In recent news, cybersecurity threats have been increasingly targeting vulnerabilities in publicly exposed assets such as VPNs and firewalls. Various actors, including APT groups and ransomware gangs, are exploiting these vulnerabilities. While the focus on these assets is understandable, it is crucial not to neglect traditional attack vectors like phishing emails, malicious websites, and social engineering, as they continue to be potent tools in the hands of attackers.
A notable incident in 2023 involved a watering hole attack on the website of a Japanese university research laboratory. This attack was likely aimed at researchers and students, highlighting the vulnerability of academic institutions to cyber threats. It also underscored the need for robust security measures to protect sensitive research data.
The attack leveraged a compromised website to deceive visitors into downloading a fake Adobe Flash Player update. The update, disguised as legitimate software, was actually malware that infected the user's system when executed. Rather than exploiting a software vulnerability, the attackers relied on social engineering to get users to download and run the malware themselves.
The malware, known as FlashUpdateInstall.exe, posed as a legitimate Adobe Flash Player update notification. Its main function was to install the core malware, system32.dll, which carries out the malicious activity on the infected system. According to JPCERT/CC's report, system32.dll was a modified Cobalt Strike Beacon 4.5 payload (watermark 666666) that was injected into the Explorer process using Early Bird injection.
Furthermore, the attackers employed a sophisticated technique involving file name disguise, decoy documents, and customizable malware options such as stealth mode, anti-analysis disabling, document saving, process injection, and automated execution. Cloudflare Workers were leveraged for command and control (C2) operations in this watering hole attack, indicating a broader campaign by the group responsible.
The malware injected a DLL into other processes to evade detection, terminated specific antivirus processes, and used anti-analysis techniques that check system resource usage and look for virtual machine environments. The suspected Cobalt Strike Beacon configuration showed communication with the C2 server over HTTPS on port 443. Malicious code was injected through a downloaded JavaScript file, and dllhost.exe was configured as the spawnto process. The configuration also included user-agent spoofing and the retrieval of additional resources from the server.
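The behaviours described above (a fake Flash Player update being downloaded and run, and dllhost.exe acting as a spawnto host that talks HTTPS on port 443 from an unexpected parent) are the kind of thing a defender can hunt for in endpoint telemetry. The following is an added example, not code from the original article or from JPCERT/CC: it runs simple hunting rules over a handful of constructed log lines. The log format, field names, sample records, IP addresses and the assumption that dllhost.exe is normally started by svchost.exe are all constructed for this example; Adobe Flash Player itself reached end of life at the end of 2020, so any "Flash update" download is worth flagging on its own.

```python
"""Hunting rules for the watering hole behaviours described in the write-up.

Everything here is constructed for illustration: the key=value event format,
the sample events, the process relationships and the baseline assumptions.
"""
import re

# Constructed sample telemetry (one event per line, space-separated key=value pairs).
# Events for pid 4120 model the page's pattern: dllhost.exe spawned by the
# Explorer process (where the beacon was injected) and calling out on 443.
# Events for pid 5000 model a benign dllhost.exe for contrast.
SAMPLE_EVENTS = [
    "type=file_download user=alice url=https://lab.example.edu/update/FlashUpdateInstall.exe",
    "type=process_create pid=4100 ppid=4000 image=C:\\Users\\alice\\Downloads\\FlashUpdateInstall.exe parent=explorer.exe",
    "type=process_create pid=4120 ppid=1200 image=C:\\Windows\\System32\\dllhost.exe parent=explorer.exe",
    "type=net_connect pid=4120 image=C:\\Windows\\System32\\dllhost.exe dst=203.0.113.10 dport=443 proto=tcp",
    "type=process_create pid=5000 ppid=900 image=C:\\Windows\\System32\\dllhost.exe parent=svchost.exe",
    "type=net_connect pid=5000 image=C:\\Windows\\System32\\dllhost.exe dst=10.0.0.5 dport=445 proto=tcp",
]

# Flash Player is end-of-life, so any executable named like a Flash updater is suspect.
FLASH_UPDATE_RE = re.compile(r"flash.*(update|install|player).*\.exe$", re.IGNORECASE)

# Assumption for this example: on the monitored hosts dllhost.exe is normally
# started by svchost.exe (DCOM launch). Tune this baseline to your own environment.
EXPECTED_DLLHOST_PARENTS = {"svchost.exe"}


def parse_event(line):
    """Turn 'k1=v1 k2=v2 ...' into a dict. Values must not contain spaces in this toy format."""
    return dict(kv.split("=", 1) for kv in line.split())


def basename(path):
    """Return the last component of a URL or Windows path."""
    return re.split(r"[\\/]", path)[-1]


def hunt(events):
    """Apply the hunting rules and return a list of findings as tuples."""
    findings = []
    procs = {}  # pid -> process_create event, so network events can be tied to a parent

    for line in events:
        ev = parse_event(line)
        kind = ev["type"]

        if kind == "file_download":
            name = basename(ev["url"])
            if FLASH_UPDATE_RE.search(name):
                findings.append(("fake_flash_update_download", ev["user"], name))

        elif kind == "process_create":
            procs[ev["pid"]] = ev
            name = basename(ev["image"])
            if FLASH_UPDATE_RE.search(name):
                findings.append(("fake_flash_update_executed", ev["pid"], name))

        elif kind == "net_connect":
            proc = procs.get(ev["pid"])
            image = basename(ev["image"]).lower()
            # Rule: dllhost.exe with an unexpected parent making an HTTPS connection
            # matches the spawnto-over-443 pattern described in the report.
            if (
                image == "dllhost.exe"
                and proc is not None
                and proc["parent"].lower() not in EXPECTED_DLLHOST_PARENTS
                and ev["dport"] == "443"
            ):
                findings.append(("suspicious_dllhost_c2", ev["pid"], proc["parent"], ev["dst"]))

    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the rules flag the download and execution of FlashUpdateInstall.exe and the dllhost.exe instance that Explorer spawned and that connected out on 443, while the svchost-launched dllhost.exe talking SMB is left alone. In a real deployment the parent baseline and the port check would be tuned per environment, and the process-tree logic would be fed from EDR or Sysmon data rather than this toy format.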
In conclusion, the incident involving the Japanese university research laboratory serves as a stark reminder of the ongoing threats faced by academic institutions and the importance of implementing robust security measures. As cyber threats continue to evolve, it is essential for organizations to remain vigilant and address vulnerabilities across all attack vectors to protect against malicious activities.
