Online Pizza Ordering v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server.

CVE-2023-29627: File uploads | Web Security Academy

<p>In this article we will describe how Microsoft and Red Hat are collaborating in the open source community to show how Red Hat <a href="https://www.redhat.com/en/technologies/cloud-computing/openshift">OpenShift</a> can be deployed on <a href="https://aka.ms/azurecc">Azure Confidential Computing</a> for providing confidential container capabilities to its users. For this purpose, OpenShift uses the <a href="https://www.redhat.com/en/blog/learn-openshift-sandboxed-containe

Deploying confidential containers on the public cloud

Microsoft zero-days, dark web forum takedowns and Pentagon leaks on Discord in this week's newsletter.

Thursday, April 13, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

Law enforcement organizations across the globe notched a series of wins over the past few weeks against online forums for cybercriminals.

On March 23, the FBI announced it disrupted the online cybercriminal marketplace BreachForums, known for being a place where users could buy and sell stolen user information. They also arrested a 20-year-old suspected of being the site’s founder and main administrator.

Then last week we had “Operation Cookie Monster” in which several international agencies worked together to take down Genesis Market, a similar dark web forum, arresting dozens of suspected users and administrators.

These arrests and network operations are important in that they disrupted sites that were known for highly sensitive information and served as a place for some of the most prolific cyber criminals to make money. The U.S. Department of Justice estimated that Genesis Market was responsible for the sale of data on more than 1.5 million compromised computers around the world containing over 80 million account access credentials. And the U.K.’s National Crime Agency (NCA) said credentials were available for as little as 70 cents to hundreds of dollars depending on the stolen data available.

But the user base for these sites was also huge (after all, someone had to be buying those credentials). At the time of its takedown, BreachForums had 340,000 members, according to the FBI. And reporting on Operation Cookie Monster stated that Genesis Market had 59,000 registered users.

So while it’s great that these sites have been disrupted, I can’t help but assume that two more sites are going to pop up to service these cyber criminals. It’s impossible for any agency to arrest 340,000 people, so even if a handful of administrators are restricted from accessing the internet for a while, the other 339,000 people are going to be looking for a new home.

Some of the same agencies celebrated in March 2021 that they disrupted Emotet, one of the most infamous botnets ever. As anyone who follows security news will know, Emotet didn’t actually go anywhere and was recently rebooted as recently as last month, according to our research.

RaidForums, a forefather of BreachForums, was also disrupted in April 2022, along with the arrest of several administrators and accomplices.

All of this is not to discount the great strides made in the past few weeks in disrupting these marketplaces and taking them offline. But a lot of these headlines are sounding familiar to me after a few years, so it’s important to remember that we as a security community can’t take our foot off the gas and assume that because there were a few big wins that dark web forums are just going to go away forever.

**The one big thing**

Microsoft’s Patch Tuesday for April included another zero-day vulnerability in the Windows Common Log File System Driver. CVE-2023-28252, which could allow an attacker to obtain SYSTEM privileges, is actively being exploited in the wild, according to Microsoft. The U.S. Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of know exploited issues and urged federal agencies to patch it as soon as possible. Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969.

**Why do I care?**

Security researchers say that the vulnerability has already been exploited in Nokoyawa ransomware attacks, so it’s important to patch this issue as soon as possible. The Nokoyawa ransomware is known for targeting 64-bit Windows systems in double extortion attacks in which the actors encrypt targets’ files and then threaten to leak them unless the ransom is paid.

**So now what?**

Microsoft has a patch available, so all Windows users should update now if they haven’t already. Talos also has new Snort detection coverage available for CVE-2023-28252 and other vulnerabilities disclosed as part of Patch Tuesday.

**Top security headlines of the week**

**A trove of classified military documents and images leaked on several social media channels** over the past week, including potentially sensitive information on Russia’s invasion of Ukraine and China’s military plans. The images first surfaced in a Discord channel, eventually making their way onto the Telegram messaging app, the popular forum 4Chan and then broader social media sites like Twitter. The U.S. Department of Justice and the Pentagon have since launched a formal investigation into the leaks. Ukrainian officials have blamed Russian actors for the leaks, trying to cast doubt on the authenticity of the images, while Russia accused Western governments of trying to spread disinformation. (Bellingcat, New York Times)

**Apple released patches for two zero-day vulnerabilities** targeting current and older versions of iOS, iPadOS, macOS and Safari that attackers were exploiting in the wild. The vulnerabilities, CVE-2023-28206 and CVE-2023-28205, could lead to arbitrary code execution. CVE-2023-28206 specifically could allow an adversary to execute code with kernel privileges. Apple initially patched the issue in current iPhones and other devices and followed up a few days later with fixes for older hardware like the iPhone 8. This was the third instance of Apple patching a zero-day vulnerability since the start of the year. (SC Media, Security Week)

**The FBI warned users again this week against plugging their phones in public charging stations** at common spaces like airports, hotels and shopping centers. The agency stated that threat actors have found ways to use the public USB ports to “introduce malware and monitoring software onto devices." Instead, the Federal Communications Commission suggests users carry their own USB cables and charging blocks to plug directly into outlets rather than relying on or trusting a cable. However, the tweet from the FBI’s Denver office did not offer examples of any recent attacks that would have prompted a fresh warning. (Axios, NBC News)

**Can’t get enough Talos?**

*   How threat actors are using AI and other modern tools to enhance their phishing attempts
*   How do you hunt cybersecurity threats in a war zone? Like this
*   Cisco unveils latest security trends from Cisco Talos report at GISEC 2023
*   Researcher Spotlight: Giannis Tziakouris first learned how to fix his family’s PC, and now he’s fixing networks all over the globe

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Talos Incident Response: On Air** **(April 27)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** f3d5815e844319d78da574e2ec5cd0b9dd0712347622f1122f1cb821bb421f8f  
**MD5:** a2d60b5c01a305af1ac76c95e12fdf4a  
**Typical Filename:** KMSAuto.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole

Security researchers are jailbreaking large language models to get around safety rules. Things could get much worse.

As a result, jailbreak authors have become more creative. The most prominent jailbreak was DAN, where ChatGPT was told to pretend it was a rogue AI model called Do Anything Now. This could, as the name implies, avoid OpenAI’s policies dictating that ChatGPT shouldn’t be used to produce illegal or harmful material. To date, people have created around a dozen different versions of DAN.

However, many of the latest jailbreaks involve combinations of methods—multiple characters, ever more complex backstories, translating text from one language to another, using elements of coding to generate outputs, and more. Albert says it has been harder to create jailbreaks for GPT-4 than the previous version of the model powering ChatGPT. However, some simple methods still exist, he claims. One recent technique Albert calls “text continuation” says a hero has been captured by a villain, and the prompt asks the text generator to continue explaining the villain’s plan.

When we tested the prompt, it failed to work, with ChatGPT saying it cannot engage in scenarios that promote violence. Meanwhile, the “universal” prompt created by Polyakov did work in ChatGPT. OpenAI, Google, and Microsoft did not directly respond to questions about the jailbreak created by Polyakov. Anthropic, which runs the Claude AI system, says the jailbreak “sometimes works” against Claude, and it is consistently improving its models.

“As we give these systems more and more power, and as they become more powerful themselves, it’s not just a novelty, that’s a security issue,” says Kai Greshake, a cybersecurity researcher who has been working on the security of LLMs. Greshake, along with other researchers, has demonstrated how LLMs can be impacted by text they are exposed to online through prompt injection attacks.

In one research paper published in February, reported on by Vice’s Motherboard, the researchers were able to show that an attacker can plant malicious instructions on a webpage; if Bing’s chat system is given access to the instructions, it follows them. The researchers used the technique in a controlled test to turn Bing Chat into a scammer that asked for people’s personal information. In a similar instance, Princeton’s Narayanan included invisible text on a website telling GPT-4 to include the word “cow” in a biography of him—it later did so when he tested the system.

“Now jailbreaks can happen not from the user,” says Sahar Abdelnabi, a researcher at the CISPA Helmholtz Center for Information Security in Germany, who worked on the research with Greshake. “Maybe another person will plan some jailbreaks, will plan some prompts that could be retrieved by the model and indirectly control how the models will behave.”

No Quick Fixes

Generative AI systems are on the edge of disrupting the economy and the way people work, from practicing law to creating a startup gold rush. However, those creating the technology are aware of the risks that jailbreaks and prompt injections could pose as more people gain access to these systems. Most companies use red-teaming, where a group of attackers tries to poke holes in a system before it is released. Generative AI development uses this approach, but it may not be enough.

Daniel Fabian, the red-team lead at Google, says the firm is “carefully addressing” jailbreaking and prompt injections on its LLMs—both offensively and defensively. Machine learning experts are included in its red-teaming, Fabian says, and the company’s vulnerability research grants cover jailbreaks and prompt injection attacks against Bard. “Techniques such as reinforcement learning from human feedback (RLHF), and fine-tuning on carefully curated datasets, are used to make our models more effective against attacks,” Fabian says.

The Hacking of ChatGPT Is Just Getting Started

The Microsoft Windows Kernel has insufficient validation of new registry key names in transacted NtRenameKey.

Microsoft Windows Kernel New Registry Key name Insufficient Validation

The Microsoft Windows Kernel suffers from multiple issues in the prepare/commit phase of a transactional registry key rename.

Microsoft Windows Kernel Transactional Registry Key Rename Issues

A novel credential harvester compromises SMTP services to steal data from a range of hosted services and providers, and can also launch SMS-based spam attacks against devices using US mobile carriers.

Threat actors are selling a novel credential harvester and hacktool via a Telegram channel, which can exploit numerous Web-based services to steal credentials. It also has the bonus ability to launch SMS-based spam attacks that target US-based mobile devices as well, the researchers have found.

Researchers from Cado Security uncovered the Python-based credential stealer, called Legion, which has links to both the AndroxGh0st malware family and another previously discovered malware, they revealed in a blog post published today.

Legion's primary means of attack is to compromise misconfigured Web servers running content management systems (CMS), PHP, or PHP-based frameworks, such as Laravel, the researchers noted. Once installed, it contains several methods for retrieving credentials from the servers: by targeting the Web server software itself, scripting languages, or frameworks on which the server is running. The malware attempts to request resources from these known to contain secrets, parses them, and saves the secrets into results files sorted on a per-service basis, the researchers said.

"One such resource is the .env environment variables file, which often contains application-specific secrets for Laravel and other PHP-based Web applications," wrote Matt Muir, threat intelligence researcher at Cado Security, in the analysis. "The malware maintains a list of likely paths to this file, as well as similar files and directories for other Web technologies."

Legion then marches on to steal credentials from myriad Web-based sources and services —such as email providers, cloud service providers, server-management systems, databases, and payment platforms like Stripe and PayPal, the researchers said. And Legion can brute-force credentials to Amazon Web Services (AWS), which is consistent with similar functionality in AndroxGh0st, according to analysis of that malware by researchers at Lacework, Muir said. 

In addition to credential theft, Legion includes traditional hacktool functionality that can exploit well-known PHP vulnerabilities to register a Webshell or remotely execute malicious code, Muir tells Dark Reading.

"It is an SMTP abuse tool primarily, but it relies on opportunistic exploitation of misconfigured Web services to harvest credentials for said abuse," he says. "It also bundles additional functionality traditionally found in more common hacktools, such as the ability to execute Web-server-specific exploit code and brute force account credentials."

As mentioned, one unique aspect of the malware is that along with stealing credentials and general hacking, it also can automatically send SMS spam messages to mobile network users based in the United States, including subscribers to AT&T, Boost Mobile, Cingular, Sprint, Verizon, and more. This feature is one not often, if ever, seen in a credential harvester, the researchers noted.

This function is fairly basic: It retrieves the area code from the website www.randomphonenumbers.com, then tries different combinations of numbers to find a workable phone number.

"To retrieve the area code, Legion uses Python's BeautifulSoup HTML parsing library," Muir wrote. "A rudimentary number generator function is then used to build up a list of phone numbers to target."

To send the SMS messages themselves, the malware checks for saved SMTP credentials retrieved by one of the credential-harvesting modules, he added.

**Widespread Malware Distribution via Telegram**

A public Telegram group with more than 1,000 members to which Cado researchers gained access is distributing Legion, which also has a dedicated YouTube channel containing tutorial videos on the malware, the researchers said.

The malware is also being advertised by other Telegram groups to reach about 5,000 users in total. These combined factors indicate that Legion already has a loyal following and is likely a for-purchase offering under a perpetual license model, Muir said.

"While not every member will have purchased a license for Legion, these numbers show that interest in such a tool is high," he wrote in the post. "Related research indicates that there are a number of variants of this malware, likely with their own distribution channels."

While the researchers have not identified the definitive source of Legion, several Indonesian-language comments on the YouTube channel suggest that the developer may be Indonesian or based in Indonesia, and references to user with the handle "my13gion" in the Telegram group also offer clues to its source, they said.

Moreover, in a function dedicated to PHP exploitation, a link to a GitHub Gist leads to a user named Galeh Rizky, with a profile suggesting that this user is located in Indonesia. Still, it's not clear if Rizky is the developer behind Legion, or if his code just happens to be found in the sample analyzed by Cado, the researchers said.

**How to Mitigate & Assess Legion's Cyber-Risk**

Researchers included a list of indicators of compromise (IoCs), as well as a list of targeted US mobile carriers in the blog post to help organizations or device users know if they've been compromised by Legion or could be a target of the malware, respectively.

Given the malware's reliance on misconfigurations in Web servers or frameworks to access systems, Cado recommends that organizations and other users of these technologies review existing security processes and ensure that secrets are appropriately stored. Moreover, if credentials are stored in a .env file, this file should be outside Web server directories so that it's inaccessible from the Web, the researchers said.

Organizations using cloud providers such as AWS and Microsoft Azure should also keep in mind their shared-responsibility obligations under the terms of use for those platforms to ensure their Web servers are configured properly, Muir says. A compromise by the malware "would likely fall under the user's remit in a shared responsibility context," he says.

Additionally, AWS users should also be aware of Legion's targeting of the platform's identity access management (IAM) and simple email service (SES) in its attempt to gain AWS credentials. To mitigate this risk, organizations should look out for user accounts that show a change in the IAM user registration code to include an "Owner" tag with the hardcoded value "ms.boharas," which is a hallmark of the malware, the researchers said.

Legion Malware Marches onto Web Servers to Steal Credentials, Spam Mobile Users

There are plenty of AD objects and groups that should be considered tier zero in every environment, but some will vary among organizations.

Organizations trying to improve the security of their Active Directory environments face a simple problem: Attackers have too many options. The average enterprise AD environment has thousands or tens of thousands of attack paths, which are chains of misconfigurations that allow an attacker with initial access to a low-privileged user to escalate privilege, move laterally to a high privilege user, and then take over the domain. While fixing every misconfiguration may not be possible, security and identity and access management administrators can absolutely make meaningful progress towards securing AD. But they need a way to prioritize their work to do so successfully.

The first step in prioritizing attack paths is focusing on those that lead to any tier-zero asset. Tier-zero assets are the vital systems in AD or Azure AD that, if compromised, allow an attacker to give themselves access to any system they want. Whatever an attacker is trying to do, whether that's deploying malware, stealing sensitive information or establishing persistence, getting control of a tier-zero system will allow them to do that.

This raises the question of what systems are included in tier zero. The term comes from Microsoft's Enhanced Security Administration Environment (ESAE - Retired) model and means the set of objects with full control over the environment _and_ any objects with control over those objects. The ESAE model has been retired and replaced with Microsoft's Enterprise Access Model, which recommends the same advice and now refers to this sensitive group as "control plane." However, neither model includes a list of systems considered to be part of tier zero.

Here's what my colleagues and I who research AD security consider tier zero assets. There are many AD objects and groups that should always be considered tier zero in every environment, but some will vary from organization to organization. The final tier zero group will be custom to each organization.

**Group One: Domain Control Groups**

First, we include objects that maintain full control of a domain or have the (effectively) irrevocable ability to gain access to those groups. Remember to inspect any privileged group membership in AD to identify any nested groups, since group permissions are inherited. For example, if one group is nested within a second group that is included in domain controllers, all members of both groups will have those privileges.

In Active Directory, these include the domain head object, built-in administrator accounts, domain admins; domain controllers; schema and enterprise admins; enterprise domain controllers; key and enterprise key admins; and administrators overall.

In Azure, tier zero includes the default roles that maintain full control of an Azure tenant or have the effectively irrevocable ability to gain access to those roles. These include tenant objects, global administrators, privileged role administrator, and privileged authentication administrators.

**Group Two: Key Identity Systems

Next, tier zero should include the computers and service accounts associated with the following systems. These will almost always be tier zero, but the process for identifying them will vary depending on the environment.

First are the public key infrastructure/Active Directory certificate services, including root certificate authority (CA) server and subordinate CAs. Second is Active Directory federation services, but note that Web application proxy servers should be in a separate AD forest (DMZ or extranet network) and are not considered tier zero. Third are Azure AD Connect servers and accounts, including servers with pass-through authentication that is enabled. Privileged access management systems such as Thycotic or CyberArk, and group policy object administration tools such as Quest GPO admin or advanced group policy manager should be considered tier zero as well.

As we've said, tier zero should be customized for each organization. The computers and services accounts associated with anything else that a specific organization considers to be tier zero, such as privileged access workstations, should be included with the systems listed above. Enterprise read-only domain controllers and read-only domain controllers can be considered tier zero or tier one, depending on certain conditions.

****Group Three: Systems With Code Execution Ability**

Finally, tier zero should include systems that have code execution ability (or other privileged control) on the tier zero systems listed above. For example, if domain controllers are managed from Microsoft System Center Configuration Manager (SCCM), compromising SCCM allows the attacker to execute code on domain controllers. SCCM is, in this case, an indirect path to full control over the environment and, therefore, a tier-zero system. This attack requires more sophistication but is still a viable option for an adversary and organizations should be prepared for this possibility.

There are often many systems in this category and identifying them all can be a significant project. It's recommended that organizations work in phases; first identify all the objects and accounts listed above, draw the tier-zero boundary around them, and then move on to identify systems with code execution ability over them.

Once an organization has identified these assets, they can focus their security resources on protecting them and better assess which attack paths to focus on closing. It's practically impossible to close every possible avenue of attack in an enterprise network, but prioritizing their efforts allows defenders to eliminate the most dangerous ones that lead to tier-zero assets and reduce their overall exposure significantly.

How to Define Tier-Zero Assets in Active Directory Security

The Transparent Tribe threat actor has been linked to a set of weaponized Microsoft Office documents in attacks targeting the Indian education sector using a continuously maintained piece of malware called Crimson RAT.
While the suspected Pakistan-based threat group is known to target military and government entities in the country, the activities have since expanded to include the education

The **Transparent Tribe** threat actor has been linked to a set of weaponized Microsoft Office documents in attacks targeting the Indian education sector using a continuously maintained piece of malware called Crimson RAT.

While the suspected Pakistan-based threat group is known to target military and government entities in the country, the activities have since expanded to include the education vertical.

The hacking group, also called APT36, Operation C-Major, PROJECTM, and Mythic Leopard, has been active as far back as 2013. Educational institutions have been at the receiving end of the adversary's attacks since late 2021.

"Crimson RAT is a consistent staple in the group's malware arsenal the adversary uses in its campaigns," SentinelOne researcher Aleksandar Milenkoski said in a report shared with The Hacker News.

The malware has the functionality to exfiltrate files and system data to an actor-controlled server. It's also built with the ability to capture screenshots, terminate running processes, and download and execute additional payloads to log keystrokes and steal browser credentials.

Last month, ESET attributed Transparent Tribe to a cyber espionage campaign aimed at infecting Indian and Pakistani Android users with a backdoor called CapraRAT.

An analysis of Crimson RAT samples has revealed the presence of the word "Wibemax," corroborating a previous report from Fortinet. While the name matches that of a Pakistani software development company, it's not immediately clear if it shares any direct connection to the threat actor.

That said, it bears noting that Transparent Tribe has in the past leveraged infrastructure operated by a web hosting provider called Zain Hosting in attacks targeting the Indian education sector.

The documents analyzed by SentinelOne bear education-themed content and names like assignment or Assignment-no-10, and make use of malicious macro code to launch the Crimson RAT. Another method concerns the use of OLE embedding to stage the malware.

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter - Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don't Miss Out – Save Your Seat!

"Malicious documents that implement this technique require users to double-click a document element," Milenkoski explained. "These documents distributed by Transparent Tribe typically display an image (a 'View Document' graphic) indicating that the document content is locked."

This, in turn, tricks users into double-clicking the graphic to view the content, thereby activating an OLE package that stores and executes the Crimson RAT, masquerading as an update process.

Crimson RAT variants have also been observed to delay their execution for a specific time period spanning anywhere between a minute and four minutes, not to mention implement different obfuscation techniques using tools like Crypto Obfuscator and Eazfuscator.

"Transparent Tribe is a highly motivated and persistent threat actor that regularly updates its malware arsenal, operational playbook, and target," Milenkoski said. "Transparent Tribe's constantly changing operational and targeting strategies require constant vigilance to mitigate the threat posed by the group."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pakistan-based Transparent Tribe Hackers Targeting Indian Educational Institutions

The North Korean threat actor known as the Lazarus Group has been observed shifting its focus and rapidly evolving its tools and tactics as part of a long-running activity called DeathNote.
While the nation-state adversary is known for its persistent attacks on the cryptocurrency sector, it has also targeted automotive, academic, and defense sectors in Eastern Europe and other parts of the world

Cyber Attack / Cyber Threat

The North Korean threat actor known as the Lazarus Group has been observed shifting its focus and rapidly evolving its tools and tactics as part of a long-running activity called **DeathNote**.

While the nation-state adversary is known for its persistent attacks on the cryptocurrency sector, it has also targeted automotive, academic, and defense sectors in Eastern Europe and other parts of the world, in what's perceived as a "significant" pivot.

"At this point, the actor switched all the decoy documents to job descriptions related to defense contractors and diplomatic services," Kaspersky researcher Seongsu Park said in an analysis published Wednesday.

The deviation in targeting, along with the use of updated infection vectors, is said to have occurred in April 2020. It's worth noting that the DeathNote cluster is also tracked under the monikers Operation Dream Job or NukeSped. Google-owned Mandiant also tied a subset of the activity to a group it calls UNC2970.

The phishing attacks directed against crypto businesses typically entail using bitcoin mining-themed lures in email messages to entice potential targets into opening macro-laced documents in order to drop the Manuscrypt (aka NukeSped) backdoor on the compromised machine.

The targeting of the automotive and academic verticals is tied to Lazarus Group's broader attacks against the defense industry, as documented by the Russian cybersecurity firm in October 2021, leading to the deployment of BLINDINGCAN (aka AIRDRY or ZetaNile) and COPPERHEDGE implants.

In an alternative attack chain, the threat actor employed a trojanzied version of a legitimate PDF reader application called SumatraPDF Reader to initiate its malicious routine. The Lazarus Group's use of rogue PDF reader apps was previously revealed by Microsoft.

The targets of these attacks included an IT asset monitoring solution vendor based in Latvia and a think tank located in South Korea, the latter of which entailed the abuse of legitimate security software that's widely used in the country to execute the payloads.

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter - Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don't Miss Out – Save Your Seat!

The twin attacks "point to Lazarus building supply chain attack capabilities," Kaspersky noted at the time. The adversarial crew has since been blamed for the supply chain attack aimed at enterprise VoIP service provider 3CX that came to light last month.

Kaspersky said it discovered another attack in March 2022 that targeted several victims in South Korea by exploiting the same security software to deliver downloader malware capable of delivering a backdoor as well as an information stealer for harvesting keystroke and clipboard data.

"The newly implanted backdoor is capable of executing a retrieved payload with named-pipe communication," Park said, adding it's also "responsible for collecting and reporting the victim's information."

Around the same time, the same backdoor is said to have been utilized to breach a defense contractor in Latin America using DLL side-loading techniques upon opening a specially-crafted PDF file using a trojanized PDF reader.

The Lazarus Group has also been linked to a successful breach of another defense contractor in Africa last July in which a "suspicious PDF application" was sent over Skype to ultimately drop a variant of a backdoor dubbed ThreatNeedle and another implant known as ForestTiger to exfiltrate data.

"The Lazarus group is a notorious and highly skilled threat actor," Park said. "As the Lazarus group continues to refine its approaches, it is crucial for organizations to maintain vigilance and take proactive measures to defend against its malicious activities."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft