlawfully tracked protesters and US military personnel, but the enforcement efforts seem likely to trail off under the Trump administration. Similarly, the US Consumer Financial Protection Bureau has devised a strategy to impose new oversight on predatory data brokers, but the new administration may not continue the initiative. Some new laws are finally coming around the world in 2025 that will attempt to regulate the dysfunction of the digital advertising industry, but malicious advertising is still booming around the world and continues to play a big role in global scamming.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**US Officials Urge Americans to Encrypt Calls and Texts After Chinese Telecom Hacking**

Remember how the US federal government spent much of the last three decades periodically decrying the dangers of strong, freely available encryption tools, arguing that because they enable criminals and terrorists, they should be outlawed or required to implement government-approved backdoors? As of this week, the government will never again be able to make that argument without privacy advocates pointing to a particular phone call where two officials recommended Americans use exactly those encryption tools to protect themselves amidst an ongoing massive breach of US telecoms by Chinese hackers.

In a briefing with reporters about the breach of no fewer than eight phone companies by the Chinese state-sponsored espionage hackers known as Salt Typhoon, officials from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI both said that amid the still-uncontrolled infiltration of US telecoms that have exposed calls and texts, Americans should use encryption apps to safeguard their privacy. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” said Jeff Greene, CISA’s executive assistant director for cybersecurity. (Signal and WhatsApp, for instance, end-to-end encrypt calls and texts, though the officials didn’t name any particular apps.)

The recommendation amid what one senator has called “the worst telecom hack in our nation’s history” represents a stunning reversal from previous US officials’ rhetoric on encryption, and in particular the FBI’s repeated calls for access to backdoors in encryption. In fact, it was exactly this sort of government-approved wiretap capability requirement for US telecoms that the Salt Typhoon hackers in some cases exploited to access Americans communications.

**Russia’s FSB Hackers Keep Hijacking Other Hackers’ Infrastructure for Spying**

The hacker group known as Secret Blizzard, Snake, or Turla, widely believed to work for Russia’s FSB intelligence agency, is known for using some of the most ingenious hacking techniques ever seen to spy on its victims. One of the tricks that’s now become its signature move: hacking the infrastructure of other hackers to stealthily piggyback on their access. This week Microsoft’s threat intelligence researchers and security firm Lumen Technologies revealed that Turla gained access to the servers of a Pakistan-based hacker group and used its visibility into victim networks to spy on government, military and intelligence targets in India and Afghanistan of interest to the Kremlin. In some cases, Turla hijacked the Pakistani hackers’ access to install their own malware, while in other instances they appear to have used the other group’s tools for even greater stealth and deniability. The incident marks the fourth known time since 2017, when it penetrated an Iranian hacker group’s command-and-control servers, that Turla has freeloaded on another hacker group’s infrastructure and tooling, according to Lumen.

**Admin of Russian Dark Web Market Hydra Sentenced to Life in Prison**

The Russian government is known for turning a blind eye to cybercrime—until it doesn’t. This week 15 convicted members of the notorious dark web market Hydra learned the limits of that forbearance when they reportedly received prison sentences ranging from 8 years to 23 years, as well an unprecedented life sentence for the site’s creator Stanislav Moiseyev. Before it was taken down two years ago in a law enforcement operation led by IRS criminal investigators in the US and Germany’s BKA police agency, Hydra was a uniquely sprawling dark web marketplace, one that not only served as the post-Soviet world’s biggest online bazaar for narcotics but also a vast money laundering machine for crimes including ransomware, scams, and sanctions evasion. In total, Hydra enabled more than $5 billion dollars in dirty cryptocurrency transactions since 2015, according to crypto tracing firm Elliptic.

**Suspected Ransomware Actor “Wazawaka” Reportedly Charged and Apprehended by Russia**

Russian law enforcement charged and arrested a software developer last week who is suspected of prolific contributions to multiple ransomware groups, including building malware to extort money from businesses and other targets. The suspect is reportedly Mikhail Matveev, or “Wazawaka,” who has worked as an affiliate with ransomware gangs like Conti, LockBit, Babuk, DarkSide, and Hive. Social media reports indicate that Matveev confirmed his indictment and said that he has been released from law enforcement custody on bail.

Russia’s prosecutor general did not name Matveev, but described charges last week against a 32-year-old hacker under Article 273 of Russia’s Criminal Code, which bans the creation or use of malware. The move came as Russia seemed to be sending some sort of message about its tolerance for cybercrime with the sentencing of the dark web marketplace Hydra’s staff, including a life sentence for its administrator. In 2023, the US government indicted and sanctioned Matveev.

**FBI Is Investigating Exxon Lobbyist Firm Over Hack-and-Leak Operation Targeting Activists**

In a disturbing scoop (one we didn’t cover last week due to the Thanksgiving holiday), Reuters reporters have revealed that the FBI is now investigating a lobbying consultancy hired by Exxon over the firm’s role in a hack-and-leak operation that targeted climate change activists. DCI Group, a lobbying firm hired at the time by Exxon, allegedly gave a list of target activists to a private investigator who then outsourced a hacking operation against those targets to mercenary hackers. After the private investigator—an Israeli man named Amit Forlit, who was later arrested in London and faces US hacking charges—allegedly gave the hacked material to DCI, it leaked the activists’ internal communications about climate change litigation against Exxon to the media, Reuters discovered. The FBI, according to Reuters, has determined that DCI also first previewed that material to Exxon before leaking it. “Those documents were directly employed by Exxon to come after me with all guns blazing,” one attorney working with the activist group, the Center for Climate Integrity, told Reuters. “It turned my life upside down.”

Exxon has denied knowing about any hacking activities and DCI told Reuters in a statement that “we direct all our employees and consultants to comply with the law.”

US Officials Recommend Encryption Apps Amid Chinese Telecom Hacking

The threat actors behind the More_eggs malware have been linked to two new malware families, indicating an expansion of its malware-as-a-service (MaaS) operation.
This includes a novel information-stealing backdoor called RevC2 and a loader codenamed Venom Loader, both of which are deployed using VenomLNK, a staple tool that serves as an initial access vector for the deployment of follow-on

More_eggs MaaS Expands Operations with RevC2 Backdoor and Venom Loader

New Fortress Information Security research shows 90% of software products used by critical infrastructure organizations contain code developed in China.

PRESS RELEASE

ORLANDO, FL — December 5, 2024 — The code that makes up the software now powering U.S. utilities is rife with vulnerabilities, including hundreds that are “highly exploitable,” a new research report released by Fortress Information Security today finds. Researchers studied thousands of products and found troubling risk patterns.

The report, Beyond the Bill of Materials: The Silent Threat Lurking in Critical Infrastructure Software, also shows that 25 percent of software components and 90 percent of software products contained code from developers in China.

Compromised software code can provide threat actors with a “backdoor” into power grids, oil and gas pipelines, and communication networks. In similar research last year, Fortress discovered that code developed in China was 1.4 times more likely to contain vulnerabilities than code developed elsewhere.

“China is an existential threat to U.S. economic and physical security,” said Alex Santos, CEO of Fortress. “Software products with China-born code must be identified and weeded out from our nation’s critical infrastructure. We developed and then examined the Software Bill of Materials (SBOM) for the most widely used products managing the U.S. electric power grid. The next step is to take action to eliminate these systemic risks, and we look forward to working with utilities to do just that.”

Using the North American Energy Software Assurance Database (NAESAD) to review Software Bills of Materials (SBOMs) for more than 2,000 software products, researchers found:

More than 9,000 unique vulnerabilities – including 855 highly exploitable vulnerabilities that attackers can exploit with minimal effort.

Twenty components that account for more than 80% of critical vulnerabilities.

3,841 instances of Known Exploited Vulnerabilities (KEVs) across products. KEVs are a subset of vulnerabilities actively exploited by threat actors in the wild.

The Most Common Dependencies were 1) The Linux kernel, 2) zlib (a compression library), and 3) OpenSSL (an open-source cryptographic library). 

"Once again, we found that just a small number of common components, used across hundreds of products, were responsible for the bulk of critical vulnerabilities,” said Bryan Cowan, lead researcher for Fortress. “These are vulnerabilities that can be detected and software flaws that can be corrected. Addressing those 20 components would make our power plants, oil and gas refineries, and chemical companies much more secure.”

Brief Methodology

Fortress created a Software Bill of Materials (SBOM) for each product version using binary analysis. Researchers reviewed the SBOMs stored in NAESAD. Fortress analyzed more than 9,535 unique vulnerabilities identified across 8,758 unique components associated with 2,233 products across 243 vendors. This included information technology (IT) products, used for network management, and operational technology (OT) products, used for business functions. The team used the Exploit Prediction Scoring System (EPSS) as a proxy for exploitability. 

About Fortress. Securing critical supply chains and cyber assets from evolving threats.

Compromised Software Code Poses New Systemic Risk to U.S. Critical Infrastructure

SUMMARY A large U.S. company with operations in China fell victim to a large-scale cyberattack earlier this year,…

****SUMMARY****

*   **Network Access**: Chinese hackers maintained access to a major U.S. company’s network for at least four months, likely stealing sensitive information, including emails.

*   **Techniques Used**: Hackers employed DLL sideloading, exploited Google and Apple software, and used tools like Impacket and FileZilla to move within the network.

*   **Targeted Data**: The attackers focused on Exchange Servers and email data, indicating a strategic intelligence-gathering operation.

*   **Attribution to Daggerfly**: Symantec linked the attack to Chinese state-sponsored groups Daggerfly and Crimson Palace, known for sophisticated cyber-espionage.
*   **Expert Insight**: Cybersecurity expert Stephen Kowski highlights the sophistication and dangers of long-term network breaches and emphasises the need for stronger email security and monitoring.

A large U.S. company with operations in China fell victim to a large-scale cyberattack earlier this year, according to cybersecurity firm Symantec. The attack believed to be the work of **Chinese hackers**, allowed the attackers to maintain access to the company’s network for at least four months, likely gathering sensitive information.

This follows **October 2024’s report** in which it was revealed that China’s Salt Typhoon hacking group targeted and successfully compromised AT&T, Verizon, and Lumen, compromising wiretap systems used in criminal investigations.

Symantec’s findings indicates the hackers were active from April 11, 2024, until August, though the initial breach may have happened even earlier. During this time, hackers moved through the company’s network, gaining access to multiple computers, including **Exchange Servers**.

This suggests a primary goal of stealing email data for intelligence-gathering purposes. According to Symantec’s **blog post**, hackers employed a mix of legitimate applications and open-source tools to carry out their attacks.

From DLL-sideloading, a technique where malicious code is loaded with legitimate applications, to the exploitation of Google and Apple software were carried out for this purpose. Additionally, threat actors utilized **Impacket**, a Python-based toolkit for network protocol manipulation, and FileZilla, an FTP client, among others.

****Links to Chinese APT Groups****

Although the organization’s name is still unknown, Symantec believes that the group behind the attack is closely linked to the Chinese state-sponsored group **Daggerfly** (Daggerfly (also known as BRONZE HIGHLAND StormCloud, and Evasive Panda) and Crimson Palace.

This claim is based on the group’s repeated use of DLL sideloading in past attacks. Daggerfly is well-known for using this technique. Moreover, one of the malicious files found on a compromised system was textinputhost.dat, which has also been associated with another Chinese group, Crimson Palace. This group recently **made news** for targeting South Asian governments and stealing sensitive military secrets.

**Stephen Kowski**, a cybersecurity expert at SlashNext, told _Hackread.com_ that this attack is part of a worrying trend. Hackers are using increasingly sophisticated methods to gain long-term access to company networks, he said.

“The focus on Exchange servers and email harvesting suggests a strategic intelligence-gathering operation,” Kowski added. He emphasized the need for strong email security and continuous monitoring to detect these kinds of attacks.

1.  **GLASSBRIDGE: Google Blocks Pro-China Fake News Sites**
2.  **China’s insidious surveillance against Uyghurs with Android malware**
3.  **Muddling Meerkat Suspected of Espionage via Great Firewall of China**
4.  **Chinese Blackwood APT Deploys NSPX30 Backdoor in Cyberespionage**
5.  **Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff**

Chinese Hackers Breach US Firm, Maintain Network Access for Months

Cloudflare Tunnels is just the latest legitimate cloud service that cybercriminals and state-sponsored threat actors are abusing to hide their tracks.

Source: Classic Image via Alamy Stock Photo

NEWS BRIEF

BlueAlpha, a Russian state-sponsored advanced persistent threat (APT) group, has recently evolved its malware delivery chain to abuse Cloudflare Tunnels — with the goal of ultimately infecting victims with its proprietary GammaDrop malware.

Cloudflare Tunnels is, as its name suggests, a secure tunneling software. It can be used to connect resources to Cloudflare's network without using a publicly routable IP address, with the goal of protecting Web servers and applications from distributed denial-of-service (DDoS) and other direct cyberattacks, by hiding their origins.

Unfortunately, this obfuscation mechanism, like other legitimate cloud tools, can also be used by the likes of BlueAlpha, which uses Cloudflare Tunnels to conceal its GammaDrop staging infrastructure from traditional network detection mechanisms, according to Recorded Future's Insikt Group.

"Cloudflare offers the tunneling service for free with the use of the TryCloudflare tool," according to an analysis published this week from Insikt. "The tool allows anyone to create a tunnel using a randomly generated subdomain of trycloudflare.com and have all requests to that subdomain proxied through the Cloudflare network to the Web server running on that host."

The APT then uses the concealed infrastructure to mount HTML smuggling attacks that bypass email security systems, along with employing DNS fast-fluxing, which makes it more difficult to disrupt BlueAlpha’s command-and-control (C2) communications, Insikt Group researchers noted — and in the end, deliver the GammaDrop malware, which enables data exfiltration, credential theft, and backdoor access to networks.

BlueAlpha, which shares DNA with other Russian threat groups like Trident Ursa, Gamaredon, Shuckworm, and Hive0051, first emerged in 2014, and has lately targeted Ukrainian organizations via spearphishing campaigns. The APT has used the custom VBScript malware GammaLoad since at least October 2023.

To protect against such attacks, Insikt Group recommended several mitigations, including:

*   Beef up email security to block HTML smuggling techniques
    
*   Flag attachments with suspicious HTML events
    
*   Use application control policies to block malicious use of mshta.exe and untrusted .lnk files
    
*   Set up network rules to flag requests to trycloudflare.com subdomains
    

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Russia's 'BlueAlpha' APT Hides in Cloudflare Tunnels

Ever wonder what an extroverted strategy security nerd does? Wonder no longer! This week, Joe pontificates on his journey at Talos, and then is inspired by the people he gets to meet and help.

Thursday, December 5, 2024 14:02

Welcome to this week’s edition of the Threat Source newsletter. 

I am unbelievably lucky to do the work that I do. My title is technically ‘Senior Security Strategist’. It’s a very fancy title, but basically: I get to research threats with my colleagues and friends to keep people safe here at Talos. I also get to travel and talk to our customers and communities about that work and how we fight that good fight. This has taken me to some interesting places - from Ukraine to California and lots of places in between. Not bad for a guy from a small town in Alabama.  

This gig isn’t for everyone. You must have some extroverted tendencies, and as the youth would say, some ‘rizz’. It’s not enough to talk about something like, say, ransomware. You need to be able to explain it in high technical detail if needed and then explain it to a board of C-levels and speak the language of business they understand. And you need to do it in an engaging way to keep your audiences bought in. It’s a unique blend of security practitioner expertise and the ability to communicate that to audiences, some technical, some not.  

If you’re thinking this also requires some kind of social media influencer level of Hemsworth caliber good looks and hyper charisma, have no fear. I’m about as much a security influencer as Chris Farley was a Beverly Hills ninja. I am just a security nerd who likes to talk. Like I said - I'm very lucky.  

Sometimes this gig takes you to very unexpected places. A couple of weeks ago I found myself at the Ford Foundation Center for Social Justice. I was there to attend and support the NGO-ISAC annual summit. The NGO-ISAC ‘is a non-profit organization improving the cybersecurity of US-based nonprofits.’ They do amazing work supporting cyber security for non-governmental organizations that help protect and promote civil society. We’re also fortunate at Talos to be a partner with them and donate time and resources to support their mission of helping the helpers.  

We are proud to be partners and volunteer our time with NGO-ISAC and it’s members. If you ever want to be truly humbled, spend time with an NGO and learn about what they do. The energy and heart those people have is incredible and will inspire you. They help feed the hungry, cloth the homeless, protect refugees, promote democracies, and generally help take care of some of the most vulnerable people and institutions our society relies upon. They also traditionally struggle with cybersecurity - security investments and practitioner expertise can be difficult to obtain when your budgets are built upon donations to support your mission. They are the embodiment of fighting the good fight, and we at Talos will always have the time to help them help others.  

While I was there, we debuted a custom NGO version of Backdoors & Breaches I helped co-develop with the NGO-ISAC. It was a real hit, and we ran demo games that resonated very well with the audiences. Helping teach cybersecurity to NGOs is fantastic. If we can help them stay secure, there’s so many others who will be helped by it. Also, keep your eyes peeled for a blog post in January about how we designed and created a custom expansion for Backdoors & Breaches.  

Also, the Ford Foundation? Amazing building. It’s in the heart of NYC and is an island of pure serenity. They have an indoor atrium/park that is next level. They pipe in some absolute jazz bangers throughout the entire building that, mixed with the decor, exudes a class I've rarely encountered in my travels. If I could make a blanket out of that entire vibe and wrap myself up in it, I'd do it.  

**The one big thing **

QR Codes, am I right? Sometimes you can scan one with your phone and maybe win a free cheeseburger, sometimes it can take you to a fake O365 phishing site. The tricky bit with QR codes in e-mails is how easily they can avoid spam filters. My man Jaeson Schultz did some great research on attacks, prevalence, and detection of QR codes in e-mail messages. The parts on AI-generated QR imagery are fantastic – be careful what you scan! 

**Why do I care? **

E-mail phishing and evading defenses are a tried and tested tactic with attackers. QR codes are another method of attack, and because they can be difficult to defang/detect, defenders have to work extra hard to understand those threats and stop them.  

**So now what? **

Exercise serious caution when scanning a QR code. If possible, detonate those suspicious QR code e-mails in a sandbox, like Threat Grid. 

**Top security headlines of the week **

At least 97 major water systems in the US have serious cybersecurity vulnerabilities and compliance issues, raising concerns that cyberattacks could disrupt businesses, industry, and the lives of millions of citizens. (Dark Reading) 

The NSA updated its mobile devices security best practices report. Reboot those phones at least once a week friends.  (ZDNet) 

The United States and other Western nations released guidance Tuesday designed to evict the China-linked group in the wake of the high-profile hack. (CyberScoop) 

**Can’t get enough Talos? **

*   New PXA Stealer targets government and education sectors for sensitive information 
*   The TTP Episode 7: Explore this year's Macro-ATT&CK findings  
*   Beers with Talos is back (kind of) with a special “B Team” episode: Misadventures, Rabbit Holes, and Turkey Lurkey Goes to the Movies 

**Upcoming events where you can find Talos ****AVAR (Dec. 4-6)   **

_Chennai, India_    

Vanja Svancer and Chetan Raghuprasad from Cisco Talos will both present, Vanja will be discussing Exploring Vulnerable Windows Drivers, while Chetan presents Sweet and Spicy Recipes for Government Agencies by SneakyChef.   

**Most prevalent malware files from Talos telemetry over the past week  ****SHA 256: 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647 **

MD5: bbcf7a68f4164a9f5f5cb2d9f30d9790 

VirusTotal: https://www.virustotal.com/gui/file/0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647/details 

Typical Filename: cwjhtmbwgyomzrhbo.exe 

Claimed Product: n/a 

Detection Name: Win.Dropper.Scar::1201  

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca **

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/detection 

Typical Filename: VID001.exe 

Claimed Product: n/a 

Detection Name: Coinminer:MBT.26mw.in14.Talos 

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   **

MD5: 200206279107f4a2bb1832e3fcd7d64c  

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details%C2%A0 

Typical Filename: lsgkozfm.bat  

Claimed Product: N/A  

Detection Name: Win.Dropper.Scar::tpd    

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   **

MD5: 71fea034b422e4a17ebb06022532fdde   

VirusTotal: https://www.virustotal.com/gui/file/bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a/details 

Typical Filename: VID001.exe   

Claimed Product: N/A   

Detection Name: RF.Talos.80   

**SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   **

MD5: 8b84d61bf3ffec822e2daf4a3665308c   

VirusTotal: https://www.virustotal.com/gui/file/3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66/details%C2%A0 

Typical Filename: RemComSvc.exe   

Claimed Product: N/A   

Detection Name: W32.3A2EA65FAE-95.SBX.TG

Tag

#backdoor