On May 23, 2023, the U.S., Australia, New Zealand, Canada and the U.K. issued a joint advisory about a suspected Chinese state-sponsored threat actor group that infiltrates firewalls, routers and virtual private networks (VPNs) belonging to critical infrastructure organizations. The group is primarily referred to as Volt Typhoon aka BRONZE SILHOUETTE, Dev-0391, Insidious Taurus, Storm-0391, UNC3236, VANGUARD PANDA, VOLTZITE.…

Read More
Introduction

This is Part 2 of our two-part technical deep dive into APT41’s new tooling, DodgeBox and MoonWalk. For details of DodgeBox, go to Part 1.

In Part 2 of this blog series, we examine the MoonWalk backdoor, a new addition to APT41’s toolkit. Continuing from our previous analysis of the DodgeBox loader in Part 1, we have discovered that MoonWalk shares several evasion techniques.…

Read More

On July 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA) detailing the Tactics, Techniques and Procedures (TTPs), mitigation strategies, and detection methods associated with a red team assessment carried out by CISA against a Federal Civilian Executive Branch (FCEB) organization.…

Read More

This advisory, authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA)—hereafter referred to as the “authoring agencies”—outlines a People’s Republic of China (PRC) state-sponsored cyber group and their current threat to Australian networks.…

Read More
EXECUTIVE SUMMARY

In early 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a SILENTSHIELD red team assessment against a Federal Civilian Executive Branch (FCEB) organization. During SILENTSHIELD assessments, the red team first performs a no-notice, long-term simulation of nation-state cyber operations. The team mimics the techniques, tradecraft, and behaviors of sophisticated threat actors and measures the potential dwell time actors have on a network, providing a realistic assessment of the organization’s security posture.…

Read More
1. Introduction

Attackers have increasingly started using Telegram as a control server (C2). One example is the Lazy Koala group, which we recently discovered and set out to study. While researching bots on Telegram, we found that many are from Indonesia. We were struck by the huge numbers of messages and victims, and how new bots and chats seem to appear on Telegram by the day, so we decided to get to the bottom of this “Indonesian tsunami.”…

Read More

Summary: The Qualys Threat Research Unit has discovered a Remote Unauthenticated Code Execution vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems, which allows unauthenticated remote code execution as root and presents a significant security risk.

Threat Actor: N/A

Victim: OpenSSH server instances

Key Point:

The vulnerability is a signal handler race condition in OpenSSH’s server (sshd) that affects sshd in its default configuration.…
Read More

This blog investigates the network-based activity detected by Darktrace in compromises stemming from the exploitation of a vulnerability in Palo Alto Networks firewall devices, namely CVE-2024-3400.

Introduction

Perimeter devices such as firewalls, virtual private networks (VPNs), and intrusion prevention systems (IPS), have long been the target of adversarial actors attempting to gain access to internal networks.…

Read More

Summary: There is a critical vulnerability in the command line program wget, which has a CVSS Base Score of 10.0. CERT-Bund warns of the vulnerability, which is contained in wget versions <=1.24.5.

Threat Actor: Unspecified threat actor | wget Victim: Users of wget under Linux or Windows | wget

Key Point :

A critical vulnerability (CVE-2024-38428) has been discovered in the command line program wget, which allows an attacker to carry out an unspecified attack.…
Read More

Summary: This content discusses the investigation into UNC3886, a suspected China-nexus cyberespionage group targeting strategic global organizations.

Threat Actor: UNC3886 | UNC3886 Victim: Strategic global organizations | strategic global organizations

Key Point :

UNC3886 demonstrated sophisticated and cautious approaches by employing multiple layers of persistence across network devices, hypervisors, and virtual machines to maintain long-term access.…
Read More

I am @unixfreaxjp of MalwareMustDie team. This is the English translation of APT overall analysis I made in Japanese at my Japan security blog: “#OCJP-136: 「FHAPPI」 Geocities.jpとPoison Ivy(スパイウェア)のAPT事件”, it has been translated by my buddy, a professional hacker and translator, The “El” Kentaro (he did it very good so I will not change any words he translated).…

Read More

Summary: This content discusses a new cryptojacking campaign by the threat actors behind Spinning YARN, targeting exposed Docker Engine hosts.

Threat Actor: Spinning YARN | Spinning YARN Victim: Docker Engine hosts | Docker Engine

Key Points:

The attackers behind Spinning YARN are targeting publicly exposed Docker Engine hosts for initial access.…
Read More

This blog entry provides an analysis of the Noodle RAT backdoor, which is likely being used by multiple Chinese-speaking groups engaged in espionage and other types of cybercrime.

This blog is based on our presentation at Botconf 2024. It can be viewed here.

Introduction

Since 2022, we have been investigating numerous targeted attacks in the Asia-Pacific region that used the same ELF backdoor.…

Read More