Attackers Targeting Japanese Firms with Cobalt Strike

Threat analysts have identified an intrusion campaign targeting organizations in Japan across several sectors, including technology and e-commerce. The attackers exploited CVE-2024-4577, a remote code execution flaw in PHP-CGI on Windows, to gain initial access, then used PowerShell scripts to deploy Cobalt Strike, followed by privilege escalation, credential theft and lateral movement.

Affected sectors: technology, telecommunications, entertainment, education, e-commerce.

Key points:

  • Targeted organizations primarily in Japan across several sectors.
  • Attackers exploited CVE-2024-4577 to gain initial foothold.
  • Utilized PowerShell scripts to deploy Cobalt Strike for remote access.
  • Executed privilege escalation, credential theft, and lateral movement through Cobalt Strike plugins.
  • Used a publicly available Python exploit script for CVE-2024-4577 to test targets for the vulnerability before exploiting them.
  • Employed several tactics for persistence and evasion, including registry modifications and removing event logs.
  • Abused Group Policy Objects for lateral movement across networks.
  • Hosted attack tools on public cloud services, including the Blue-Lotus XSS framework and BeEF (Browser Exploitation Framework) for web exploitation.
  • No firm attribution to a specific group, though overlaps with tooling used by the group tracked as You Dun were noted.
  • Recommended mitigations include patching affected PHP installations immediately and monitoring for unauthorized changes to event logs, the registry and Group Policy.
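Because the initial foothold came through CVE-2024-4577, a practitioner patching and monitoring for this campaign wants a way to spot exploitation attempts in web-server access logs. The following Python script is an added example, not code from the report, from Talos or from the attackers' toolkit. It assumes combined-log-format access logs, uses the public exploit technique for this CVE as its signature (on Windows in affected locales, Japanese among them, a soft hyphen 0xAD in the query string is best-fit mapped to `-`, so `%ADd` reaches php-cgi as the `-d` option and can set directives such as `auto_prepend_file=php://input`), and runs over constructed sample lines:

```python
"""Flag CVE-2024-4577 (PHP-CGI argument injection) exploitation attempts in
web-server access logs.

Added example, not code from the report or from Talos.  The signature is the
public exploit technique for this CVE: a soft hyphen (0xAD) best-fit mapped to
'-' by Windows lets '%ADd' inject php-cgi '-d' options.  The log lines at the
bottom are constructed for illustration.
"""
import re
from urllib.parse import unquote_plus

SOFT_HYPHEN = "\u00ad"

# php.ini directives an injected '-d' would set to turn the request body into code.
DANGEROUS_DIRECTIVES = (
    "allow_url_include",
    "auto_prepend_file",
    "auto_append_file",
    "cgi.force_redirect",
    "cgi.redirect_status_env",
)

# Combined-log-format prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def decode_target(url: str) -> str:
    """Percent-decode the request target the way the CGI layer sees it.

    latin-1 keeps %AD as a single U+00AD character instead of a UTF-8 decode
    error, and unquote_plus turns '+' into the spaces separating injected args.
    """
    return unquote_plus(url, encoding="latin-1")


def classify(line: str):
    """Return a finding dict for a suspicious line, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group("url"))
    reasons = []
    # Core marker for this CVE: a soft hyphen directly before an option letter.
    if re.search(SOFT_HYPHEN + r"[A-Za-z]", target):
        reasons.append("soft-hyphen option injection")
    for directive in DANGEROUS_DIRECTIVES:
        if directive in target:
            reasons.append(f"directive {directive}")
    if "php://input" in target:
        reasons.append("php://input stream reference")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "status": m.group("status"), "reasons": reasons}


def scan(lines):
    """Apply classify() to every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:10:00:00 +0900] "GET /index.php?page=home HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2025:10:01:00 +0900] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Mar/2025:10:01:05 +0900] "POST /test.php?%ADd+cgi.force_redirect%3d0+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 1024',
    '203.0.113.9 - - [10/Mar/2025:10:02:00 +0900] "GET /about.php?ref=site-d HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["method"], ", ".join(hit["reasons"]))
```

A real hyphen in a query string (the last sample line) does not match, because php-cgi already rejects option-like arguments written with an ASCII `-`; the soft-hyphen check is what distinguishes this CVE. Treat the directive-name matches alone as low confidence and the soft-hyphen match as the high-confidence signal, and review the status code: a 200 on such a request means the server accepted the injected options.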

MITRE Techniques:

  • Exploit Public-Facing Application (T1190) – Exploited CVE-2024-4577 in PHP-CGI for initial access.
  • Application Layer Protocol (T1071) – Used Cobalt Strike beacons for command and control and remote shell access.
  • Exploitation for Privilege Escalation (T1068) – Used JuicyPotato, RottenPotato and SweetPotato, which abuse SeImpersonatePrivilege (commonly held by web-server service accounts) to obtain SYSTEM.
  • Boot or Logon Autostart Execution (T1547) – Modified autostart registry keys for persistence; scheduled tasks (T1053) were also created.
  • Indicator Removal (T1070) – Cleared Windows event logs with wevtutil (T1070.001) to evade detection.
  • OS Credential Dumping (T1003) – Used Mimikatz to dump NTLM hashes and plaintext passwords from memory.
  • Credentials from Password Stores (T1555) – Used PowerShell scripts for credential theft tasks.
  • Remote Services (T1021) – Used SharpGPOAbuse to push malicious Group Policy Objects and move laterally; GPO tampering of this kind also falls under Domain Policy Modification: Group Policy Modification (T1484.001).
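The host-side techniques above, wevtutil log clearing and registry persistence, leave distinct Windows events. The following Python triage is an added example, not from the report or from Talos: it models Windows and Sysmon events as simplified dicts (Security 1102/4688, System 104, Sysmon 1/13), assumes the registry persistence used Run/RunOnce keys (the page says registry keys were modified but not which), and runs over constructed records:

```python
"""Triage constructed Windows event records for two behaviours reported in this
campaign: clearing event logs with wevtutil (T1070.001) and writing autostart
registry values (T1547.001).

Added example, not code from the report.  Event shapes are simplified dicts
modelled on the named Windows/Sysmon events; every record is constructed.
"""
import re
from collections import Counter

# Autostart locations to watch.  The page reports registry modification for
# persistence but not which keys, so Run/RunOnce is an assumption.
AUTOSTART_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# 'wevtutil cl <log>' / 'wevtutil clear-log <log>' as recorded in the command
# line of Security 4688 or Sysmon 1 process-creation events.
WEVTUTIL_CLEAR = re.compile(
    r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?P<log>\S+)", re.IGNORECASE
)

SYSMON = "Microsoft-Windows-Sysmon/Operational"


def check_event(ev):
    """Return (category, detail) for a suspicious event, else None."""
    eid, chan = ev["EventID"], ev["Channel"]
    user = ev.get("SubjectUserName", "?")
    # The clearing itself: 1102 in Security, 104 in System for the other logs.
    if chan == "Security" and eid == 1102:
        return ("log_cleared", f"Security log cleared by {user}")
    if chan == "System" and eid == 104:
        return ("log_cleared", f"{ev.get('ClearedLog', '?')} log cleared by {user}")
    # The command that does the clearing, from process-creation telemetry.
    if (chan, eid) in (("Security", 4688), (SYSMON, 1)):
        m = WEVTUTIL_CLEAR.search(ev.get("CommandLine", ""))
        if m:
            return ("log_cleared", f"wevtutil clearing {m.group('log')} run by {user}")
    # A value written under an autostart key (Sysmon 13 = registry SetValue).
    if chan == SYSMON and eid == 13:
        target = ev.get("TargetObject", "")
        if any(k in target.lower() for k in AUTOSTART_KEYS):
            return ("persistence", f"autostart value {target} = {ev.get('Details', '')}")
    return None


def triage(events):
    """Run every event through check_event; return the hits and a per-category count."""
    hits = []
    for ev in events:
        result = check_event(ev)
        if result:
            hits.append({"time": ev["Time"], "category": result[0], "detail": result[1]})
    return hits, Counter(h["category"] for h in hits)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Time": "2025-03-10T01:12:03Z", "Channel": SYSMON, "EventID": 1,
     "SubjectUserName": "WEB01$", "CommandLine": r'"C:\Windows\System32\cmd.exe" /c whoami'},
    {"Time": "2025-03-10T01:15:40Z", "Channel": SYSMON, "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -w hidden -File C:\Users\Public\update.ps1"},
    {"Time": "2025-03-10T01:20:11Z", "Channel": "Security", "EventID": 4688,
     "SubjectUserName": "SYSTEM", "CommandLine": "wevtutil.exe cl Security"},
    {"Time": "2025-03-10T01:20:12Z", "Channel": "Security", "EventID": 1102,
     "SubjectUserName": "SYSTEM"},
    {"Time": "2025-03-10T01:20:13Z", "Channel": "System", "EventID": 104,
     "SubjectUserName": "SYSTEM", "ClearedLog": "System"},
    {"Time": "2025-03-10T01:30:00Z", "Channel": SYSMON, "EventID": 13,
     "TargetObject": r"HKCU\Software\Mozilla\Firefox\Launcher", "Details": "1"},
]

if __name__ == "__main__":
    hits, counts = triage(SAMPLE_EVENTS)
    for h in hits:
        print(h["time"], h["category"], h["detail"])
    print(dict(counts))
```

When the Security log is cleared, event 1102 is written as the first record of the fresh log, so it usually survives the clearing; the 4688 or Sysmon 1 command line that preceded it survives only if it was forwarded off-host before the clear. A persistence hit followed within minutes by a log-clearing hit, as in the sample, is the sequence worth escalating.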

Full Story: https://www.infosecurity-magazine.com/news/attackers-japan-cobalt-strike/