WME Security Briefing 08 November 2024

WME Cybersecurity Briefings No. 033

Evasive Panda Exploits CloudScout Toolset to Hijack Cloud Service Sessions in Taiwan

Overview

A recent cybersecurity report disclosed an advanced cyber espionage campaign conducted by the China-affiliated threat actor Evasive Panda, deploying a novel malware toolset called CloudScout. The operation targets government and religious organizations in Taiwan, stealing session cookies in order to compromise cloud services.

The CloudScout toolset operates alongside Evasive Panda’s primary malware, MgBot, to access services like Google Drive, Gmail, and Outlook. Over the past ten months, CloudScout modules have included ten unique functionalities – three of these explicitly designed to exfiltrate data from the platforms mentioned above.

Impact

Evasive Panda is also known by aliases like Bronze Highland, Daggerfly, StormBamboo, etc. It has a well-documented history of targeting entities in Taiwan and Hong Kong. The group frequently uses supply chain compromises and DNS poisoning to gain initial access to victim networks.

Using CloudScout, Evasive Panda can swipe cookies from victims’ web browsers to take control of authenticated sessions. Compromised cookies can then be used to gain unauthorised access to sensitive files and attachments in the above-mentioned cloud services.

The CloudScout toolset incorporates custom-built libraries under its CommonUtilities package, which make it more efficient at handling communications and cookie management. This infrastructure includes modules like HTTPAccess and ManagedCookie to facilitate the seamless transfer of stolen data back to Evasive Panda. The data is stored, packed and then transferred using MgBot or Nightdoor.

Recommendation

We recommend users immediately review and strengthen session security measures, notably concerning cloud services. Some proposed countermeasures include security mechanisms like Device Bound Session Credentials (DBSC) and App-Bound Encryption, which limit cookie-theft malware’s capabilities by binding sessions to particular devices.

To minimize vulnerability:

  • Review current session management and authentication policies.
  • Upgrade to protocols that support Device Bound Credentials for Google services.
  • Respond rapidly to signs of unauthorized session activity.

Suspected Russian Espionage Group Deploys Malware Targeting Ukrainian Military via Telegram

Overview

A known Russian espionage group has evolved its cyber-espionage campaign against the Ukrainian military to deliver Windows and Android malware. This group, known as UNC5812, has been actively present on Telegram using a channel called “Civil Defense” created in September 2024.

While this channel pretends to be a legitimate platform advertising software that helps Ukrainian conscripts find military recruiters, its real goal is malicious. The malware is distributed via links in the Telegram channel that lure users into installing tailored software which delivers the payload. The campaign employs a personalized map tool, SUNSPINNER, designed for devices with Google Play Protect turned off, which puts them in grave danger.

Impact

UNC5812’s operation compromises the devices of Ukrainian military personnel by deploying malware through the Civil Defense Telegram channel and its website. This latest campaign is part of an overarching influence and espionage operation aimed at Android devices and Windows operating systems separately.

Windows Devices: Once the user is targeted, they are urged to download a PHP-based malware loader called Pronsis. This loader then distributes SUNSPINNER and a stealer malware called PureStealer. PureStealer is a commercially available spyware tool with capabilities ranging from credential theft to file exfiltration, posing severe risks to privacy and security.

Android Devices: Users are tricked into downloading an APK with the package name “com.HTTP.masters”. The APK embeds a RAT called CraxsRAT. It enables extensive spyware functions, including keylogging, remote control of gestures, media access, etc., effectively turning the infected device into a surveillance tool.

The malware relies on social engineering: unsuspecting users are walked through the installation steps after being told to disable Google Play Protect, so the app is installed with no protection in place, which is a very high-risk situation.

With these compromised devices, UNC5812 can grab hold of sensitive information to continue its espionage and influence mission against Ukraine.

Recommendation

Security researchers recommend avoiding any interaction with the Civil Defense Telegram channel.

Windows Users: Do not download files from untrusted sites unless they have been scanned by the Windows built-in antivirus and anti-malware tools.

Android Users: Do not disable Google Play Protect, particularly if instructed to do so by unofficial apps or websites. App protection increases defense against threats like CraxsRAT.

Organizational Measures: Deploy organizational cybersecurity measures that educate employees about the dangers of downloading applications from untrusted sources, particularly in military or high-security contexts.

Emerging Threat: BeaverTail Malware Hidden in Malicious npm Packages

Overview

BeaverTail, an information-stealing malware, has been found embedded in multiple npm packages that target developer systems. The campaign was identified in September 2024 and is associated with the North Korean-backed activity tracked as “Contagious Interview.” The packages have now been removed from the npm registry. Basically, they are carefully designed clones of popular JavaScript libraries.

The three identified packages are:

  • passports-js
  • bcrypts-js
  • blockscan-api

They accumulated many downloads before removal, and the malware they carry, BeaverTail, is both a downloader and an information stealer. It therefore poses a huge threat to the open-source software community.

Impact

BeaverTail is still a threat to developers, especially those working in the cryptocurrency and software sectors. Attackers use this library-like malware to exploit developers who typically perceive legitimate-looking packages as trustworthy, packages resembling etherscan-api or other well-known libraries. What’s more, once installed, the malware can download additional payloads.

The Contagious Interview campaign is tied to North Korean threat actors. Since last year, the attackers have expanded tactics to lure developers with seemingly harmless packages. It is a worrying trend of strategic targeting, where developers have become unwitting entry points bringing malware into broader software ecosystems.

All in all, supply-chain attacks (especially through open-source components such as Kubernetes) in today’s cloud world will lead to more frequent and more damaging identity compromises unless developers and administrators keep evolving their security mindset to match these constantly changing threats.

Recommendation

Cybersecurity experts recommend the following steps to counter the risks BeaverTail and similar threats pose:

  • Verify the source and integrity of npm packages before use. Do not download unverified or newly uploaded packages, especially if they are named similarly to widely used ones.
  • Prefer packages with established security practices and community validation. Examine reviews and watch out for alert messages about suspect activity on essential libraries.
  • Keep updating npm packages to avoid vulnerabilities in outdated versions.
  • Automate monitoring with scripted solutions to receive immediate alerts for any new threats in your development pipeline.
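As an added illustration that is not part of the briefing, the Python script below applies the first two recommendations to a package.json: it flags dependencies whose names collapse to a vetted package’s name (or sit within a short edit distance of one), and unvetted packages whose registry creation date is recent. The vetted list, the sample package.json and the registry dates are assumptions constructed for the example.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

VETTED = {"passport", "bcryptjs", "etherscan-api", "express"}  # assumption: team-vetted packages

# Constructed sample package.json naming the three packages from the report.
SAMPLE_PACKAGE_JSON = json.dumps({"dependencies": {
    "express": "^4.19.0", "passports-js": "^0.1.0",
    "bcrypts-js": "^2.4.3", "blockscan-api": "^1.0.0"}})

# Constructed first-publish dates; in practice read the registry's time.created field.
NOW = datetime(2024, 11, 8, tzinfo=timezone.utc)
SAMPLE_REGISTRY_META = {"express": datetime(2010, 12, 29, tzinfo=timezone.utc),
                        "blockscan-api": datetime(2024, 9, 2, tzinfo=timezone.utc)}

def normalize(name: str) -> str:
    # Collapse the cosmetic variations lookalike names rely on: case, separators,
    # a trailing "js" and a trailing plural "s" (passports-js -> passport).
    n = re.sub(r"[^a-z0-9]", "", name.lower())
    n = re.sub(r"js$", "", n)
    return re.sub(r"s$", "", n)

def levenshtein(a: str, b: str) -> int:
    # Edit distance, to catch single-character swaps that normalize() misses.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name: str, created: Optional[datetime], now: datetime,
             max_age_days: int = 90) -> str:
    if name in VETTED:
        return "ok"
    for good in VETTED:
        if normalize(name) == normalize(good) or levenshtein(name, good) <= 2:
            return f"lookalike of {good}"
    if created is not None and now - created < timedelta(days=max_age_days):
        return "unvetted, newly published"
    return "unvetted"

def audit(package_json: str, registry_meta: Dict[str, datetime], now: datetime) -> Dict[str, str]:
    # Map every declared dependency to a verdict; anything but "ok" needs human review.
    deps = json.loads(package_json).get("dependencies", {})
    return {name: classify(name, registry_meta.get(name), now) for name in deps}
```

Run audit(SAMPLE_PACKAGE_JSON, SAMPLE_REGISTRY_META, NOW) to see passports-js and bcrypts-js reported as lookalikes of passport and bcryptjs, and blockscan-api as an unvetted, newly published package.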

Newly Discovered OS Downgrade Vulnerability Poses Risk to Windows Kernel Security

Overview

Researchers have discovered a critical vulnerability that is actively being used against Microsoft Windows systems through OS downgrade techniques. The flaw allows attackers to bypass Driver Signature Enforcement (DSE), a key security feature, and thereby load unsigned kernel drivers. Leveraging this, attackers can deploy customized rootkits and maintain stealthy, elevated access even on fully patched Windows versions.

Impact

This vulnerability gives attackers a novel method, an alternative to traditional Bring Your Own Vulnerable Driver (BYOVD) exploits. It uses a tool, “Windows Downdate”, to exploit two existing Windows update vulnerabilities: CVE-2024-21302 and CVE-2024-38202.

These flaws allow attackers to roll back Windows components to unpatched versions. They can also roll back the Windows kernel itself, which exposes the system to severe security risks. This way, the system becomes highly vulnerable to unauthorized code execution at the kernel level.

In essence, the attack relies on downgrading critical OS files such as the ci.dll library to unpatched versions. Ultimately, attackers can exploit DSE bypass mechanisms to load rogue drivers. Virtualization-Based Security (VBS) can mitigate the attack, but only to an extent: the default VBS configuration lacks a UEFI lock, which allows attackers to turn off VBS protections by altering specific registry keys.

Recommendation

To prevent exploitation, admins need to ensure VBS is enabled with a UEFI lock and the “Mandatory” flag (which safeguards against downgrades and halts an unsafe boot process). This configuration reduces the risk of a DSE bypass by enforcing Secure Kernel Code Integrity.

WME’s security experts also recommend that your security solutions proactively monitor for downgrade attempts on critical components.

TeamTNT’s New Cloud Attack Campaign Targeting Cryptocurrency Mining

Overview

The notorious hacking group TeamTNT has launched a new attack on cloud-native environments, marking a significant escalation in its crypto-jacking efforts. Their latest tactics revolve around exploiting vulnerable Docker daemons to deploy malware for cryptocurrency mining. They also aim to rent compromised server resources to third parties, leveraging Docker Hub and exposed API endpoints for distribution and control.

Impact

TeamTNT’s campaign has huge cloud security implications. Their strategy targets exposed Docker API endpoints. It allows them to breach vulnerable cloud environments and convert them into a Docker Swarm.

The compromised servers are used to mine cryptocurrencies and are rented out to other malicious actors. This double approach enhances their revenue: direct crypto mining and selling access to infected resources. They deploy a sophisticated toolset, including the Sliver C2 framework, to remotely command infected servers and create a persistent threat across cloud infrastructures.

Recommendation

To mitigate this threat, organizations should:

  • Secure Docker API endpoints. Ensure they are not publicly accessible without authentication.
  • Update threat detection tools to identify abnormal Docker activity.
  • Use Docker images from trusted sources and periodically review Docker instances.
  • Separate critical resources from external-facing apps.
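As an added example that is not from the briefing, this Python snippet audits a Docker daemon.json for the weak settings the first recommendation addresses: a TCP API listener bound to every interface, and a TCP listener without TLS client verification. The two configurations are constructed for the example and the certificate paths are placeholders.

```python
import json
from typing import List

# Constructed daemon.json pair: the exposed setting beside the corrected one.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # placeholder path
    "tlscert": "/etc/docker/server-cert.pem",   # placeholder path
    "tlskey": "/etc/docker/server-key.pem"})    # placeholder path

ALL_INTERFACES = {"", "0.0.0.0", "[::]", "::"}

def audit_daemon_config(text: str) -> List[str]:
    # Return one finding per weak setting; an empty list means no exposed TCP API.
    cfg = json.loads(text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        # rpartition keeps bracketed IPv6 hosts intact; a missing host or a
        # wildcard address publishes the API on every interface.
        host, _, _port = listener[len("tcp://"):].rpartition(":")
        if host in ALL_INTERFACES:
            findings.append(f"{listener}: API bound to all interfaces")
        if not tls_verify:
            findings.append(f"{listener}: TCP listener without tlsverify (unauthenticated remote API)")
        elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{listener}: tlsverify set but no explicit tlscacert/tlscert/tlskey paths")
    return findings
```

Running audit_daemon_config on WEAK_DAEMON_JSON yields two findings, while HARDENED_DAEMON_JSON yields none.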
