In this briefing: Chinese threat actor exploits VMware ESXi zero day. Cyberespionage campaign targets Libya. ChamelGang uses DNS-over-HTTPS tunneling. Cyber risk trends for small and medium businesses.

Researchers at Bolster have observed a phishing campaign that’s impersonating more than a hundred clothing and footwear brands.

Chinese threat actor exploits VMware ESXi zero day.

Mandiant says a Chinese cyberespionage actor tracked as "UNC3886" is using a VMware ESXi zero-day flaw "that enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs." After exploiting the vulnerability, the threat actor deployed "backdoors on ESXi hosts using an alternative socket address family, VMCI, for lateral movement and continued persistence. This address family enabled direct reconnection from any guest VM to the compromised ESXi host’s backdoor regardless of network segmentation or firewall rules in place."

Charles Carmakal, CTO, Mandiant Consulting, Google Cloud, offered the following comments:

"UNC3886 is one of the most clever China-nexus espionage actors that we see nowadays. They have strong operational security and are very hard to detect in victim environments. They monitor Mandiant's blogs that describe their tradecraft and they quickly retool to evade detection. They try to limit their malware deployment to victim systems that do not support endpoint detection and response (EDR) solutions, making it very difficult for organizations to detect their intrusions. They've successfully compromised defense, technology, and telecommunications organizations with mature security programs in place."

Cyberespionage campaign targets Libya.

Check Point describes an espionage campaign that targeted entities in Libya with a new backdoor tracked as "Stealth Soldier." The threat actor used phishing sites that purported to belong to the Libyan Foreign Affairs Ministry. The researchers discovered ties with the state-sponsored Eye on the Nile campaign that targeted civil society organizations in Egypt in 2019. Check Point states, "Stealth Soldier is a custom implant, likely used in a limited set of targeted attacks. The implant enables surveillance operations and supports functionality such as keystroke logging and screenshot and microphone recordings. The different versions found suggest that Stealth Soldier is actively maintained as of January 2023, the compilation timestamp of its latest version."

ChamelGang uses DNS-over-HTTPS tunneling.

Researchers at Stairwell have observed a new strain of Linux malware that uses DNS-over-HTTPS (DoH) tunneling. The malware was developed by ChamelGang, a China-aligned threat actor that's targeted "energy, aviation, and government organizations in Russia, the United States, Japan, Turkey, Taiwan, Vietnam, India, Afghanistan, Lithuania, and Nepal." The researchers state, "The implant’s C2 configuration is a JSON object containing two keys. This configuration is then used by the implant to craft DoH requests using the configured providers and malicious nameservers, encoding its C2 communications as subdomains of the malicious nameserver and issuing TXT requests for the generated domain containing the encoded C2 communications. Due to these DoH providers being commonly utilized DNS servers for legitimate traffic, they cannot easily be blocked enterprise-wide. Additionally, HTTPS prevents inspection of these requests without man-in-the-middling the traffic, so defenders cannot easily identify what domain requests are being made over DoH and selectively detect or prevent anomalous traffic such as ChamelDoH’s encoded communications."
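The mechanism Stairwell describes (C2 bytes encoded as subdomain labels under an attacker-controlled nameserver, fetched as TXT records through a public DoH provider) is easier to reason about with a concrete encoder, decoder, and detector side by side. The block below is an added example written for this briefing, not Stairwell's code or ChamelDoH's actual encoding: the base32 label scheme, the apex `attacker-example.test` (a reserved TLD that resolves nowhere), the log format, and the detection thresholds are all assumptions. The two DoH URLs are the public JSON-API endpoints of Google and Cloudflare and are only used to build the request string; nothing is sent. The detector only works where queries are visible to you, which is the point of the quoted caveat: at an enterprise resolver that DoH is forced through, behind a TLS-inspecting proxy, or on the authoritative side, never from opaque HTTPS alone.

```python
"""Added example: a DoH/TXT tunnel of the kind Stairwell describes, and one
way to flag it in resolver logs you can actually see."""
import base64
import hashlib
import math
import re
from collections import Counter, defaultdict
from urllib.parse import quote

# Hypothetical attacker apex; .test is reserved, so this never resolves.
MALICIOUS_NS = "attacker-example.test"
# Public DoH JSON endpoints, the sort an implant config lists as "providers".
DOH_PROVIDERS = ["https://dns.google/resolve", "https://cloudflare-dns.com/dns-query"]
MAX_LABEL = 63   # RFC 1035 label limit
MAX_NAME = 253   # RFC 1035 presentation-form name limit


def encode_c2(payload: bytes, apex: str = MALICIOUS_NS) -> str:
    """Pack raw C2 bytes into unpadded base32 labels under the attacker apex.
    Base32 survives DNS case folding; labels are cut at 63 octets."""
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join(labels + [apex])
    if len(name) > MAX_NAME:
        raise ValueError("payload does not fit in one query name")
    return name


def decode_c2(name: str, apex: str = MALICIOUS_NS) -> bytes:
    """What the attacker's authoritative server does with the queried name."""
    if not name.endswith("." + apex):
        raise ValueError("name is not under the expected apex")
    b32 = name[:-len(apex) - 1].replace(".", "").upper()
    b32 += "=" * (-len(b32) % 8)   # restore base32 padding
    return base64.b32decode(b32)


def doh_txt_query_url(name: str, provider: str) -> str:
    """The DoH GET an implant would issue for a TXT record (built, not sent)."""
    return f"{provider}?name={quote(name)}&type=TXT"


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


# Constructed resolver log format: timestamp, client, qtype, qname.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<qtype>[A-Z]+) (?P<name>\S+)$")


def flag_tunnel_candidates(log_lines, min_queries=3, min_len=40, min_entropy=3.5):
    """Flag (client, apex) pairs issuing several distinct TXT queries whose
    subdomain part is long and high-entropy: the shape of encoded beacons.
    Thresholds are starting points to tune against your own baseline."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["qtype"] != "TXT":
            continue
        labels = m["name"].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue
        apex = ".".join(labels[-2:])   # naive registrable-domain split
        sub = "".join(labels[:-2])
        if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
            seen[(m["src"], apex)].add(sub)
    return sorted(k for k, v in seen.items() if len(v) >= min_queries)


def build_sample_log():
    """Constructed sample: benign TXT lookups plus three beacons from one host.
    Beacon bodies are hashes standing in for encrypted/compressed C2 data."""
    lines = [
        "2023-06-14T10:00:01Z 10.0.0.5 A www.example.com",
        "2023-06-14T10:00:02Z 10.0.0.5 TXT _dmarc.example.com",
        "2023-06-14T10:00:03Z 10.0.0.5 TXT selector1._domainkey.example.com",
    ]
    for i in range(3):
        beacon = hashlib.sha256(f"beacon{i}".encode()).digest()
        lines.append(f"2023-06-14T10:00:{10 + i:02d}Z 10.0.0.7 TXT {encode_c2(beacon)}")
    return lines


if __name__ == "__main__":
    name = encode_c2(b"id=host7;cmd=whoami")
    print(doh_txt_query_url(name, DOH_PROVIDERS[0]))
    print(decode_c2(name))
    print(flag_tunnel_candidates(build_sample_log()))
```

The detector keys on the trait the quoted description implies rather than on any indicator: one client repeatedly asking for distinct, long, random-looking names under a single apex. Benign TXT traffic (DMARC, DKIM selectors, domain-verification records) has short, dictionary-like subdomains and fails the length test before entropy is even computed. The naive two-label apex split will mis-group names under public suffixes such as `co.uk`; use a public-suffix list in production.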