By Deeba Ahmed
The attacks, potentially linked to Russian APT Sandworm, exploited vulnerabilities in Zyxel firewalls.
This is a post from HackRead.com Read the original post: Forescout Report Uncovers New Details in Danish Energy Hack

The potential involvement of Sandworm, the wider threat beyond attribution, the vulnerability of Zyxel firewalls and the focus on European energy firms call for improved cybersecurity posture and threat intelligence.

Forescout, a global cybersecurity leader, has provided new evidence about two attacks on the Danish energy sector in May 2023 (PDF). Their report, ‘Clearing the Fog of War,’ highlights the need for better network monitoring and incident response plans and analyzes the potential involvement of an advanced persistent threat (APT) group called Sandworm.

For your information, SektorCERT, Denmark’s critical infrastructure CERT, reported a significant cyber-related attack on 22 Danish energy sector companies between May 11-30, 2023. The attacks, linked to Russian APT Sandworm, exploited vulnerabilities in Zyxel firewalls. Despite SektorCERT’s swift response, some companies were forced into island mode, allowing attackers to access industrial control systems.

Forescout Research-Vedere Labs report shed light on this incident. Reportedly, the first wave of attacks started on May 11, 2023, exploiting CVE-2023-28771, a pre-authentication OS command injection vulnerability in unpatched Zyxel firewalls.

A second wave occurred on May 22, 2023, where attackers downloaded MIPS binaries from 45.89.106147 to Zyxel firewalls in an energy sector organization containing Mirai variants with Moobot flavour indicators. The firewalls participated in DDoS and SSH brute-force attacks against targets in Hong Kong, the U.S., and Canada.

Zyxel firewalls at other SektorCERT member organizations were also observed downloading Mirai variants from staging servers, historically associated with malware distribution, adware, ransomware, and Log4j exploitation attempts.

 “After the second incident, further attacks targeted exposed devices within critical infrastructure worldwide in the ensuing months,” the report read.

Researchers couldn’t fully attribute the attacks to Sandworm given the difference between the two waves. The first wave targeted a limited number of targets using a PoC-less n-day while the second wave involved Zyxel firewalls infected by staging servers with a history of mass exploitation and crimeware, explained Elisa Costante, VP of Research at Forescout Research–Vedere Labs.

The study found numerous IP addresses exploiting the Zyxel vulnerability CVE-2023-28771, first reported by TRAPA Security in June 2023 and added to the CISA KEV catalogue in May 2023 with a 9.8 severity rating.

In April 2023, Zyxel announced patches for impacted firewalls, including USG Flex, ATP, ZyWALL/USG, and VPN. However, FortiGuard Labs reported a rise in DDoS botnets exploiting the Zyxel vulnerability, which persisted as late as October 2023 and spread across various devices, including Zyxel firewalls.

In May 2023, Hackread reported how a variant of the Mirai botnet, IZ1H9, successfully hacked Zyxel Firewalls using a patched command injection vulnerability, potentially leading to DDoS attacks. Researchers from Palo Alto Networks’ Unit 42 identified it as the most active Mirai variant.

Europe faces high exploitation attempts, with 80% of publicly identifiable and potentially vulnerable firewalls located there. Six European power companies are at risk of exploitation by malicious actors due to their use of Zyxel firewalls, highlighting the need for prioritizing threat intelligence in the energy sector.

Living off the land (LotL) attacks offer stealth benefits, allowing attackers to abstract away from legacy/proprietary protocols. Energy firms and critical infrastructure organizations must remain alert to attacks on unpatched network infrastructure devices.

Exposed Zyxel firewalls

**Expert Opinions**

For insight into the new development, we reached out to John Gallagher, Vice President of Viakoo Labs at Viakoo who praised Forescout for “digging deeper into exploits against critical infrastructure, and getting closer to the truth of what is behind these attacks.”

“Getting a more accurate assessment of these attack vectors, and getting to that truth more quickly as Forescout has provided, is crucial in protecting these critical assets. Disrupting cyber adversaries in their efforts is one form of defence; that’s why getting specific as to who is the threat actor is critical to defending ICS infrastructure,” he said.

“Forescout’s analysis points to the spillover from nation-state-directed cyber exploits to mass exploitation campaigns, which is an alarming trend. As “mass market” threat actors become more skilled at working within the unique languages and protocols of ICS systems it dramatically increases the risk of non-affiliated threat actors providing “as a service” ICS exploitation,” John added.

“In addition, this means organizations who depend on IoT/OT/ISC systems will be direct targets at some point to the same threats being launched against national critical infrastructure.”

Jose Seara, CEO and founder at DeNexus emphasizes the need for companies to “strengthen their cybersecurity posture” by understanding their cyber risks, identifying them, and quantifying them in monetary terms.

“Critical infrastructure and industrial sites have been increasingly targeted by threat actors and they all need to strengthen their cybersecurity posture. It is imperative for these companies to better understand their cyber risks, identify them and quantify them in monetary terms to drive data-driven decisions on cybersecurity investments,” said Jose.

“Additionally, new SEC regulations on cybersecurity reporting in the U.S. and the NIS2 in Europe are mandating the reporting cyber risk management, expanding the associated consequences of attacks beyond standard security concerns and putting organizations who do not comply at risk of potential legal and financial implications,” he added.

****_RELATED ARTICLES_****

1.  **Mirai botnet exploiting Azure OMIGOD vulnerabilities**
2.  **DDoS Attacks Hit Denmark Central Bank and 7 Private Banks**
3.  **Attacker builds malware variant with leaked Mirai source code**
4.  **Denmark’s largest train operator hit by service crippling DDoS attack**
5.  **Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer**

Forescout Report Uncovers New Details in Danish Energy Hack

Gentoo Linux Security Advisory 202312-4 - A vulnerability has been found in Arduino which bundled a vulnerable version of log4j. Versions greater than or equal to 1.8.19 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Arduino: Remote Code Execution  
     Date: December 22, 2023  
     Bugs: #830716  
       ID: 202312-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in Arduino which bundled a vulnerable  
version of log4j.

Background  
=========  
Arduino is an open-source AVR electronics prototyping platform.

Affected packages  
================  
Package               Vulnerable    Unaffected  
--------------------  ------------  ------------  
dev-embedded/arduino  < 1.8.19      >= 1.8.19

Description  
==========  
A vulnerability has been discovered in Arduino. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
Arduino bundles a vulnerable version of log4j that may lead to remote  
code execution.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Arduino users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-embedded/arduino-1.8.19"

References  
=========  
[ 1 ] CVE-2021-4104  
      https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-04

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-04

By Deeba Ahmed
The 8220 gang, believed to be of Chinese origins, was first identified in 2017 by Cisco Talos when they targeted Drupal, Hadoop YARN, and Apache Struts2 applications for propagating cryptojacking malware.
This is a post from HackRead.com Read the original post: 8220 Gang Targets Telecom and Healthcare in Global Cryptojacking Attack

The 8220 Gang is exploiting multiple vulnerabilities, including the Oracle WebLogic Server vulnerability, to propagate cryptojacking malware in the Americas, Europe, and Africa.

Imperva Threat Research has discovered undocumented activity from a hacker group known as the 8220 gang. This group is known for mass malware deployment using an ever-evolving arsenal of TTPs. The 8220 gang mainly targets Windows and Linux web servers with cryptojacking malware.

The 8220 gang, believed to be of Chinese origins, was first identified in 2017 by Cisco Talos when it targeted Drupal, Hadoop YARN, and Apache Struts2 applications for propagating cryptojacking malware. the group exploited Confluence and Log4j vulnerabilities, and recently, Trend Micro found them leveraging Oracle WebLogic vulnerability (CVE-2017-3506) to infect systems.

According to Imperva’s blog post, the 8220 gang is also exploiting CVE-2020-14883, a Remote Code Execution vulnerability in the Oracle WebLogic Server, to spread malware. This vulnerability allows remote attackers to execute code using a gadget chain. It is often chained with CVE-2020-14882 (authentication bypass vulnerability) or leaked/weak/stolen credentials. The gang uses two gadget chains; one loads an XML file, and the other executes commands on the OS.

Credit: Imperva

Driven by financial motives, this gang uses simple exploits to target vulnerabilities and exploit easy targets. Despite their unsophisticated nature, they constantly evolve their tactics to evade detection. Attributing attacks to this group is straightforward due to their use of traceable IoCs and TTPs, frequently reusing the same IP addresses, web servers, payloads, and attack tools.

The 8220 gang uses various methods to target Linux hosts, including cURL, wget, lwp-download, python urllib, and a custom bash function. They also use a PowerShell WebClient command on Windows to execute a downloaded script.

In another variation, they use a gadget chain to run Java code without an externally hosted XML file. The injected Java code evaluates whether the OS is Windows or Linux and executes the appropriate command strings. The downloaded files are executed, infecting the exploited hosts with known AgentTesla, rhajk, and nasqa malware variants.

According to Imperva researchers, the 8220 gang appears to be an opportunistic group because of its target selection, which includes healthcare, telecommunications, and financial services.

It mainly targets organizations in the United States, South Africa, Spain, Columbia, and Mexico. Moreover, the gang prefers using custom tools written in Python in their attack campaigns, and the attacking IPs are associated with known hosting companies.

Imperva Cloud WAF and on-prem WAF have identified and mitigated web vulnerabilities used by the 8220 gang for malicious activities. These vulnerabilities include CVE-2017-3506, CVE-2019-2725, CVE-2020-14883, CVE-2021-26084, CVE-2021-44228, Apache Log4j JNDI, and CVE-2022-26134.

Imperva is urging organizations to maintain security. Enterprises should patch their applications and implement multiple security measures to protect against falling victim to such groups.

****_RELATED ARTICLE_****

1.  **Patched OpenSSH Exploited for IoT, Linux Cryptomining**
2.  **Hackers mining Monero on Microsoft SQL databases for last 2 years**
3.  **Malicious Chrome extensions stealing data with cryptomining malware**
4.  **Cryptomining, Malware Flourish on Misconfigured Kubernetes Clusters**
5.  **New JaskaGO Malware Targets Mac and Windows for Crypto, Browser Data**

8220 Gang Targets Telecom and Healthcare in Global Cryptojacking Attack

Gentoo Linux Security Advisory 202312-2 - A vulnerability has been found in Minecraft Server which leads to remote code execution. Versions greater than or equal to 1.18.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Minecraft Server: Remote Code Execution  
     Date: December 20, 2023  
     Bugs: #828936  
       ID: 202312-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been found in Minecraft Server which leads to remote  
code execution.

Background  
==========

Minecraft Server is the official server for the sandbox video game.

Affected packages  
=================

Package                        Vulnerable    Unaffected  
-----------------------------  ------------  ------------  
games-server/minecraft-server  < 1.18.1      >= 1.18.1

Description  
===========

A vulnerability has been discovered in Minecraft Server. Please review  
the CVE identifier referenced below for details.

Impact  
======

Vulnerable Minecraft Server versions include a bundled version of log4j  
which is vulnerable to remote code execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Minecraft Server users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=games-server/minecraft-server-1.18.1"

References  
==========

[ 1 ] CVE-2021-4104  
      https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-02

Everyone's New Year's Resolution should be to stop using passwords altogether.

Thursday, December 14, 2023 14:00

As you’ve probably seen by now, Talos released our 2023 Year in Review report last week. It’s an extremely comprehensive look at the top threats, attacker trends and malware families from the past year with never-before-seen Cisco Talos telemetry. 

We have podcasts, long-form videos and even Reddit AMAs to keep you covered and make it easy to digest our major takeaways from the report. Or, just kick back with a cup of coffee and read the full report — your choice! 

With this being the last Threat Source newsletter of the calendar year, I figured I’d do a Year in Review of my own. I don’t have the data or first-hand research to back any of these statements up, this is purely just _vibes_\-based or things I’ve discovered about myself and my cybersecurity habits over the past year, so while you may not be able to deploy any of these things on your firewall, I hope they serve as good advice to anyone thinking about the security landscape heading into the new year. 

*   **Do as I say, not as I do.** Before my daughter was born, I wrote in this newsletter about how I was skeptical about posting her face online and entering her personal data into various platforms while she’s so young and unable to even understand what a phone is. As soon as she was old enough to smile, I folded quickly. I’ll admit that I’ve posted her face all over Instagram, supplied her information to Gerber to enter her into the annual Gerber Baby competition (she came up short behind Maddie, apparently) and given personal information to who knows what sites while I was randomly trying to get answers to my first-time parent questions at 2 a.m. when she was getting her first tooth. None of these things are particularly smart in the long run, but as an unbiased observer, I can confidently say her cuteness on the internet only makes it a better place. 
*   **Just assume your passwords are going to get out there.** Several major password management services were hit with data breaches this year. And there were countless headlines about how brute-forcing password guesses led to others. The basic idea of a password manager is that your login information is inherently safer than just using the same password repeatedly, writing them down on a physical sheet of paper, or just hoping you remember each time you log in. At this point, I think it’s just safe to say that passwords are not your safest option. Passkeys and a passwordless approach to security are becoming increasingly popular, so where you can enroll in that, do it. Or if a traditional username and password combination is your only option, change that password as often as you can and make sure you have multi-factor authentication enabled to whatever password management service you use.  
*   **It’s time to get off Twitter.** Or X, whatever you want to call it. This platform has fully jumped the shark at this point and is rife with misinformation. The company has completely torn down any internal teams it has dedicated to fighting fake news or scams and searching for literally anything will surface misleading information, outright lies or offensive content. I miss the days when I could go to Twitter and search for a topic to get updates on a particular news item. I’m writing this on Dec. 13, and in the “Trending” sidebar on Twitter, I saw that “#cyberattack” was trending. Naturally, I wanted to see if there was an event going on I should be aware of, for obvious reasons. Instead, my results in the “Top” section included some word salad about the Bank of England targeting its own country’s critical infrastructure, a nonsensical clip from commentator Dan Bongino about woke leftists showing a cyber pandemic in a new movie, and a shocking amount of conspiracy theories about said new movie “Leave the World Behind.” It reminds me of the Michael Bluth line from “Arrested Development” when he grabs the bag out of the fridge that says, “Dead Dove DO NOT EAT.” 
*   **Don’t ever assume a threat is gone forever.** Over the past year, many major threat actors and malware operators that were once thought removed showed they could find a way back. The story of the FBI’s takedown of the Qakbot botnet was a major headline in August, and anyone who read the basic coverage would have thought, “Cool, don’t need to worry about those guys anymore!” However, subsequent research from Talos and other security firms found that remnants of Qakbot are still around, specifically services dedicated to sending spam. Trickbot, a major threat actor known for big game hunting, recently switched up its tactics and is actively targeting organizations in Ukraine, despite its developer being arrested and pleading guilty to several U.S. federal charges. And Emotet, which is known for its various stops-and-starts, is relatively quiet right now but was briefly active again earlier this year. This is not to say that these law enforcement server takedowns and arrests aren’t working — anything we can do to make the bad guys’ lives harder is a win in the end — but it’s continued proof that we can never really count any threat out.  

**The one big thing **

Cisco Talos recently discovered a new campaign conducted by the Lazarus Group we’re calling “Operation Blacksmith,” employing at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram bots and channels as a medium of command and control (C2) communications. Our latest findings indicate a definitive shift in the tactics of the infamous North Korean state-sponsored actor. 

**Why do I care? **

This particular activity can be attributed to Andariel, a spinoff of the Lazarus Group. They’re actively exploiting the Log4shell vulnerability in Log4j, which is virtually everywhere. The hope is that most people have patched since the ubiquitous vulnerability was discovered in late 2021, but telemetry indicates there are many vulnerable instances still out there. Once infected, Andariel looks to install other malware loaders on the targeted machines and executes remote code that allows them to learn about the details of the system.  

**So now what? **

Talos’ blog outlines the numerous ways Cisco Secure products have protections in place to defend against Operation Blacksmith and other activities from Lazarus Group. 

**Top security headlines of the week **

**Hundreds of Windows and Linux devices from a range of manufacturers are vulnerable to a newly discovered attack called “LogoFAIL.”** The attack involves an adversary executing malicious firmware during the machines’ boot-up sequences, which means it’s difficult for traditional detection methods to block, or for users to even notice that it’s happening. The researchers who discovered this exploit wrote in their full paper that, once the attacker uses LogoFAIL to execute remote code during the Driver Execution Environment phase, it’s “game over for platform security.” Although there is no indication this type of attack has been used in the wild, it is being tracked through several CVEs. Potentially affected users should update to the latest version of UEFI by updating their firmware, including new patches from AMI, Intel, Insyde, Phoenix and Lenovo. Users can also lock down their machine’s EFI System Partition (ESP) so adversaries can’t access it, which is necessary to carry out LogoFAIL. (ArsTechnica, ZDNet) 

**The U.K. publicly charges Russia’s intelligence agency, the FSB, of a yearslong cyber espionage campaign targeting British government officials and other high-profile public citizens.** The U.K. Foreign Office said the FSB conducted "sustained unsuccessful attempts to interfere in U.K. political processes” over several years, including stealing information relating to the country’s national elections in 2019. The alleged campaigns involved trying to breach emails belonging to politicians, journalists, activists and academics, and fake social media profiles set up to impersonate the target’s contacts. One MP in British parliament said their emails had been stolen. Several individuals belonging to a group known as Star Blizzard have been sanctioned for their connections to these activities. (BBC, Politico) 

**Several major hardware and software vendors released their last patches of the calendar year this week.** Microsoft disclosed four critical vulnerabilities as part of its regular Patch Tuesday, three of which could lead to remote code execution. However, the total number of vulnerabilities included in December’s Patch Tuesday, 33, was the lowest in a single month since December 2019. Meanwhile on Monday, Apple released patches for its major pieces of hardware, disclosing security issues in iPhones, Macs and more. One of the vulnerabilities in macOS, CVE-2023-42914, is a kernel issue with the potential to allow apps to break out of their sandboxes. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency released an advisory that attackers are actively exploiting a vulnerability in Adobe ColdFusion, which potentially poses a threat to government agencies. CVE-2023-26360 is an improper access control issue that could lead to arbitrary code execution. (Dark Reading, Talos, Security Boulevard) 

**Can’t get enough Talos? **

*   Network Infrastructure Is A Prime Target For Cyber Threats 
*   North Korean hackers using Log4J vulnerability in global campaign 
*   Video: Talos 2023 Year in Review highlights 
*   CCQ explores cybersecurity strategies for managing and responding to industrial incidents 
*   CW39 Houston: Protect Yourself from Cyber Attack 
*   Lazarus exploit Log4Shell vulnerability to deliver novel RAT malware 

**Upcoming events where you can find Talos **

**NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security** **(Jan. 11, 2024, 10 a.m. GMT)** 

Virtual 

> _The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725   
**MD5:** d47fa115154927113b05bd3c8a308201    
**Typical Filename:** mssqlsrv.exe   
**Claimed Product:** N/A     
**Detection Name:** Trojan.GenericKD.65065311 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd  

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5a6b089b1d2dd66948f24ed2d9464ce61942c19e98922dd77d36427f6cded634   
**MD5:** 05436c22388ae10b4023b8b721729a33   
**Typical Filename:** BossMaster.txt   
**Claimed Product:** N/A   
**Detection Name:** PS1.malware.to.talos 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

A personal Year in Review to round out 2023

Our latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group.

Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

The notorious North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts.
Cisco Talos is tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based

The notorious North Korea-linked threat actor known as the **Lazarus Group** has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts.

Cisco Talos is tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based malware families, including a RAT called NineRAT that leverages Telegram for command-and-control (C2), DLRAT, and a downloader dubbed BottomLoader.

The cybersecurity firm described the latest tactics of the adversary as a definitive shift and that they overlap with the cluster widely tracked as Andariel (aka Onyx Sleet or Silent Chollima), a sub-group within the Lazarus umbrella.

"Andariel is typically tasked with initial access, reconnaissance and establishing long term access for espionage in support of the North Korean government's national interests," Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura said in a technical report shared with The Hacker News.

Attack chains involve the exploitation of CVE-2021-44228 (aka Log4Shell) against publicly-accessible VMWare Horizon servers to deliver NineRAT. Some of the prominent sectors targeted include manufacturing, agriculture, and physical security.

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

The abuse of Log4Shell is not surprising given the fact that 2.8 percent of applications are still using vulnerable versions of the library (from 2.0-beta9 through 2.15.0) after two years of public disclosure, according to Veracode, with another 3.8% using Log4j 2.17.0, which, while not vulnerable to CVE-2021-44228, is susceptible to CVE-2021-44832.

NineRAT, first developed around May 2022, is said to have been put to use as early as March 2023 in an attack aimed at a South American agricultural organization and then again in September 2023 on a European manufacturing entity. By using a legitimate messaging service for C2 communications, the goal is to evade detection.

The malware acts as the primary means of interaction with the infected endpoint, enabling the attackers to send commands to gather system information, upload files of interest, download additional files, and even uninstall and upgrade itself.

"Once NineRAT is activated it accepts preliminary commands from the telegram based C2 channel, to again fingerprint the infected systems," the researchers noted.

"Re-fingerprinting of infected systems indicates that the data collected by Lazarus via NineRAT may be shared by other APT groups and essentially resides in a different repository from the fingerprint data collected initially by Lazarus during their initial access and implant deployment phase."

Also used in the attacks after initial reconnaissance is a custom proxy tool called HazyLoad that was previously identified by Microsoft as used by the threat actor as part of intrusions weaponizing critical security flaws in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8). HazyLoad is downloaded and executed by means of another malware called BottomLoader.

Furthermore, Operation Blacksmith has been observed delivering DLRAT, which is both a downloader and a RAT equipped to perform system reconnaissance, deploy additional malware, and retrieve commands from the C2 and execute them in the compromised systems.

"The multiple tools giving overlapping backdoor entry present Lazarus Group with redundancies in the event a tool is discovered, enabling highly persistent access," the researchers said.

The disclosure comes as the AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky's use of AutoIt versions of malware such as Amadey and RftRAT and distributing them via spear-phishing attacks bearing booby-trapped attachments and links in an attempt to bypass security products.

Kimusky, also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima, is an element operating under North Korea's Reconnaissance General Bureau (RGB), which also houses the Lazarus Group.

It was sanctioned by the U.S. Treasury Department on November 30, 2023, for gathering intelligence to support the regime's strategic objectives.

"After taking control of the infected system, to exfiltrate information, the Kimsuky group installs various malware such as keyloggers and tools for extracting accounts and cookies from web browsers," ASEC said in an analysis published last week.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans

An issue was discovered in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0 allows remote attackers to crash the application via a dangling pointer.

Ghostscript is an interpreter for the PostScript®  language and PDF files. It is available under either the GNU GPL Affero license or  licensed for commercial use from Artifex Software, Inc. It has been under active development for over 30 years and has been ported to several different systems during this time. Ghostscript consists of a PostScript interpreter layer and a graphics library.

There are a family of other products, including GhostPCL, GhostPDF, and GhostXPS that are built upon the same graphics library. Between them, this family of products offers native rendering of all major page description languages. Our latest product, GhostPDL, pulls all these languages into a single executable.

Full descriptions of these products can be found on our documentation introduction.

In addition to rendering to raster formats, Ghostscript offers high-level conversion through our vector output devices.

Written entirely in C, Ghostscript runs on various embedded operating systems and platforms including Windows, macOS, the wide variety of Unix and Unix-like platforms, and VMS systems.

**Current Release**

The current Ghostscript release 10.02.1 can be downloaded here.

**NEW in this Release**

*   Old PDF Interpreter has now been removed - see https://ghostscript.com/blog/pdfi.html for more details
*   And more! Review the full release notes.

**The Ghostscript Blog**

Find news, articles and developer notes from the Ghostscript engineering team on the blog.

**Security Advisory**

*   *   November 1, 2023: Ghostscript/GhostPDL 10.02.1 release fixes CVE-2023-46751.
        
    *   CVE-2023-46751 affects _all_ Ghostscript/GhostPDL versions prior to 10.02.1.
        
    *   CVE-2023-46751 is a shell command injection/remote code execution risk, so we recommend upgrading to version 10.02.1 as a matter of urgency
        
    
    *   September 18, 2023: Ghostscript/GhostPDL 10.02.0 release fixes CVE-2023-43115.
        
    *   CVE-2023-43115 affects _all_ Ghostscript/GhostPDL versions prior to 10.02.0.
        
    *   CVE-2023-43115 is a remote code execution risk, so we recommend upgrading to version 10.02.0 as a matter of urgency
        
    
    *   June 27, 2023: Ghostscript/GhostPDL 10.01.2 release fixes CVE-2023-36664.
        
    *   CVE-2023-36664 affects _all_ Ghostscript/GhostPDL versions prior to 10.01.2.
        
*   April 3, 2023: Ghostscript/GhostPDL 10.01.1 release fixes CVE-2023-28879.
    
*   April 4, 2022: Ghostscript/GhostPDL 9.56.1 bundles zlib 1.2.12 which addresses CVE-2018-25032.
    
*   December 16, 2021: Apache Log4J vulnerability – GHOSTSCRIPT NOT AFFECTED – For more info: CVE-2021-44228
    

**Related projects**

*   Memento: A memory debugging library for C (or C++) programs.
*   jbig2dec: A JBIG2 image decoder.

CVE-2023-46751: Ghostscript

By Deeba Ahmed
The ActiveMQ flaw has been patched, but despite this, numerous threat actors continue to exploit it.
This is a post from HackRead.com Read the original post: Cybercriminals Exploit ActiveMQ Flaw to Spread GoTitan Botnet, PrCtrl Rat

The recently discovered GoTitan botnet is built on the Golang programming language, whereas PrCtrl Rat is a .NET program.

Fortinet’s FortiGuard Labs published new research highlighting that a critical Apache ActiveMQ vulnerability tracked as **CVE-2023-46604** is under active exploitation by numerous threat actors.

Despite the release of a patch a month ago, FortiGuard researchers continue to identify various malware strains exploiting a known flaw. The persistent exploitation by cybercriminals is concerning, as it allows them to execute arbitrary code on susceptible servers.

FortiGuard Labs’ report has brought attention to several new threats, such as the emergence of a Golang-based botnet named GoTitan and a .NET program called PrCtrl Rat, which possesses remote control capabilities.

Apache recently issued an advisory regarding a vulnerability related to the deserialization of untrusted Apache data. The Cybersecurity and Infrastructure Security Agency (CISA) has categorized this flaw in its Known Exploited Vulnerabilities **(KEV) catalogue**, underscoring its high risk and potential impact.

Researchers claim that this flaw is currently being exploited to distribute various malware strains, including GoTitan, PrCtrl Rat, Kinsing, Silver, and Ddostff.

Silver, designed as an advanced penetration testing tool and red teaming framework, has the capability to support various callback protocols, including TCP, DNS, and HTTP(S). **Kinsing malware** specializes in supporting cryptojacking operations and can exploit newly discovered security vulnerabilities. On the other hand, **Ddostff botnet** has been widely employed in Distributed Denial of Service (DDoS) attacks since 2016.

GoTitan, a recently uncovered botnet, is coded in the **Go programming language**. Users typically download this botnet from a malicious URL, and it is currently compatible with x64 architectures. Upon installation, the botnet initiates a system scan and generates a debug file named c.log to document execution time and status.

Following its initial installation, GoTitan replicates itself as .mod within the system, establishing a recurring execution by registering in the Cron. To facilitate communication, the botnet retrieves the Command and Control (C2) IP address. It utilizes this connection to transmit stolen data, encompassing details about the infected device, such as memory, CPU specifications, and architecture information.

According to Fortinet Labs’ **blog post,** for data transmission, it uses “<==>” as separators. The message starts with “Titan<==>” whereas it communicates with the C2 by sending “FE FE” as a heartbeat signal and waits for further instructions. GoTitan supports ten different methods of launching DDoS attacks.

The exploitation process begins with the attacker establishing a connection to the ActiveMQ server using the OpenWire protocol, commonly on port 61616. Subsequently, the attacker sends a carefully crafted packet, inducing the system to unmarshal a class under their control.

This action prompts the vulnerable server to fetch and load a class configuration XML file from a designated remote URL. Within this malicious XML file, arbitrary code is defined, aiming to execute on the compromised machine.

GoTiten and PrCtrl Rat’s XML file (Credit: FortiGuard Labs

Technical details and proof-of-concept (PoC) code for the vulnerability are publicly accessible. Users are advised to stay vigilant against active exploits by Sliver, Kinsing, and Ddostf. Prioritizing system updates and patching is crucial, and regular monitoring of security advisories is recommended to effectively mitigate the risk of exploitation.

****_RELATED ARTICLES_****

1.  **Fake Super Mario 3 Installers Drop Crypto Miner, Data Stealer**
2.  **Microsoft Azure Exploited to Create Undetectable Cryptominer**
3.  **Hackers actively exploiting 0-day in Ubiquitous Apache Log4j tool**
4.  **Golang malware infecting Windows, Linux servers with XMRig miner**
5.  **Nitrokod Crypto Miner Hiding in Fake Microsoft, Google Translate Apps**

Cybercriminals Exploit ActiveMQ Flaw to Spread GoTitan Botnet, PrCtrl Rat

A serialization vulnerability in logback receiver component part of 
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service 
attack by sending poisoned data.



Tag

#log4j