At a glance.
- Wide-ranging cyberespionage campaign by China's Ministry of State Security.
- EvilProxy phishing tool targets executives, and defeats multifactor authentication.
- Vulnerabilities in CPUs.
- Yashma ransomware targets a wide range of countries.
- Gootloader malware-as-a-service afflicts law firms.
- MacOS threat trends.
Wide-ranging cyberespionage campaign by China's Ministry of State Security.
Recorded Future’s Insikt Group has published a report on RedHotel, a threat actor answering to China's Ministry of State Security that is prospecting targets primarily in Southeast Asia but in other regions as well. Microsoft tracks RedHotel as Charcoal Typhoon; Secureworks calls it Bronze University. The operation appears to be run for the Ministry of State Security by contractors operating from Chengdu. Recorded Future thinks RedHotel's activity is marked by unusual scope and intensity. "Since at least 2019," the Insikt Group writes, "RedHotel has exemplified a relentless scope and scale of wider PRC state-sponsored cyber-espionage activity by maintaining a high operational tempo and targeting public and private sector organizations globally. The group often utilizes a mix of offensive security tools, shared capabilities, and bespoke tooling." The shared commodity tools, the Record says, include ShadowPad and Winnti; the bespoke malware includes Spyder and FunnySwitch.
EvilProxy phishing tool targets executives, and defeats multifactor authentication.
Proofpoint describes a surge in cloud account takeovers by threat actors using a reverse proxy tool, EvilProxy, in spearphishing campaigns that compromise multifactor-protected credentials and session cookies. It's an adversary-in-the-middle campaign specializing in advanced account takeover methods: the proxy relays the victim's login, MFA step included, to the legitimate site and captures the authenticated session cookie that comes back, so the attacker never needs to replay the second factor. The use of reverse proxy tools is a foreseeable criminal response to the growing adoption of multifactor authentication security measures. Multifactor authentication remains an important security tool, but, as with any other technology, it isn't foolproof and doesn't amount to a panacea.
Vulnerabilities in CPUs.
Several generations of Intel’s x86 processors are vulnerable to a data leak flaw called “Downfall,” CyberScoop reports. Daniel Moghimi, a computer security expert at the University of California, San Diego, and Google found that an attacker running one application could exploit the flaw to “steal passwords, encryption keys, and other sensitive data” from another application.
Moghimi told CyberScoop, “When you have a vulnerability like this, essentially this software-hardware contract is broken, and the software can access physical memory inside the hardware that was supposed to be abstracted away from the user program. It violates a lot of assumptions we make in general about operating system security.”
Intel said in a statement that the attack “would be very complex to pull off” outside of “the controlled conditions of a research environment.”
AMD processors also exhibit a vulnerability of their own. BleepingComputer reports that all AMD Zen CPUs are vulnerable to a hardware flaw that “can leak privileged secrets and data using unprivileged processes.” Researchers at ETH Zurich discovered the flaw and created an exploit called “Inception” that “creates an infinite transient loop in hardware to train the return stack buffer with an attacker-controlled target in all existing AMD Zen microarchitectures.”
Yashma ransomware targets a wide range of countries.
Cisco Talos warns that a new threat actor is using the Yashma ransomware to target “victims in English-speaking countries, Bulgaria, China, and Vietnam.” The researchers state, “Talos assesses with moderate confidence that the threat actor may be of Vietnamese origin because their GitHub account name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization’s name. The ransom note also asks victims to contact them between 7 and 11 p.m. UTC+7, which overlaps with Vietnam’s time zone.”
Talos also notes that the threat actor’s ransom note mimics the one used by WannaCry.
Gootloader malware-as-a-service afflicts law firms.
Trustwave describes activity by the Gootloader malware delivery service, finding that a significant portion (46%) of cases involving Gootloader afflict law firms. Gootloader is distributed via watering-hole sites hosting phony legal documents, with SEO keywords such as “agreements,” “contracts,” and “forms.”
Trustwave states, “Gootloader's SEO poisoning watering hole technique targeting legal-related search terms represents a significant threat to organizations or even individuals, seeking legal information online. By manipulating search engine results and luring unsuspecting users to compromised websites, Gootloader takes advantage of users' trust in search results to deliver malicious payloads.”
MacOS threat trends.
Bitdefender has published its macOS Threat Landscape Report, finding that “Trojans are the biggest single threat to Macs, accounting for more than half of threat detections.” The researchers state, “EvilQuest remains the single most common piece of malware targeting Macs, with a 52.7% share. It bundles a ransomware component designed to encrypt and pilfer the victim’s files, as well as a keylogger to record keystrokes and steal personal or financial data. While most antivirus vendors recognize and block EvilQuest, its continued abundance indicates that attackers still use it in a spray-and-pray fashion, hoping to catch unprotected systems in their nets.”