WME Security Briefing 27 June 2024

WME Cybersecurity Briefings No. 016

ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor

Overview

A previously unknown Golang-based backdoor, GoRed, is being used by the cybercrime group ExCobalt. The group has been active since at least 2016 and is believed to have originated from the notorious Cobalt Gang. It targets organizations across several sectors in Russia.

Impact

Targets: Over the past year ExCobalt has targeted multiple sectors in Russia, including government, IT, metallurgy, mining, software development and telecommunications. The gang gains initial access through previously compromised contractors and carries out supply chain attacks by infecting legitimate software components.

Their toolset includes Metasploit, Mimikatz, ProcDump, SMBExec and Spark RAT. For privilege escalation on Linux hosts they use known exploits such as CVE-2019-13272, CVE-2021-3156 and CVE-2021-4034.
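The three Linux privilege escalation flaws above are old and patched everywhere, so the practical question is whether a given host still carries them. The script below is an added example, not part of the briefing and not ExCobalt tooling: it does a read-only triage of one Linux host. Version ranges are taken from the upstream advisories; the sudoedit probe is the non-destructive check Qualys published for CVE-2021-3156. Because distributions backport fixes without changing version strings, a version hit means "confirm the vendor patch", not "exploitable"; only the sudoedit probe is a positive result.

```shell
#!/bin/sh
# Added example, not from the briefing or from any ExCobalt tooling: read-only
# triage of a Linux host for the three privilege-escalation CVEs named above.
# Version ranges come from the upstream advisories; distributions backport fixes
# without changing version strings, so a hit means "verify the vendor patch",
# not "exploitable". Run with --live to inspect the current host.

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# A "p" patch suffix such as sudo's 1.9.5p1 is treated as one more component.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/p/, ".", a); gsub(/p/, ".", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# CVE-2021-3156 ("Baron Samedit"): sudo 1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1;
# the upstream fix is 1.9.5p2.
sudo_version_affected() {
    if version_lt "$1" 1.8.2;   then return 1; fi
    if version_lt "$1" 1.8.32;  then return 0; fi
    if version_lt "$1" 1.9.0;   then return 1; fi
    if version_lt "$1" 1.9.5p2; then return 0; fi
    return 1
}

# CVE-2019-13272 (ptrace_link): mainline kernels before 5.1.17. The fix was
# backported to supported stable branches, so an older 4.x/5.0 kernel that the
# distro advisory marks as fixed is fine; treat a hit as "confirm".
kernel_version_affected() {
    version_lt "${1%%-*}" 5.1.17     # "5.4.0-150-generic" -> "5.4.0"
}

# CVE-2021-4034 (PwnKit) lives in pkexec. Patched packages keep the same polkit
# version on most distributions, so check whether pkexec is still setuid-root;
# removing that bit (chmod 0755) is the published interim mitigation.
pkexec_setuid() {
    [ -u "${1:-/usr/bin/pkexec}" ]
}

triage_host() {
    if command -v sudo >/dev/null 2>&1; then
        sv=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version //p')
        if sudo_version_affected "$sv"; then
            echo "CHECK sudo $sv is inside the CVE-2021-3156 range; confirm vendor patch"
        else
            echo "ok    sudo $sv is outside the CVE-2021-3156 range"
        fi
        # Qualys' non-destructive probe: a vulnerable sudoedit answers
        # "not a regular file", a patched build prints its usage text.
        if command -v sudoedit >/dev/null 2>&1 &&
           sudoedit -s / 2>&1 | grep -q 'not a regular file'; then
            echo "VULN  sudoedit probe says CVE-2021-3156 is exploitable here"
        fi
    fi
    kv=$(uname -r)
    if kernel_version_affected "$kv"; then
        echo "CHECK kernel $kv is below 5.1.17; confirm the CVE-2019-13272 backport"
    else
        echo "ok    kernel $kv is at or above 5.1.17"
    fi
    if pkexec_setuid; then
        echo "CHECK pkexec is setuid-root; confirm the CVE-2021-4034 patch or drop the bit"
    else
        echo "ok    pkexec is absent or not setuid"
    fi
    return 0
}

case "${1:-}" in
    --live) triage_host ;;
esac
```

Run it as an unprivileged user with `sh triage.sh --live`; it never writes anything. The version comparison is pure so the thresholds can be extended with further CVEs without touching the host-facing part.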

The GoRed backdoor supports command execution, credential harvesting, and monitoring of running processes and network interfaces. It communicates with its command-and-control (C2) server over an RPC protocol and can provide reverse shell access. Collected data is exported to attacker-controlled infrastructure.

Recommendation

Organizations should strengthen their security posture with robust controls such as advanced threat protection (ATP), ensure all software comes from verified suppliers, and regularly audit the integrity of their software supply chains. Apply security patches promptly, in particular for the Linux privilege escalation flaws listed above, and maintain a comprehensive incident response plan.

New Adware Campaign Targets Meta Quest App Seekers

Overview

A new adware campaign is targeting users searching for the Meta Quest (formerly Oculus) app for Windows. The campaign delivers the AdsExhaust adware family, which can exfiltrate screenshots and interact with browsers using simulated keystrokes.

Impact

Victims are lured through SEO poisoning to a bogus website (“oculus-app[.]com”). The site prompts them to download a ZIP archive (“oculus-app.EXE.zip”) containing a Windows batch script. The script fetches further scripts from a command-and-control (C2) server and creates scheduled tasks to run them. Those scripts download the legitimate Meta Quest app along with additional malicious scripts, which gather IP and system information, capture screenshots and exfiltrate the data. The AdsExhaust component checks whether Microsoft Edge is active and simulates clicks and interactions to generate ad revenue. It can also fetch keywords from a remote server and perform Google searches to extend its ad-clicking scheme.

Recommendation

  • Avoid suspicious downloads; obtain the Meta Quest app only from Meta’s official site, not from search results.
  • Use antivirus software and keep it current.
  • Monitor browser activity for unexpected Edge sessions, automated searches or unexplained scheduled tasks.
  • Educate users and scan endpoints regularly.

U.S. Treasury Sanctions Key Kaspersky Executives Following Software Ban

Overview

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned 12 senior executives at Kaspersky Lab. This follows the Commerce Department’s ban on the Russian cybersecurity firm’s products in the U.S., effective July 20, 2024. The measures underline the U.S. government’s stated commitment to securing its cyber domain.

Impact

Sanctioned Executives: They include the Chief Operating Officer, the Deputy CEO and the Chief Business Development Officer, among others.

Scope of Sanctions: The sanctions do not extend to Kaspersky Lab as an entity, its parent or subsidiary companies.

Operational Restrictions: Kaspersky Lab is banned from providing its software and security services in the U.S.

Entity List Inclusion: The company has been added to the Entity List.

Recommendation

Businesses should review their current cybersecurity frameworks and ensure compliance with the new restrictions. Any Kaspersky software should be replaced with alternatives before July 20, and IT departments should conduct a comprehensive audit of their security tooling to confirm that no Kaspersky products remain in use.

Chinese Hackers Deploy SpiceRAT and SugarGh0st in Global Espionage Campaign

Overview

A Chinese-speaking threat actor, SneakyChef, has been linked to a sophisticated espionage campaign targeting government entities in Asia, Europe, the Middle East and Africa. The campaign has been active since August 2023 and uses the SugarGh0st and SpiceRAT malware families to gather intelligence from government organizations.

Impact

Targets are government bodies in Asia, EMEA and the U.S., including organizations involved in AI research. Countries specifically affected include South Korea, India, Latvia, Saudi Arabia and Turkmenistan. The actor uses spear-phishing with lures posing as scanned documents from government agencies, particularly embassies. The emails carry RAR archives containing Windows Shortcut (LNK) files or self-extracting RAR (SFX) archives that deploy the malware, and execution relies on techniques such as VBS scripts, DLL side-loading and HTML Applications (HTA).

Malware Characteristics:

SugarGh0st: A custom variant of Gh0st RAT that gives the operator remote control of infected systems.

SpiceRAT: Delivered through multiple infection chains, for example LNK files inside RAR archives that side-load malicious DLLs.

Recommendation

Rigorously monitor and scan email attachments and download links, and train staff at government agencies to recognize suspicious emails. Study the tactics and procedures used by SneakyChef and similar actors, and develop custom detection rules for SugarGh0st and SpiceRAT.

SolarWinds Serv-U Vulnerability Under Active Attack – Patch Immediately

Overview

A recently patched critical vulnerability in SolarWinds Serv-U file transfer software is already being exploited. The flaw, tracked as CVE-2024-28995 with a CVSS score of 8.6, is a directory traversal bug that lets attackers read sensitive files on the host machine. All versions of Serv-U up to and including 15.4.2 HF 1 are affected.

Impact

CVE-2024-28995 allows attackers to read arbitrary files on the server. The flaw is trivial to exploit and highly dangerous. Affected products include Serv-U FTP Server 15.4, Serv-U Gateway 15.4, Serv-U MFT Server 15.4 and Serv-U File Server 15.4. Proof-of-concept (PoC) exploits and technical details have been publicly disclosed. Successful exploitation can lead to data exfiltration, credential theft and further attacks through chaining.

Recommendation

Apply the latest update (15.4.2 HF 2) to mitigate the vulnerability. Verify versions and ensure all instances of Serv-U are patched. Scan for vulnerable versions, and monitor network traffic and server logs for traversal attempts against the file server.
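Monitoring server logs for this class of bug means looking for parent-directory steps in request paths, including the URL-encoded and double-encoded spellings scanners use to slip past naive filters. The script below is an added example, not part of the briefing and not SolarWinds code. The log lines are constructed for illustration in the common Apache/nginx "combined" layout with RFC 5737 documentation addresses; Serv-U's own log layout differs, so the field index would need adjusting for real logs.

```shell
#!/bin/sh
# Added example, not from the briefing or from SolarWinds: flag path-traversal
# attempts of the kind CVE-2024-28995 relies on in an access log. The sample
# lines below are constructed in the Apache/nginx "combined" layout, assumed
# here for illustration; Serv-U's own log layout differs, so adjust the field
# index. Raw "../" and "..\" are caught along with URL-encoded and
# double-encoded forms.

# sample_log: constructed log lines (RFC 5737 documentation addresses), not
# real traffic. Lines 2, 3, 4 and 6 carry a parent-directory step.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [27/Jun/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Jun/2024:10:01:03 +0000] "GET /?dir=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [27/Jun/2024:10:01:04 +0000] "GET /?dir=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 300 "-" "python-requests/2.31"
198.51.100.7 - - [27/Jun/2024:10:01:05 +0000] "GET /?dir=%252e%252e%255cconfig HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.9 - - [27/Jun/2024:10:01:06 +0000] "GET /files/report..pdf HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Jun/2024:10:01:07 +0000] "GET /?dir=..\..\Program%20Files HTTP/1.1" 200 100 "-" "curl/8.0"
EOF
}

# traversal_hits: read log lines on stdin; print "ip<TAB>raw path<TAB>decoded
# path" for each request whose decoded path contains ".." followed by a slash
# or backslash. Field 7 is the request path in the combined layout.
traversal_hits() {
    awk '
    function hex2dec(h,    i, v) {
        v = 0
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
        return v
    }
    function urldecode(s,    out, c) {
        out = ""
        while (length(s) > 0) {
            c = substr(s, 1, 1)
            if (c == "%" && substr(s, 2, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                out = out sprintf("%c", hex2dec(substr(s, 2, 2)))
                s = substr(s, 4)
            } else {
                out = out c
                s = substr(s, 2)
            }
        }
        return out
    }
    {
        raw = $7
        dec = urldecode(urldecode(raw))   # second pass undoes %25 double-encoding
        if (dec ~ /\.\.[\/\\]/)
            printf "%s\t%s\t%s\n", $1, raw, dec
    }'
}

# traversal_count: number of flagged requests on stdin, handy for alert thresholds.
traversal_count() {
    traversal_hits | awk 'END { print NR }'
}

sample_log | traversal_hits
```

Decoding twice is deliberate: a request for `%252e%252e%255c` looks harmless after one pass (`%2e%2e%5c`) and only becomes `..\` after the second, which is exactly how double-encoding evades single-pass filters. A literal `report..pdf` is left alone because the dots are not followed by a separator.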


Wajid Ali

Experienced marketing professional with a proven track record of success in building innovative strategies and driving business growth.
