Global organizations and geopolitical entities must adopt new strategies to combat the growing sophistication in attacks that parallel the complexities of our new geopolitical reality.

Source: Dragon Claws via Alamy Stock Photo

COMMENTARY

Today, it's rare for a month to pass without reports of new distributed denial-of-service (DDoS) attacks driven by geopolitical instability. Now, a single attack can include numerous countries and networks. While the war between Russia and Ukraine and elections in NATO countries like Poland drive geopolitically focused DDoS attacks, it's important to understand that these threats were present long before these conflicts, and will be around long after. But why are these attacks against governmental institutions so prominent, and why do they impact all of us in the first place? 

That is partially because changes in political leadership often correlate directly with a spike in DDoS attacks. For example, in Poland, DDoS attack volume increased fourfold within days of its new government being sworn into office. These spikes often result from hacktivist groups (e.g., KillNet, Noname057, Anonymous Sudan) opposing the viewpoints of newly elected officials. They impact the rest of us because DDoS attacks must cross multiple Internet service providers (ISPs) to reach the intended victim. 

Unfortunately, even an attack that is effectively mitigated will use up valuable resources on any ISP network it reaches. We refer to this as the "DDoS tax," which increases the cost of network operation, making it more expensive for everyone. In fact, global ISPs reported a 500% global increase in HTTP/S application layer attacks since 2019, and 17% growth in DNS reflection/amplification volumes in the first half of 2023. Furthermore, it is alarming that carpet-bombing attacks, a technique that simultaneously targets entire IP address ranges, increased by 110% from the first to the second half of 2022, with most attacks occurring against ISP networks.

The bottom line is that there is no escape from DDoS attacks on governmental institutions, and threat intelligence needs to be taken more seriously because of how universal the threat can be when it comes to compromising global ISP networks and additional IT infrastructure. Therefore, it is key for governmental entities to suppress DDoS attacks before they can begin.

**Comprehensive and Adaptive Defenses for Evolving DDoS Attacks**

With nation-states, bad actors often directly target Internet infrastructure to take out critical communications, ecommerce, and other vital infrastructure dependent on Internet connectivity. That means attackers target ISP networks to purposefully degrade Internet connectivity. Further, these bad actors typically have vastly more resources at their disposal than other attackers. They constantly innovate and explore new and more powerful DDoS attack vectors, evidenced by the creation of new ones every year, such as DNS Water Torture and Carpet Bombing. All the while, as DDoS defenses become more effective, bad actors continue to sidestep these defenses with new DDoS attack vectors and methodologies. These advanced techniques invariably find their way into the hands of criminal gangs and even individual hackers, who turn them against any entity from whom they can profit.

With the increased persistence of cybercriminals and the growth in complexity of DDoS attacks, the foundation for a comprehensive DDoS protection solution should identify and stop all types of DDoS attacks before they impact the availability of business-critical services. With today's growing frequency and complexity of DDoS attacks, a multilayer defense strategy is now no longer nice to have, but a requirement. New techniques such as adaptive DDoS strategies, which change vectors based on the defense that is presented, reinforce the need for better agility and efficiency when it comes to managing these increasingly complex attacks.

In the end, threat actors will continue using DDoS attacks as a way to further disrupt and inflame sociopolitical tensions around the world. Security professionals need to consider both local and international conflicts when assessing the DDoS risk factors associated with nation-state attacks. The unfortunate reality is that bad actors continue to find new ways to orchestrate attacks through evolving methodologies. As such, global organizations and geopolitical entities must adopt new strategies right now, such as advanced DDoS defense and suppression, to combat this growing sophistication in attacks that parallel the complexities of our new geopolitical reality.

**About the Author(s)**

Director, Security Solutions, Netscout

Gary is an industry veteran, bringing over 20 years of broad technology experience including routing and switching, wireless, mobility, collaboration, and cloud but always with a focus on security. His previous roles include solutions architect, security SME, sales engineering, consultancy, product management, IT and customer support. Prior to joining Netscout in 2012, he spent 12 years at Cisco Systems and held positions with Avaya and Cable & Wireless.

How Nation-State DDoS Attacks Impact Us All

Though April’s monthly security update from Microsoft includes 150 vulnerabilities, only three of them are considered “critical."

Tuesday, April 9, 2024 14:23

In one of the largest Patch Tuesdays in years, Microsoft disclosed 150 vulnerabilities across its software and product portfolio this week, including more than 60 that could lead to remote code execution. 

Though April’s monthly security update from Microsoft is the largest since at least the start of 2023, only three of the issues disclosed are considered “critical,” all of which are remote code execution vulnerabilities in Microsoft Defender for IoT.  

Most of the remainder of the security issues are considered “important,” and only two are “moderate” severity. 

The three critical vulnerabilities — CVE-2024-21322, CVE-2024-21323 and CVE-2024-29053 — are all remote code execution vulnerabilities in Microsoft Defender for IoT. Though little information is provided on how these issues could be exploited, Microsoft did state that exploitation of these vulnerabilities is “less likely.”  

There are also three vulnerabilities for which Microsoft said it had detected exploitation of the vulnerability in the wild: 

*   CVE-2024-26241: Elevation of privilege vulnerability in Win32k 
*   CVE-2024-28903: Security feature bypass vulnerability in Windows Secure Boot 
*   CVE-2024-28921: Security feature bypass vulnerability in Windows Secure Boot 

More than half of the code execution vulnerabilities exist in Microsoft SQL drivers. An attacker could exploit these vulnerabilities by tricking an authenticated user into connecting to an attacker-created SQL server via ODBC, which could result in the client receiving a malicious network packet. This could allow the adversary to execute code remotely on the client. 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63254 - 63257, 63265 - 63271, 63274 and 63275. There are also Snort 3 rules 300873, 300874 and 300877 - 300879.

April’s Patch Tuesday includes 150 vulnerabilities, 60 which could lead to remote code execution

The company is asking users to retire several network-attached storage (NAS) models to avoid compromise through a publicly available exploit that results in backdooring.

Source: Tiny Ivan via Alamy Stock Photo

A critical flaw in several end-of-life (EOL) models of D-Link network-attached storage (NAS) devices can allow attackers to backdoor the device and gain access to sensitive information, among other nefarious activities.

More than 92,000 devices currently connected to the Internet are affected by a flaw tracked as CVE-2024-3273 in D-Link NAS devices, including models DNS-340L, DNS-320L, DNS-327L, and DNS-325, according to D-Link. As a result, the company is asking customers to sunset any and all affected devices, which will remain vulnerable as the devices no longer receive updates or support from the vendor.

A researcher who goes by the online name "netsecfish" identified the flaw and detailed it on GitHub and subsequently informed D-Link about it, which released its own advisory. The researcher also released an exploit for the flaw, in which attackers already are showing interest, according to a post on X (formerly Twitter) by Shadowserver.

"We have started to see scans/exploits from multiple IPs for CVE-2024-3273," according to the post. "This involves chaining of a backdoor and command injection to achieve RCE."

Flaws in NAS devices are serious business, as exploiting them has great potential to affect not only the device itself but myriad devices that connect to it, posing a dangerous threat that can expose enterprise networks to risk.

**Data Theft, Denial of Service & More**

The vulnerability exists in the nas\_sharing.cgi CGI script, leading to backdooring through username and password exposure as well as command injection through the system parameter, explained netsecfish.

"Affected is an unknown function of the file /cgi-bin/nas\_sharing.cgi of the component HTTP GET Request Handler," according to the listing for the flaw in the National Institute of Standards and Technology's (NIST's) National Vulnerability Database. "The manipulation of the argument system leads to command injection."

To get more granular, in terms of username and password exposure, the problem lies in the request, which "includes parameters for a username (user=messagebus) and an empty password field (passwd=)," according to netsecfish. "This indicates a backdoor allowing unauthorized access without proper authentication."

For command injection, attackers can exploit the "system" parameter within the request, "which carries a base64 encoded value that, when decoded, appears to be a command," according to netsecfish.

Attackers can chain the two issues together to obtain arbitrary command execution on the affected D-Link NAS devices, granting attackers potential access to sensitive information, system configuration alteration, or denial of service.

Netsecfish's exploit entails crafting malicious HTTP requests by preparing an HTTP GET request–GET /cgi-bin/nas\_sharing.cgi?user=messagebus&passwd=&cmd=15&system=<BASE64\_ENCODED\_COMMAND\_TO\_BE\_EXECUTED>–targeting the /cgi-bin/nas\_sharing.cgi endpoint.

**Replace & Retire Vulnerable D-Link Devices**

A report published last year found that companies in every industry continue to leave backup and storage platforms unsecured, making it crucial for them to ensure cybercriminals can't exploit vulnerable ones to enter corporate networks.

With no forthcoming patch for CVE-2024-3273, the only true remedy is not to use affected devices at all, so anyone with one still connected to a network should retire and replace the product immediately, according to D-Link. A complete list of devices can be found in D-Link's advisory.

Indeed, the company remained adamant that it has no plans to support or update the affected products as per its typical device EOL strategy. "Regardless of product type or sales channel, D-Link's general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease," according to D-Link.

If consumers in the US continue to use the device against the company's recommendation, they should "please make sure the device has the last know firmware," which can be located on a Legacy Website links included in the advisory, according to D-Link.

Anyone who wants to continue using the device also should ensure frequent updating of the device's unique password to access its Web configuration, as well enable Wi-Fi encryption with a unique password.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

92K D-Link NAS Devices Open to Critical Command-Injection Bug

Human rights activists in Morocco and the Western Sahara region are the targets of a new threat actor that leverages phishing attacks to trick victims into installing bogus Android apps and serve credential harvesting pages for Windows users.
Cisco Talos is tracking the activity cluster under the name Starry Addax, describing it as primarily singling out activists associated with

Hackers Targeting Human Rights Activists in Morocco and Western Sahara

Cisco Talos is disclosing a new threat actor we deemed “Starry Addax” targeting mostly human rights activists, associated with the Sahrawi Arab Democratic Republic (SADR) cause with a novel mobile malware.

*   Cisco Talos is disclosing a new threat actor we deemed “Starry Addax” targeting mostly human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause with a novel mobile malware. 
*   Starry Addax conducts phishing attacks tricking their targets into installing malicious Android applications we’re calling “FlexStarling.” 
*   For Windows-based targets, Starry Addax will serve credential-harvesting pages masquerading as login pages from popular media websites. 

_Talos would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation._ 

**Starry Addax has a special interest in Western Sahara**

The malicious mobile application (APK), “FlexStarling,” analyzed by Talos recently masquerades as a variant of the Sahara Press Service (SPSRASD) App. The Sahara Press Service is a media agency associated with the Sahrawi Arab Democratic Republic. The malware will serve content in the Spanish language from the SPSRASD website to look legitimate to the victim. However, in actuality, FlexStarling is a highly versatile malware capable of deploying additional malware components and stealing information from the infected devices. 

 Splash screen for the malicious application.

Starry Addax’s infrastructure can be used to target Windows- and Android-based users. This campaign's infection chain begins with a spear-phishing email sent to targets, consisting of individuals of interest to the attackers, especially human rights activists in Morocco and the Western Sahara region. The email contains content that requests the target to install the Sahrawi News Agency’s Mobile App or include a topical theme related to the Western Sahara.  

Some examples of the subject lines of the phishing emails consist of: 

طلب تثبيت التطبيق على هواتف متابعي وكالة الأنباء الصحراوية 

Request to install the application on the phones of Sahrawi News Agency followers 

الوفد برلماني الأوروبي يدلي بتصريحات 

The European Parliament delegation makes statements 

الوفد برلماني يدلي بتصريحات 

A parliamentary delegation makes statements 

عاجل وبالفيديو ونقلاً عن جريدة إلبايس 

Urgent, video, and quoted from El Pais newspaper 

The email originating from an attacker-owned domain, ondroid\[.\]site, consists of a shortened link to an attacker-controlled website and domain. Depending on the requestor’s operating system, the website will either serve the FlexStarling APK for Android devices or redirect the victim to a social media login page to harvest their credentials. The links observed by Talos so far are:  

www\[.\]ondroid\[.\]store/aL2mohh1 

www\[.\]ondroid\[.\]store/ties5shizooQu1ei/ 

**Starry Addax likely to escalate momentum **

Campaigns like this that target high-value individuals usually intend to sit quietly on the device for an extended period. All components from the malware to the operating infrastructure seem to be bespoke/custom-made for this specific campaign indicating a heavy focus on stealth and conducting activities under the radar. The use of FlexStarling with a Firebase-based C2 instead of commodity malware or commercially available spyware indicates the threat actor is making a conscious effort to evade detections and operate without being detected. 

The timelines connected to various artifacts used in the attacks indicate that this campaign is just starting and may be in its nascent stages with more infrastructure and Starry Addax working on additional malware variants. 

**FlexStarling – A highly capable implant **

The FlexStarling malware app requests a plethora of permissions from the Android OS to extract valuable information from the infected mobile device. The following list contains the permissions acquired by FlexStarling via its AndroidManifest\[.\]xml: 

Some of these permissions are dynamically requested at runtime: READ\_CALL\_LOG, READ\_EXTERNAL\_STORAGE, READ\_SMS, READ\_CONTACTS, WRITE\_EXTERNAL\_STORAGE, INTERNET, ACCESS\_NETWORK\_STATE, RECORD\_AUDIO, READ\_PHONE\_STATE. 

**Anti-emulation checks **

When the implant runs, it checks the BUILD information for keywords or phrases that indicate that it is running on an emulator or analysis tool. The implant checks for the following keywords: 

*   BUILD\[MANUFACTURER\] does not contain: “Genymotion”. 
*   BUILD\[MODEL\] does not contain any of: “google\_sdk”, “droid4x”, “Emulator”, "Android SDK built for x86" 
*   BUILD\[HARDWARE\] does not contains any of: “goldfish”, “vbox86”, “nox”. 
*   BUILD\[FingerPrint\] does not start with “generic”. 
*   BUILD\[Product\] does not consist of any of: “sdk”, “google\_sdk”, “sdk\_x86”, “vbox86p”, “nox”. 
*   BUILD\[Board\] does not contain: “nox”. 
*   BUILD\[Brand\] or Device does not start with “generic”.  

The implant also checks for the presence of the following emulation/virtualization-related files in the filesystem: 

*   /dev/socket/genyd 
*   /dev/socket/baseband\_genyd 
*   /dev/socket/qemud 
*   /dev/qemu\_pipe 
*   ueventd.android\_x86.rc 
*   X86.prop 
*   ueventd.ttVM\_x86.rc 
*   init.ttVM\_x86.rc 
*   fstab.ttVM\_x86 
*   fstab.vbox86 
*   init.vbox86.rc 
*   ueventd.vbox86.rc 
*   fstab.andy 
*   ueventd.andy.rc 
*   fstab.nox 
*   init.nox.rc 
*   Ueventd.nox.rc 

If none of the keywords or files are found or all checks are passed, the malicious app tries to gain permissions for managing external storage areas (shared storage space) on the device using the permission “MANAGE\_EXTERNAL\_STORAGE”.  The actor wants to gain the ability to read, write, modify, delete and manage files on external storage locations.  

**Stealing information and executing arbitrary code **

The malware obtains command codes and accompanying information from the C2 server. It then generates the MD5 hash string of the command code and compares its list of hardcoded hashes. The corresponding activity is carried out by the implant once a match is found. 

The various commands supported by the sample are: 

Command code MD5 hash 

Decode command code 

Intent 

801ab24683a4a8c433c6eb40c48bcd9d 

Download 

Download a file specified by a URL to the Downloads directory. 

e8606d021da140a92c7eba8d9b8af84f 

unknown 

Copy files from the download's directory to the application package directory 

725888549d44eb5a3a676c018df55943 

unknown 

Decrypt a dex file located in the application package directory and reflectively load it. 

3a884d7285b2caa1cb2b60f887571d6c 

unknown 

Cleanup directories – remove all files: 

*   Cache directory. 
    
*   Application package directory (including “/oat/”). 
    
*   External Cache Directory. 
    

f2a6c498fb90ee345d997f888fce3b18 

Delete 

Delete a specified filepath. 

3e679cff5b3a6f6f8f32aead541a0a12 

Drop 

Upload a local file to the attacker’s dropbox folders using the Dropbox API. 

The ACCESS TOKEN, local filepath and remote upload path is specified by the C2. 

fb84708d32d00fca5d352e460776584c 

DECRYPT 

AES Decrypt a file from the application package directory using the secret key and IV specified and write it to a file named “.EXEC.dex” 

0ba4439ee9a46d9d9f14c60f88f45f87 

check 

Check if a file inside the application package directory exists. 

These commands are supported by accompanying information and consist of the following variables being sent across by the C2: 

**DURL:** Indicates the download URL used by the “Download” command above. 

**APPNAME:** Indicates the filename to use for the destination file during the “Download” command. 

**DEX:** Contains the source file name to be used during the Decrypt (and reflectively load) commands. 

**ky1:** Indicates a value to be used in the context of specific command codes: 

*   Delete = File to be deleted. 
*   Drop = File to be read and uploaded to Dropbox. 
*   DECRYPT = Secret key used for AES decryption. 
*   Check = Filename to be whose presence is to be checked in the application package directory. 

 **ky2:** Indicates a value to be used in the context of specific command codes: 

*   Drop = Remote file location where the local file needs to be uploaded on Dropbox. 
*   DECRYPT = IV used for AES decryption. 

 **ky3:** Indicates a value to be used in the context of specific command codes: 

*   Drop = Dropbox ACCESS TOKEN value to be used during file upload. 
*   DECRYPT = IV used for AES decryption. 

 **fl:** Filename used during the DEX reflective load process.  

**ky4:** Used as a parameter during reflective loading of the DEX file. 

**ky5:** Secret key used for AES decryption as part of the implant’s DEX decrypt and reflective load. 

**ky6:** IV used for AES decryption as part of the implant’s DEX decrypt and reflective load. 

**ky7**: Contains the source file name to be used during the AES decryption as part of the implant’s DEX decrypt and reflective load. 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

 Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

 Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

**IOCs **

IOCs for this research can also be found at our GitHub repository here. 

**Hashes **

f7d9c4c7da6082f1498d41958b54d7aeffd0c674aab26db93309e88ca17c826c 

ec2f2944f29b19ffd7a1bb80ec3a98889ddf1c097130db6f30ad28c8bf9501b3 

**Network IOCs **

hxxps\[://\]runningapplications-b7dae-default-rtdb\[.\]firebaseio\[.\]com 

ondroid\[.\]site 

ondroid\[.\]store 

bit\[.\]ly/48wdj1m 

www\[.\]ondroid\[.\]store/aL2mohh1 

bit\[.\]ly/48E4W3N 

www\[.\]ondroid\[.\]store/ties5shizooQu1ei/

Starry Addax targets human rights defenders in North Africa with new malware

A man has pleaded guilty to assuming someone else's identity for 35 years.

Sometimes the consequences of a stolen identity exceed anything you could have imagined.

Matthew David Keirans, a 58-year-old former hospital employee has pleaded guilty to assuming another man’s identity since 1988. He was convicted of one count of making a false statement to a National Credit Union Administration insured institution and one count of aggravated identity theft.

The man whose identity he assumed—William Donald Woods—and Keirans worked together in 1988 at a hot dog cart in Albuquerque.

Keirans was wanted for theft, so he used Woods’ identity “in every aspect of his life,” including obtaining employment, insurance and official documents, and even paying taxes under Wood’s name, according to a plea agreement signed by Keirans. He even fathered a child, whose last name is Woods.

In 1990, Keirans obtained a fraudulent Colorado identification card with Woods’ name and birthday. He used the ID to get a job at a fast-food restaurant and to get a Colorado bank account. He bought a car for $600 in 1991, using Wood’s name, with two $300 checks that bounced.

It wasn’t the first time Keirans had committed car theft. When he was 16, he stole a car after running away from his adoptive parents’ home in San Francisco.

In 2012, Keirans fraudulently acquired a copy of Woods’ birth certificate from the state of Kentucky using information he found about Woods’ family on Ancestry.com.

Under the assumed identity, Keirans also worked as a systems architect for the University of Iowa Hospital where he was fired for misconduct related to the identity theft investigation.

Meanwhile, the real William Woods was homeless and living in Los Angeles, when he discovered that someone was using his credit and had accumulated a lot of debt. Woods didn’t want to pay the debt and so went after the account numbers for any accounts he had open so he could close them. He handed a bank employee his real Social Security card and an authentic California Identification card, which matched the information the bank had on file. But because there was a large amount of money in the accounts, the bank employee asked Woods a series of security questions that he was unable to answer.

At that point, the bank employee called Keirans, whose phone number was associated with the accounts. He was able to answer the security questions correctly and stated that no one in California should have access to the accounts.

So, the bank employee called the police and after an investigation, the real Woods was arrested and charged with identity theft and false impersonation, under a misspelling of Keirans’ name: Matthew Kierans.

Because Woods refused to give up his own identity, a judge ruled in February 2020 that he was not mentally competent to stand trial and he was sent to a mental hospital in California, where he received psychotropic medication and other mental health treatment.

For legal reasons, Woods pleaded no contest to the identity theft charges—meaning he accepted the conviction but did not admit guilt—and was sentenced to two years imprisonment with credit for the two years he already served in the county jail and the hospital and was released.

But he didn’t give up his fight for his identity even though the judge ordered him to stop using the name William Woods. He attempted to regain his identity by filing customer disputes with financial organizations to clear his credit report.

It wasn’t until a police detective tested Woods’ biological father’s DNA against Woods’ DNA. Both men had the same birth certificate with the father’s name on it. The DNA test proved Woods was the man’s son. During a follow-up interview Keirans made a mistake and eventually confessed to the prolonged identity theft, according to court documents.

Keirans was indicted on five counts of making a false statement to a National Credit Union Administration insured institution and two counts of aggravated identity theft. He pleaded guilty to one count of each charge, and the other counts were dropped.

A sentence ruling has not yet been scheduled. Keirans is currently in the custody of the US Marshals Service, according to a news release about his plea.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 35-year long identity theft leads to imprisonment for victim 

With a complex attack chain and using Telegram for its command and control, CoralRaider targets victims in Asian countries — and appears to have accidentally infected itself as well.

Source: incamerastock via Alamy Stock Photo

A newcomer cybercrime group linked to Vietnam has targeted individuals and organizations in Asia, attempting to steal social media account information and user data.

CoralRaider, which first appeared in late 2023, relies heavily on social engineering and legitimate services for data exfiltration, and it develops custom tools for loading malware onto victim systems. Yet the group has also made some rookie mistakes, such as inadvertently infecting their own systems, which exposed their activities, threat researchers with Cisco's Talos threat intelligence group stated in a new analysis on CoralRaider.

While Vietnam has become increasingly active in cyber operations, this group does not appear to be working with the government, says Chetan Raghuprasad, security research technical leader for Cisco's Talos group.

"The main priority is financial gain, and the actor is attempting to hijack the victim’s social media business and advertis\[ing\] accounts," he says. "The potential exposure for follow-on attacks, including delivering other malware, is also possible. Our research has not seen any examples of other payloads being delivered."

Vietnam threat actors frequently focus on social media. The infamous OceanLotus group — also known as APT32 — has attacked other governments, dissidents, and journalists in Southeast Asian countries, including in Vietnam. A military-associated group, Force 47 — linked to the Vietnamese army's official television station — regularly attempts to influence social media groups.

CoralRaider, however, appears to be connected to profit motives rather than nationalist agendas.

"At this moment, we do not have any evidence or information on signs of CoralRaider working with the Vietnamese government," Raghuprasad says.

**Multistage Infection Chain**

A CoralRaider campaign typically starts with a Windows shortcut (.LNK) file, often using a .PDF extension in an attempt to fool the victim into opening the files, according to the Cisco analysis. Following that, the attackers move through a series of stages in their attack:

1.  Windows shortcut downloads and executes an HTML application (HTA) file from an attacker-controlled server
    
2.  HTA file executes an embedded Visual Basic script
    
3.  VB script executes a PowerShell script, which then runs three more PowerShell scripts, including a series of anti-analysis checks to detect if the tool is running in a virtual machine, a bypass for the system's User Access Controls, and code that disables any notifications to the user
    
4.  Final script runs RotBot, a loader that performs detection evasion, conducts reconnaissance on the system, and downloads a configuration file
    
5.  RotBot then typically downloads XClient, which collects a variety of user data from the system, including social media account credentials
    

In addition to credentials, XClient also steals browser data, credit card account information, and other financial data. And lastly, XClient takes a screenshot of the victim's desktop and uploads it.

Meanwhile, the researchers say there are indications that the attackers had targeted individuals in Vietnam as well.

"The \[XClient\] stealer function maps the stolen victim's information to hardcoded Vietnamese words and writes them to a text file on the victim machine's temporary folder before exfiltration," the analysis stated. "One example function we observed is used to steal the victim's Facebook Ads account that has hardcoded with Vietnamese words for Account rights, Threshold, Spent, Time Zone, and Date Created."

**Shooting Themselves in the Foot**

The CoralRaider group used an automated bot on the Telegram service as a command-and-control channel and as well as to exfiltrate data from victims' systems. However, the cybercriminal group appears to have infected one of their own machines, because the Cisco researchers discovered screenshots of the information posted to the channel.

"Analyzing the images of the actor's Desktop on the Telegram bot, we found a few Telegram groups in Vietnamese named 'Kiém tien tử Facebook, 'Mua Bán Scan MINI,' and 'Mua Bán Scan Meta,'" Cisco Talos stated in the analysis. "Monitoring these groups revealed that they were underground markets where, among other activities, victim data was traded."

CoralRaider's arrival on the cyber threat scene is not surprising: Vietnam is currently facing an increase in threats from account-stealing malware, says Sakshi Grover, research manager in IDC's Cybersecurity Services group for the Asia/Pacific region.

"While historically less associated with cybercrime compared to other Asian nations, Vietnam's rapid adoption of digital technologies has made it more susceptible to cyber threats," she says. "Advanced persistent threats (APTs) are increasingly targeting government entities, critical infrastructure, and businesses, utilizing sophisticated techniques like custom malware and social engineering to infiltrate systems and steal sensitive data."

Because economic conditions vary across Vietnam — with some areas experiencing limited job opportunities, resulting in low wages for highly skilled roles — individuals can be incentivized to engage in cybercrime to make money, Grover says.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Vietnamese Cybercrime Group CoralRaider Nets Financial Data

So far this year, Ivanti has disclosed a total of 10 flaws — many of them critical — in its remote access products, and one in its ITSM product.

Source: garagestock via Shutterstock

Ivanti CEO Jeff Abbott this week said his company will completely revamp its security practices even as the vendor disclosed another fresh set of bugs in its vulnerability-riddled Ivanti Connect Secure and Policy Secure remote access products.

In an open letter to customers, Abbott committed to a series of changes the company will make in the coming months to transform its security operating model following a relentless barrage of bug disclosures since January. The promised fixes include a complete do-over of Ivanti's engineering, security, and vulnerability management processes and implementation of a new secure-by-design initiative for product development.

**A Thorough Overhaul**

"We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers," Abbott said, in his statement. "We have already begun applying learning from recent incidents to make immediate improvements to our own engineering and security practices."

Some of the specific steps include embedding security into every stage of the software development life cycle and integrating new isolation and anti-exploit features in its products to minimize the potential impact of software vulnerabilities. The company will also improve its internal vulnerability discovery and management process and increase incentives for third-party bug hunters, Abbott said.

In addition, Ivanti will make more resources available to customers for finding vulnerability information and associated documentation and is committed to greater transformation and information sharing with customers, he added.

How much these commitments will help stem growing customer disenchantment with Ivanti remains unclear given the company's recent security track record. In fact, Abbot's comments came one day after Ivanti disclosed four new bugs in its Connect Secure and Policy Secure gateway technologies and issued patches for each of them.

The disclosure followed a similar incident less than two weeks ago that involved two bugs in Ivanti's Standalone Sentry and Neuron's for ITSM products. Ivanti so far has disclosed a total of 11 vulnerabilities — including the four this week — in its technologies since Jan. 1. Many of them have been critical flaws — at least two were zero-days — in the company's remote access products, which attackers, including advanced persistent threat actors such as "Magnet Goblin," have exploited in mass fashion. Concern over the potential for major breaches from some of these bugs prompted the US Cybersecurity and Infrastructure Security Agency (CISA) in January to order all civilian federal agencies to take their Ivanti systems offline and not reconnect the devices until fully remediated.

Security researcher and IANS Research faculty member Jake Williams says the vulnerability disclosures have prompted serious questions from Ivanti's customers. "Based on conversations I'm having, especially with Fortune 500 clients, I honestly think it's a bit of too little, too late," he says. "The time to publicly make this commitment was more than a month ago." There is no question that the issues with the Ivanti VPN appliance (formerly Pulse) are making CISOs question the security of Ivanti's many other products, he says.

**A Fresh Set of 4 Bugs**

The four new bugs Ivanti disclosed this week included two heap overflow vulnerabilities in the IPSec component of Connect Secure and Policy Secure, both of which the company characterized as high-severity risk for customers. One of the vulnerabilities, tracked as CVE-2024-21894, gives unauthenticated attackers a way to run arbitrary code on affected systems. The other, assigned as CVE-2024-22053, allows an unauthenticated remote attacker to read the contents from system memory under certain conditions. Ivanti described both vulnerabilities as allowing attackers to send maliciously crafted requests to trigger denial of service conditions.

The other two flaws — CVE-2024-22052 and CVE-2024-22023 — are two medium-severity vulnerabilities that attackers can exploit to cause denial-of-service conditions on affected systems. Ivanti said that as of April 2, it was not aware of any exploit activity in the wild targeting the vulnerabilities.

The steady stream of bug disclosures has raised questions about the risk that Ivanti's products pose to more than 40,000 customers worldwide, with some expressing their frustration on forums such as Reddit. Just two years ago, Ivanti's press releases claimed 96 of the Fortune 100 companies as its customers. In the latest release that number has declined nearly 12% to 85 companies. While the attrition might have to do with factors other than just security, some Ivanti rivals have begun to sense an opportunity. Cisco, for instance, has begun offering incentives — including a 90-day free trial — to try and get Ivanti VPN customers to migrate to its Secure Access platform so they can "mitigate risk" from Ivanti's products.

**Acquisition Related Problems?**

Eric Parizo, an analyst with Omdia, says at least some of Ivanti's challenges have to do with the fact that the company's product portfolio is the sum of numerous past acquisitions. "The original products were developed at different times by different companies for different purposes using varying methods. This means the software quality, in particular with regard to software security, can be dramatically uneven," he says.

 Parizo says what Ivanti is doing now with its commitment towards improving security processes and procedures across the board is a step in the right direction. "I would also like to see the vendor indemnify its customers for damages directly resulting from these vulnerabilities, as that will help restore confidence in future purchases," he says. "Perhaps the one saving grace for Ivanti is that customers are so used to this sort of event, with cybersecurity vendors suffering countless similar incidents in recent years, that customers are more likely to forgive and forget."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed

An April 2023 study from Kent State University found that remote workers are more likely to be vigilant of security threats and take actions to ward them off than their in-office counterparts.

Thursday, April 4, 2024 14:00

As my manager knows, I’m not the biggest fan of working in a physical office. I’m a picky worker — I like my workspace to be borderline frigid, I hate dark mode on any software, and I want any and all lighting cranked all the way up.  

So, know that I’m biased going into this, but I also can’t get over the idea that companies are using cybersecurity as an excuse to create return-to-office policies in 2024.  

I started thinking about this because of the video game developer Rockstar, which owns some of the largest video game franchises on the planet like Red Dead Redemption and Grant Theft Auto. 

The company recently started asking its employees to return to its physical office five days a week in the name of productivity and security as the company pushes to finish its highly anticipated title “Grand Theft Auto VI.”  

Rockstar has long faced a number of cybersecurity concerns over the years, including a massive leak featuring early, in-progress gameplay of GTA VI in 2022 and other sensitive data. The attack was eventually attributed to the Lapsus$ group, and the perpetrator was eventually charged and sentenced. The first reveal trailer for the game was also leaked ahead of time.  

Many other companies have started to implement return-to-office policies over the past two years, citing various things ranging from worker productivity to interpersonal camaraderie, real estate costs, and more. I’m willing to hear arguments for all those things, but simply thinking that having employees all in one physical space is going to solve security problems seems far-fetched to me.  

We’ve written and talked about the various ways remote work has influenced cybersecurity since the onset of the COVID-19 pandemic. There’s no doubt that admins have had to implement new login methods, security controls and policies since more workers across the globe started working remotely. But four years into this trend, there’s no excuse to not be prepared to have remote workers anymore. 

An April 2023 study from Kent State University found that remote workers are more likely to be vigilant of security threats and take actions to ward them off than their in-office counterparts.  

The use of multi-factor authentication during the rise in remote work has skyrocketed, but often, this requirement is actually dropped if a user is physically in the office or accessing an on-site machine because of the perceived security of being in the office.  

The perceived security of a physical office can sometimes lull admins into a false sense of security, too, because machines located on-site may lack pre-boot authentication or encryption that’s commonly found on remote workers’ devices.  

I’m not saying that working in an office is inherently less secure than remote work, but I do believe that the risks are essentially the same. Regardless of where an employee is working from, they should be using app-based MFA to access all their services. Sensitive software and hardware should rely on passkeys or physical token access rather than outdated password policies that create easy-to-guess or shareable text-based passwords.  

And if security is the name of the game when asking employees to come back into the office, there’s still going to be a monetary investment that comes with that, too. 

Cisco’s recently published Global Hybrid Work study found that only 28 percent of responding employees say they would rank their employers’ office’s “Privacy and security features” as “very well.” To me, that says that even if employers want workers back in the office, they still need to upgrade their security, which is always going to mean more money and greater manpower.  

Security fundamentals should stay the same, no matter where your employees are. And suppose security is a chief concern for a company in wanting to go back to the “traditional” office lifestyle. In that case, I’m willing to bet they still have security gaps to overcome that simply can’t be solved by thinking they’ll be able to keep a closer eye on employees while they’re in the office to keep them from clicking on a phishing email. 

**The one big thing **

Remote system management/desktop access tools such as AnyDesk and TeamViewer have grown in popularity since 2020. While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns. Cisco Talos Incident Response (Talos IR) has recently seen a spike in actors using this type of software as a method of gaining initial access to a network or to spy on the actions of users. Talos IR noted in its Quarterly Trends report for the third quarter of 2023, “AnyDesk was observed in all ransomware and pre-ransomware engagements \[. . .\], underscoring its role in ransomware affiliates' attack chains.” 

**Why do I care? **

The use of these types of tools has increased since the start of the COVID-19 pandemic when remote work became more common. Since this software is legitimate, it can be easy for an attacker to compromise it and sit undetected on a network, bypassing traditional blocking methods. These tools introduce the ability for an adversary to potentially take full remote control of a system, are easy to download and install, and can be very difficult to detect since they are considered legitimate software. 

**So now what? **

Adopting one, or at most two, approved remote management solutions will allow the organization to thoroughly test and deploy in the most secure possible configuration. Once a solution is approved and championed for the organization, other remote management/access tools should be explicitly banned by policy. Due to the complexity of implementing all these controls, detection rules can serve as a backup in case an adversary finds a way to circumvent these mitigations. 

**Top security headlines of the week **

**The U.S. and Britain have jointly filed chargers and sanctions against a Chinese state-sponsored actor known as APT31.** The group is accused of a sweeping espionage campaign allegedly linked to China's Ministry of State Security (MSS) in the province of Hubei. The group reportedly targeted thousands of U.S. and foreign politicians, foreign policy experts and other high-profile targets. Individuals in the White House, U.S. State Department and spouses of officials were also among those targeted. The attacks aligned with geopolitical events affecting China, including economic tensions with the U.S., arguments over control of the South China Sea, and pro-democracy rallies in Hong Kong in 2019. A release from the U.S. Department of Justice stated that the campaigns involved more than 10,000 malicious emails, sent to targets in multiple continents, in what it called a “prolific global hacking operation.” The charges go on to say that APT31 hoped to compromise government institution networks and stealing trade secrets. Seven Chinese nationals are the target of the new sanctions for their alleged involvement with APT31, including the Wuhan XRZ corporation that is tied to the threat actor. (Reuters, U.S. Department of Justice) 

**A silent backdoor on Linux machines was almost a massive supply chain attack, before a lone developer found malicious code hidden in software updates.** The malicious code was hidden in two updates to xz Utils, an open-source data compression utility available on almost all installations of Linux and other Unix-like operating systems. Had it been successfully deployed, adversaries could have stashed malicious code in an SSH login certificate, upload it and execute it on the backdoored device. Whoever is behind this code likely spent years working on it, with open-source updates going back to 2021. The actor never actually took advantage of the malicious code, so it’s unclear what they planned to upload. Researchers eventually identified the vulnerability as CVE-2024-3094. The U.S. Cybersecurity and Infrastructure Security Agency warned government agencies to downgrade their xz Utils to older versions. (Ars Technica, Dark Reading) 

**There is a massive backup with the National Vulnerabilities Database and, consequently, MITRE is unable to compile a list of all new vulnerabilities.** A recent study from Flashpoint found that there was backlog of more than 100,000 vulnerabilities with no CVE number, and consequently, hadn’t been included in the NVD. Of those, 330 vulnerabilities had been exploited in the wild, yet defenders had not been made aware of them. The National Institute of Standards and Technology blamed the backup on an increase in the volume of software available to the public, leading to a larger number of vulnerabilities, as well as “a change in interagency support.” NIST has only analyzed about half of the more than 8,700 vulnerabilities that had been submitted so far in 2024. And in March alone, they only analyzed 199 out of the 3,370 vulnerabilities submitted. Several organizations have tried launching their own alternatives to the NVD, though adoption can still take a long time. NIST has also vowed to remain dedicated to the NVD and that it’s still regrouping its current efforts. (SecurityWeek, The Record by Recorded Future) 

**Can’t get enough Talos? **

*   Enterprise Imperatives: The Critical Importance of Threat Intelligence 
*   Beware the gap between security readiness and confidence levels, Cisco warns 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll |  
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241  
**MD5:** a5e26a50bf48f2426b15b38e5894b189  
**Typical Filename:** a5e26a50bf48f2426b15b38e5894b189.vir  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::1201

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66  
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c  
**Typical Filename:** RemComSvc.exe  
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 62dfe27768e6293eb9218ba22a3acb528df71e4cc4625b95726cd421b716f983  
**MD5:** 0211073feb4ba88254f40a2e6611fcef  
**Typical Filename:** UIHost64.exe  
**Claimed Product:** McAfee WebAdvisor  
**Detection Name:** Trojan.GenericKD.68726899

There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office

A suspected Vietnamese-origin threat actor has been observed targeting victims in several Asian and Southeast Asian countries with malware designed to harvest valuable data since at least May 2023.
Cisco Talos is tracking the cluster under the name CoralRaider, describing it as financially motivated. Targets of the campaign include India, China, South Korea, Bangladesh, Pakistan, Indonesia,

Tag

#cisco