archive

APT

  1. Vulnerable Private Networks: Corporate VPNs Exploited in the Wild

    The details of multiple, critical Pulse Secure SSL VPN vulnerabilities are well known; they were disclosed in detail by two security researchers as part of a talk at Black Hat USA 2019¬†on August 7, 2019. What has not been widely covered, but should come as no surprise, is that APT actors have been actively exploiting these vulnerabilities in order to gain access to targeted networks. The vulnerability being exploited is CVE-2019-11510, which allows a remote unauthenticated attacker to send specially crafted requests that allow read access of arbitrary files on the Pulse Secure VPN. This includes access to databases that the VPN server uses to track sessions, cleartext credentials, and NTLM hashes. Volexity has observed multiple attackers exploiting this vulnerability starting approximately a week after the talk was given. Volexity has worked on multiple incidents where networks, whose remote access is protected by two-factor authentication (2FA), have been intruded upon. […]

  2. Active Exploitation of Newly Patched ColdFusion Vulnerability (CVE-2018-15961)

    If your organization is running an Internet-facing version of ColdFusion, you may want to take a close look at your server. Volexity recently observed active exploitation of a newly patched vulnerability in Adobe ColdFusion, for which no public details or proof-of-concept code exists. In the attack detected by Volexity, a suspected Chinese APT group was able to compromise a vulnerable ColdFusion server by directly uploading a China Chopper webshell. The target server was missing a single update from Adobe that had been released just two weeks earlier. On September 11, 2018, Adobe issued security bulletin APSB18-33, which fixed a variety of issues to include an unauthenticated file upload vulnerability. Per the advisory, this vulnerability was assigned CVE-2018-15961 and affects ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and ColdFusion 2018 (July 12 release). This effectively includes all versions of ColdFusion released over the last four years. […]

  3. Patchwork APT Group Targets US Think Tanks

    In March and April 2018, Volexity identified multiple spear phishing campaigns attributed to Patchwork, an Indian APT group also known as Dropping Elephant. This increase in threat activity was consistent with other observations documented over the last few months in blogs by 360 Threat Intelligence Center analyzing attacks on Chinese organizations and Trend Micro noting targets in South Asia. From the attacks observed by Volexity, what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks. Volexity has also found that, in addition to sending malware lures, the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages. In three observed spear phishing campaigns, the threat actors leveraged domains and themes mimicking those of well-known think tank organizations in the United States. The group lifted articles and themes from […]

  4. OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society

    In May 2017, Volexity identified and started tracking a very sophisticated and extremely widespread mass digital surveillance and attack campaign targeting several Asian nations, the ASEAN organization, and hundreds of individuals and organizations tied to media, human rights and civil society causes. These attacks are being conducted through numerous strategically compromised websites and have occurred over several high-profile ASEAN summits. Volexity has tied this attack campaign to an advanced persistent threat (APT) group first identified as OceanLotus by SkyEye Labs in 2015. OceanLotus, also known as APT32, is believed to be a Vietnam-based APT group that has become increasingly sophisticated in its attack tactics, techniques, and procedures (TTPs). Volexity works closely with several human rights and civil society organizations. A few of these organizations have specifically been targeted by OceanLotus since early 2015. As a result, Volexity has been able to directly observe and investigate various attack campaigns. This report […]

  5. Real News, Fake Flash: Mac OS X Users Targeted

    Volexity recently identified a breach to the website of a well regarded media outlet in the country of Georgia. As part of this breach, the media organization’s website was being leveraged as a component of a malware campaign targeting select visitors. The news organization provides reporting on its website in English, Georgian, and Russian. However, only the Georgian language portion of the website was impacted and used in an effort to distribute malware. The targets were then further narrowed to those that were running the Mac OS X operating system, had not previously visited the website, and had specific browser versions. The attackers accomplished much of this with JavaScript they placed on the media organization’s website. The following JavaScript code was observed on the index page of the Georgian language portion of the website. The attackers appear to have implemented multiple checks to make sure they limited the targeting and […]

  6. PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs

    In the wake of the 2016 United States Presidential Election, not even six hours after Donald Trump became the nation’s President-Elect, an advanced persistent threat (APT) group launched a series of coordinated and well-planned spear phishing campaigns. Volexity observed five different attack waves with a heavy focus on U.S.-based think tanks and non-governmental organizations (NGOs). These e-mails came from a mix of attacker created Google Gmail accounts and what appears to be compromised e-mail accounts at Harvard’s Faculty of Arts and Sciences (FAS). These e-mails were sent in large quantities to different individuals across many organizations and individuals focusing in national security, defense, international affairs, public policy, and European and Asian studies. Two of the attacks purported to be messages forwarded on from the Clinton Foundation giving¬† insight and perhaps a postmortem analysis into the elections. Two of the other attacks purported to be eFax links or documents pertaining to […]

  7. Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence

    In the world of information security, there is never a dull moment. Part of the fun of working in this space is that you always get to see attackers do something new or put a new spin on something old. Last month at the CERT-EU Conference in Brussels, Belgium, Volexity gave a presentation on a recent evolution in how attackers are maintaining persistence within victim networks. The method, which involves modifying the login pages to Cisco Clientless SSL VPNs (Web VPN), is both novel and surprisingly obvious at the same time. Attackers have been able to successfully implant JavaScript code on the login pages that enables them to surreptitiously steal employee credentials as they login to access internal corporate resources. Whether you are proactively monitoring your network or reactively undergoing an incident response, one of the last places you might examine for backdoors are your firewalls and VPN gateway appliances. […]

  8. APT Group Wekby Leveraging Adobe Flash Exploit (CVE-2015-5119)

    As if the recent breach and subsequent public data dump involving the Italian company Hacking Team wasn’t bad enough, it all gets just a little bit worse. Emerging from the bowels of Hacking Team data dump was a Flash 0-day exploit (CVE-2015-5119) that was just patched today by Adobe as covered in APSB15-16. The exploit has since been added into the Angler Exploit Kit and integrated into Metasploit. However, not to be out done, APT attackers have also started leveraging the exploit in targeted spear phishing attacks as well. Before we start dishing the details, there is going to be one main takeaway from this blog post: If you haven’t already, update/patch your Adobe Flash now. Spear Phishing This morning, a well known APT threat group, often referred to as Wekby, kicked off a rather ironic spear phishing campaign. The attackers launched spoofed e-mail messages purporting to be from Adobe. […]

  9. Afghan Government Compromise: Browser Beware

    Visiting a wide-ranging number of websites associated with the Government of Afghanistan may yield visitors an unwanted surprise. For the second time this year, malicious code has surfaced on, cdn.afghanistan.af, a host that serves as a content delivery network (CDN) for the Afghan government. Javascript code from this system is found on several different Afghan Offices, Ministries, and Authorities. This strategic web compromise (SWC) against the Afghan CDN server has effectively turned a large portion of the government’s websites into attack surfaces against visitors. Volexity recently detected malicious code being loaded after a user visited the websites for the President of Afghanistan (www.president.gov.af). Second Round of Attacks In a previous attack highlighted earlier in the year by ThreatConnect. One of the two primary Javascript files accessed from the CDN system was modified to load code from two different malicious URLs. In the past attacks, the following file was modified to […]

  10. Drupal Vulnerability: Mass Scans & Targeted Exploitation

    Yesterday (October 15, 2014), a critical SQL injection vulnerability in version 7 of the popular open source content management system (CMS) Drupal was disclosed by Stefan Horst and detailed in SA-CORE-2014-005. The description of the vulnerability is rather harrowing: Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users. If you think this sounds pretty bad, you are spot on. Along with the advisory, a patch was released to fix the security issue. Unfortunately, patches are also often leveraged to identify exactly how to exploit such vulnerabilities. In this case, it was only […]