In a recent report, Trend Micro details a cyberespionage campaign by a group it tracks as "Earth Estries." Targets include government and technology organizations in several countries, among them the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US.
Trend Micro assesses the operators as experienced in cyberespionage and well resourced. The researchers stop short of attributing the group to a specific country, but they note overlaps in tooling and tradecraft with the China-linked FamousSparrow APT, which points to a possible connection.
In another development, ESET researchers have found that a China-linked threat actor known as "GREF" has been deploying the BadBazaar Android malware through Trojanized versions of the Telegram and Signal messaging apps. The malicious apps were distributed through Google Play and the Samsung Galaxy Store and have since been removed. BadBazaar has previously been used to target Uyghurs and other Turkic ethnic minorities.
Of particular concern is the malicious Signal app, "Signal Plus Messenger," which ESET describes as the first documented case of spying on a victim's Signal communications by covertly linking the compromised device to an attacker-controlled Signal device through Signal's legitimate linked-devices feature. The attacker then receives the victim's messages as if on a second device. Signal users can check for this by reviewing Settings > Linked Devices and removing any device they do not recognize.
Meanwhile, Aqua researchers have discovered a campaign exploiting CVE-2023-32315, a vulnerability in the OpenFire XMPP server disclosed in May 2023, to deliver the Kinsing malware and a cryptominer. The flaw lets an attacker bypass authentication on the admin console and reach the OpenFire setup environment, which should be unreachable once initial setup is complete. From there the attackers create a new admin user and upload a malicious plugin, which runs as code inside the server. Aqua counted 984 vulnerable OpenFire servers still exposed to the internet, the majority in the US, China, and Brazil.
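The two abuse steps Aqua describes (reaching the setup environment after setup is done, then uploading a plugin) are both visible in the admin console's HTTP request log. The following is an added example of a log-triage script, not code from Aqua or the OpenFire project; the NCSA-style log format, the `/plugin-admin.jsp` upload path, and the sample lines are all constructed assumptions and should be adjusted to a real deployment.

```python
import re
from urllib.parse import unquote

# Constructed sample in NCSA/Jetty-style access log format. The admin console's
# real request log format, and the exact plugin-upload endpoint, are assumptions;
# adjust LOG_RE and PLUGIN_UPLOAD_PATH to match your deployment.
SAMPLE_LOG = """\
198.51.100.23 - - [30/Aug/2023:09:14:02 +0000] "GET /login.jsp HTTP/1.1" 200 3211
203.0.113.7 - - [30/Aug/2023:09:14:05 +0000] "GET /setup/index.jsp HTTP/1.1" 200 4100
203.0.113.7 - - [30/Aug/2023:09:14:09 +0000] "GET /setup/%2e%2e/user-create.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [30/Aug/2023:09:15:30 +0000] "POST /plugin-admin.jsp?uploadplugin HTTP/1.1" 302 0
10.0.0.5 - - [30/Aug/2023:10:00:00 +0000] "POST /plugin-admin.jsp?uploadplugin HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)
PLUGIN_UPLOAD_PATH = "/plugin-admin.jsp"  # assumed upload handler in the admin console


def decode_path(path, rounds=3):
    """Decode percent- and %uXXXX-encoding a few times so nested encodings of '..' surface."""
    cur = path
    for _ in range(rounds):
        nxt = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), unquote(cur))
        if nxt == cur:
            break
        cur = nxt
    return cur


def triage(lines, setup_complete=True, admin_allowlist=frozenset()):
    """Return (client_ip, reason, raw_path) findings for suspicious admin-console requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, raw_path = m["ip"], m["method"], m["path"]
        path = decode_path(raw_path.split("?", 1)[0])
        # Dot-dot anywhere in the decoded path is a traversal attempt against the console.
        if ".." in path:
            findings.append((ip, "path-traversal-marker", raw_path))
        # Once initial setup is done, nothing legitimate should touch /setup/ again.
        if setup_complete and path.startswith("/setup/"):
            findings.append((ip, "setup-environment-after-setup", raw_path))
        # A plugin upload is code execution on the server; accept it only from known admin hosts.
        if method == "POST" and path == PLUGIN_UPLOAD_PATH and ip not in admin_allowlist:
            findings.append((ip, "plugin-upload-from-unexpected-source", raw_path))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines(), admin_allowlist=frozenset({"10.0.0.5"})):
        print(finding)
```

On the constructed sample, every finding points at the same external address, which is the pattern to expect: setup pages touched after setup, then a plugin upload from a host that is not a known admin workstation. Pair the log check with a review of the plugins directory and the admin user list on the server itself.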
In a separate investigation, ReversingLabs continues to track "VMConnect," a supply chain campaign that distributes malicious packages on the PyPI repository. The team has identified three more malicious Python packages in the campaign: tablediter, request-plus, and requestspro, the latter two named to pass for the popular requests library. VMConnect shares similarities with earlier activity attributed to Labyrinth Chollima, a sub-group of North Korea's Lazarus Group.
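Package names like request-plus and requestspro work because they look like a trusted name with a small change or a bolted-on suffix. The script below is an added example of a requirements-file audit for such look-alikes; it is not ReversingLabs tooling. The known-good list, the affix list, and the sample requirements are constructed, and the heuristic is deliberately narrow (normalized name, optional affix stripped, edit distance of at most one) to keep false positives low.

```python
import re

# Packages the project is known to depend on. In practice this comes from a curated
# allowlist or the lock file of a known-good build. (Constructed list.)
KNOWN_GOOD = {"requests", "tabulate", "numpy", "urllib3"}

# Affixes that imitation packages commonly bolt on to a trusted name. (Assumed list.)
AFFIXES = ("plus", "pro", "python", "py", "new", "dev", "2", "3")


def normalize(name):
    """Lower-case and drop separators, following PEP 503 name normalization."""
    return re.sub(r"[-_.]+", "", name.lower())


def strip_affixes(name):
    """Remove one leading or trailing affix, if present, so 'requestspro' becomes 'requests'."""
    for affix in AFFIXES:
        if name.endswith(affix) and len(name) > len(affix):
            return name[: -len(affix)]
        if name.startswith(affix) and len(name) > len(affix):
            return name[len(affix):]
    return name


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), row-by-row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious(name, known_good=KNOWN_GOOD, max_distance=1):
    """Return the trusted name this package appears to imitate, or None."""
    norm = normalize(name)
    known_norm = {normalize(k): k for k in known_good}
    if norm in known_norm:
        return None  # it is the trusted package itself
    for candidate in (norm, strip_affixes(norm)):
        for good_norm, good in known_norm.items():
            if levenshtein(candidate, good_norm) <= max_distance:
                return good
    return None


def audit_requirements(lines, known_good=KNOWN_GOOD):
    """Parse requirements.txt-style lines; return {package: imitated_name} for look-alikes."""
    hits = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name = re.split(r"[<>=!~\[; ]", line, 1)[0]
        target = suspicious(name, known_good)
        if target:
            hits[name] = target
    return hits


if __name__ == "__main__":
    # Constructed requirements list mixing the article's package names with benign pins.
    sample = ["requests==2.31.0", "request-plus", "requestspro", "tablediter", "numpy>=1.24  # pinned"]
    print(audit_requirements(sample))
```

Note that tablediter is not caught: it does not sit within one edit of any name on the list, which is the honest limit of a name-distance check. The stronger control is to resolve dependencies only against a pinned, hash-verified lock file so that a package nobody deliberately added cannot be installed at all.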
Additionally, Securonix has warned about the DB#JAMMER campaign, which brute-forces credentials on internet-exposed MSSQL servers and ends with deployment of the FreeWorld ransomware. Once inside, the attackers bring a full toolset: enumeration software, remote access trojans (RATs), exploitation and credential-stealing tools, and the ransomware payload itself. FreeWorld is thought to be a variant of Mimic ransomware, as both share tactics, techniques, and procedures (TTPs); notably, both abuse the legitimate Everything file-search utility to locate the files they encrypt. The entry point is a database listener reachable from the internet with a guessable password, so failed-login monitoring on the SQL Server side gives early warning before any payload lands.
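Brute-force attempts against SQL Server show up as bursts of message 18456 ("Login failed for user") in the ERRORLOG, each carrying the client address. The script below is an added example of a burst detector over those lines; it is not from Securonix. The sample log text is constructed to approximate the ERRORLOG layout, and the threshold and window are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines approximating SQL Server ERRORLOG entries. Real logs contain
# more fields and an "Error: 18456" line before each failure; the layout is an assumption.
SAMPLE_ERRORLOG = """\
2023-08-30 10:01:02.33 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-30 10:01:02.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:01:03.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:01:03.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:01:04.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:01:05.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:01:06.01 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-08-30 10:01:06.88 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-08-30 10:05:00.00 spid52      Starting up database 'tempdb'.
2023-08-30 10:05:11.42 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""

FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_failed_logins(lines):
    """Return (timestamp, user, client_ip) for every 'Login failed' line; other lines are skipped."""
    events = []
    for line in lines:
        m = FAILED_LOGIN_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs with >= threshold failures inside any sliding window.

    Returns {client_ip: (peak_failures_in_window, sorted_users_tried)}.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = (peak, sorted({u for _, u in evs}))
    return alerts


if __name__ == "__main__":
    print(detect_bruteforce(parse_failed_logins(SAMPLE_ERRORLOG.splitlines())))
```

The single failure from the internal host is ignored, while the external address that tries sa and then admin in quick succession is reported with the account names it touched. Login auditing for failed logins must be enabled on the instance for these lines to exist, and the same logic applies to Windows event 18456 records if the server logs to the Application event log instead.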
Another emerging extortion threat has been profiled by Flashpoint. The actor, known as "Ransomed," steals data and then coerces payment with an unusual lever: it threatens to report victims to regulators under data protection laws such as the European Union's General Data Protection Regulation (GDPR), presenting the ransom as cheaper than the fine a breach disclosure could trigger. This departs from typical extortion operations in turning a protective law into pressure against the victim.
In the realm of software vulnerabilities, Contrast Security has reported a deserialization vulnerability (CVE-2023-34040) in Spring for Apache Kafka (Spring-Kafka), the project used to build Kafka-based messaging services. The library deserialized exception objects carried in Kafka record headers, so an attacker able to publish to a consumed topic could plant crafted header data that the consumer deserializes, with consequences ranging from denial of service to remote code execution. The issue is only reachable under specific configuration (the application sets the checkDeserExWhenKeyNull or checkDeserExWhenValueNull container properties to true without using the ErrorHandlingDeserializer, and consumes from a topic untrusted parties can write to). VMware has released patched versions; upgrading Spring-Kafka is the fix, and treating record headers as untrusted input is the general lesson.
Furthermore, Checkmarx has uncovered a campaign active since at least 2021 that targets cryptocurrency developers. The threat actor, referred to as "Prolific," publishes malicious npm packages that exfiltrate sensitive data such as source code and configuration files from developers' machines. The packages are themed around cryptocurrency projects, which points to a financial motive.
Lastly, the Microsoft Threat Intelligence team has warned of a rise in adversary-in-the-middle (AiTM) phishing enabled by phishing-as-a-service (PhaaS) kits. An AiTM site proxies the real login page, so the victim completes multi-factor authentication (MFA) for real while the attacker captures the resulting session cookie; the kits make this possible at high volume. Because the attacker then holds a valid, MFA-backed session, resetting the password alone does not end the intrusion: responders must also revoke the stolen session cookies (sign the user out of every session), and phishing-resistant MFA such as FIDO2 security keys prevents the credential relay in the first place.
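The revocation requirement is easy to state and easy to get wrong in a session store that only checks whether a cookie exists. The block below is an added example, not Microsoft's guidance or code, of a server-side session store that can revoke every session for a user in one step (via a per-user generation counter) and that treats a cookie presented from a different client than the one that logged in as a signal. The client fingerprint inputs, user names, and addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    generation: int   # value of the user's revocation counter when the session was issued
    client_fp: str    # hash of client attributes seen at login


class SessionStore:
    """Minimal server-side session store with bulk revocation and client binding."""

    def __init__(self):
        self._sessions = {}
        self._generation = {}  # per-user counter; bumping it invalidates every older session

    @staticmethod
    def fingerprint(client):
        # Constructed fingerprint: address plus user agent. Real deployments use richer
        # signals (ASN, device identity, token-binding) because a proxy can forward the UA.
        raw = f"{client['ip']}|{client['user_agent']}".encode()
        return hashlib.sha256(raw).hexdigest()

    def issue(self, user, client):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self._generation.get(user, 0), self.fingerprint(client))
        return token

    def validate(self, token, client):
        """Return 'ok', 'unknown', 'revoked', or 'client-mismatch' for a presented cookie."""
        s = self._sessions.get(token)
        if s is None:
            return "unknown"
        if s.generation != self._generation.get(s.user, 0):
            return "revoked"  # issued before the last revoke_all(): dead even if the cookie is intact
        if not hmac.compare_digest(s.client_fp, self.fingerprint(client)):
            return "client-mismatch"  # same cookie, different client: step-up or deny
        return "ok"

    def revoke_all(self, user):
        """Invalidate every existing session for the user without touching the password."""
        self._generation[user] = self._generation.get(user, 0) + 1


def simulate_aitm():
    """Walk through an AiTM cookie theft and the response; returns the status at each step."""
    store = SessionStore()
    victim = {"ip": "198.51.100.20", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/117.0"}
    attacker = {"ip": "203.0.113.9", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/116.0"}
    token = store.issue("alice", victim)  # victim completes MFA through the proxy; proxy captures this cookie
    results = {
        "victim_ok": store.validate(token, victim),
        "attacker_replay": store.validate(token, attacker),
    }
    store.revoke_all("alice")  # incident response: revoke sessions, not only reset the password
    results["after_revoke_victim"] = store.validate(token, victim)
    results["after_revoke_attacker"] = store.validate(token, attacker)
    results["fresh_login"] = store.validate(store.issue("alice", victim), victim)
    return results


if __name__ == "__main__":
    print(simulate_aitm())
```

The client-mismatch result is a signal, not a guarantee: an AiTM proxy can forward the victim's user agent, and the attacker's address may be in the same region. What does hold is the revocation step, which is why the response to a confirmed AiTM compromise is to invalidate sessions and then re-authenticate the user, ideally onto a phishing-resistant factor.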
The threats above span malicious app stores, exposed servers, poisoned package repositories, brute-forced databases, and MFA bypass. The common defensive thread is unglamorous: patch promptly, keep administrative interfaces and database listeners off the internet, verify what you install, and monitor the logs that reveal these intrusions early.