WME Security Briefing 27 June 2024

WME Cybersecurity Briefings No. 016

ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor

Overview

An unknown Golang-based backdoor GoRed is being employed by the cybercrime gang ExCobalt. This group has roots dating back to at least 2016 and possibly originates from the notorious Cobalt Gang. They focus on various sectors in Russia and exploit systems.

Impact

Targets: ExCobalt has targeted multiple sectors i.e. Govt., IT, metallurgy, mining, software development, telecommunications, etc. over the past year, in Russia. The gang gains initial access by exploiting previously compromised contractors. They execute supply chain attacks by infecting legit software components.

They used tools like Metasploit, Mimikatz, ProcDump, SMBExec, Spark RAT, etc. Also, they employed Linux privilege escalation exploits like CVE-2019-13272, CVE-2021-3156, CVE-2021-4034, etc.

GoRed Backdoor allows command execution, credential harvesting, active processes and network interfaces  monitoring, etc. It communicates with its command-and-control (C2) server via the RPC protocol to enable reverse shell access. They export collected data to attacker-controlled infrastructure.

Recommendation

Organizations should strengthen their security posture. Use robust security measures i.e. ATP. Also, ensure all software are from verified suppliers. That said, regularly audit the integrity of software supply chains. Also, apply security patches promptly to address known vulnerabilities and maintain a comprehensive incident response plan.

New Adware Campaign Targets Meta Quest App Seekers

Overview

A new adware is targeting users searching for the Meta Quest (formerly Oculus) app for Windows. The campaign uses the adware family, AdsExhaust. It can exfiltrate screenshots and interact with browsers using simulated keystrokes.

Impact

Via an infection vector, they lure users to a bogus website (“oculus-app[.]com”) through SEO poisoning. The site prompts users to download a ZIP archive (“oculus-app.EXE.zip”) that contains a Windows batch script. It brings more scripts from a command-and-control (C2) server and creates scheduled tasks to run the scripts. They download the legit Meta Quest app and other malicious scripts. As a result, the scripts gather IP and system info, capture screenshots, exfiltrate data, etc. AdsExhaust adware checks for Microsoft’s Edge browser activity. It simulates clicks and interactions to generate ad revenue. It can also fetch keywords from a remote server and perform Google searches to further its ad-clicking scheme.

Recommendation

  • Avoid Suspicious Downloads.
  • Use Antivirus Software.
  • Monitor Browser Activity.
  • Educate Users and Scan Regularly.

U.S. Treasury Sanctions Key Kaspersky Executives Following Software Ban

Overview

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctions 12 senior executives at Kaspersky Lab. This follows the Commerce Department’s ban on the Russian cybersecurity firm in the US, effective July 20, 2024. These measures highlight the U.S. commitment to securing its cyber domain.

Impact

Sanctioned Executives include the Chief Operating Officer, Deputy CEO, Chief Business Development Officer, among others.

Scope of Sanctions: The sanctions do not extend to Kaspersky Lab as an entity, its parent or subsidiary companies.

Operational Restrictions: Kaspersky Lab is banned from providing its software and security services in the U.S.

Entity List Inclusion: The company has been added to the Entity List.

Recommendation

Businesses should review current cybersecurity frameworks and ensure compliance with new regulations. They should replace any Kaspersky software with alternatives before July 20.  Also, IT departments should conduct a comprehensive audit of cybersecurity tools to ensure no Kaspersky products are in use.

Chinese Hackers Deploy SpiceRAT and SugarGh0st in Global Espionage Campaign

Overview

A Chinese-speaking threat actor, SneakyChef, linked to a sophisticated espionage campaign. They target govt. entities in Asia, Europe, the Middle East, and Africa. This campaign has been active since August 2023. It uses malware like SugarGh0st and SpiceRAT to gather intelligence from various govt. organizations.

Impact

Govt. bodies in regions like Asia, EMEA, and US, specifically those involved in AI research. Countries specifically impacted include South Korea, India, Latvia, Saudi Arabia, Turkmenistan, etc.  They used spear-phishing via scanned docs from government agencies, particularly embassies. They use RAR archives containing Windows Shortcut (LNK) files and self-extracting RAR (SFX) archives to deploy malware. They also used techniques like VBS, DLL side-loading, HTML Applications (HTA), etc. to execute malware.

Malware Characteristics:

SugarGh0st: Custom variant of Gh0st RAT. It can control infected systems.

SpiceRAT: It utilizes multiple infection chains i.e. LNK files in RAR archives to sideload malicious DLLs.

Recommendation

To enhance cybersecurity, rigorously monitor and scan email attachments and download links. Govt. agencies should train staff to recognize suspicious emails. Understand the tactics and procedures used by SneakyChef and similar threat actors. Develop custom detection rules for identifying SugarGh0st and SpiceRAT.

SolarWinds Serv-U Vulnerability Under Active Attack – Patch Immediately

Overview

A recently patched critical vulnerability in SolarWinds Serv-U file transfer software is already being exploited. The flaw has been identified as CVE-2024-28995, with a CVSS score of 8.6. It is characterized by a directory traversal bug that enables attackers to read sensitive files on the host machine. All versions of Serv-U prior to and including 15.4.2 HF 1 are affected.

Impact

CVE-2024-28995 allows attackers to read arbitrary files on the server. The flaw is trivial to exploit and is highly dangerous. Affected Products include Serv-U FTP Server 15.4, Serv-U Gateway 15.4, Serv-U MFT Server 15.4, Serv-U File Server 15.4. The Proof-of-concept (PoC) exploits and technical details have been publicly disclosed. A successful exploitation can lead to data exfiltration, credential theft, and further attacks via chaining.

Recommendation

Apply the latest update to mitigate the vulnerability. Verify versions and ensure all instances of Serv-U software are patched. Conduct thorough scans to identify vulnerable versions and monitor network traffic and server logs.

Share:

Facebook
Twitter
LinkedIn
Picture of Wajid Ali

Wajid Ali

Experienced marketing professional with a proven track record of success in building innovative strategies and driving business growth.

Contact Us

=
On Key

More Posts

E-Commerce Security - Solutions for Online Retailers
Azure

E-commerce Security – Solutions for Online Retailers

Today’s hyper-charged e-commerce landscape demands top-notch cybersecurity measures. Cybersecurity for this bustling sector isn’t just about ticking a technical box; it’s the cornerstone of building trust. As businesses and consumers flock to the online space, the

Read More »
WME Cybersecurity Briefings No. 017
Cyber Security

WME Security Briefing 08 July 2024

SnailLoad: A New Stealthy Threat to Web Privacy Overview: Researchers discover a concerning new side-channel attack technique: SnailLoad. It exploits inherent weaknesses in the internet to potentially monitor a user’s web activity without requiring any direct access to

Read More »
WME Cybersecurity Briefings No. 016
Cyber Security

WME Security Briefing 27 June 2024

ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor Overview An unknown Golang-based backdoor GoRed is being employed by the cybercrime gang ExCobalt. This group has roots dating back to at least 2016 and possibly originates

Read More »
Top 7 Office 365 Backup Solutions
Cloud Computing

Top 7 Office 365 Backup Solutions

Let’s explore the top 7 Microsoft 365 (Office 365) backup and recovery solutions. These solutions feature, among others, automated backups, detailed reporting, and efficient deduplication. We will guide you through their pros and cons and what

Read More »
WME Cybersecurity Briefings No. 015
Cyber Security

WME Security Briefing 24 June 2024

Google’s Privacy Sandbox Faces Scrutiny Over User Tracking Allegations Overview Google’s Privacy Sandbox was initially designed to replace third-party cookies in Chrome. It was a more privacy-conscious solution, but the Austrian privacy group Noyb is now

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.

=