Research Saturday

Lancefly screams bloody Merdoor.

Brigid O Gorman from Symantec joins Dave to discuss their research, “Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors." Researchers discovered in 2020 that Lancefly, an APT group, is using a custom-written backdoor in attacks targeting government, aviation, educations, and telecoms organizations in South and Southeast Asia. The research states "The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted." These targets, though observed in some activity in 2020 and 2021, started in 2022 and have continued into 2023.

Transcript

8 GoAnywhere MFT breaches and counting.

This week, our guests are Emily Austin and Himaja Motheram from Censys and their sharing their research - "Months after first GoAnywhere MFT zero-day attacks, Censys still sees about 180 public admin panels." In early February 2023, Censys researchers discovered a zero-day RCE vulnerability in Fortra’s “GoAnywhere MFT” (Managed File Transfer) software. After finding this the Clop ransomware gang claimed that they exploited this vulnerability to breach the data of 130 organizations and Censys found other ransomware groups were jumping on the bandwagon. They said " A single vulnerable instance has the potential to serve as a gateway to a data breach that could potentially impact millions of individuals."

Transcript

Dangerous vulnerabilities in H.264 decoders.

Willy R. Vasquez from The University of Texas at Austin discussing research on "The Most Dangerous Codec in the World - Finding and Exploiting Vulnerabilities in H.264 Decoders." Researchers are looking at the marvel that is modern video encoding standards such as H.264 for vulnerabilities and ultimately hidden security risks. The research states "We introduce and evaluate H26FORGE, domain-specific infrastructure for analyzing, generating, and manipulating syntactically correct but semantically spec-non-compliant video files." Using H26FORCE, they were able to uncover insecurities in depth across the video decoder ecosystem, including kernel memory corruption bugs in iOS and video accelerator and application processor kernel memory bugs in Android devices.

Transcript

Running away from operation Tainted Love.

Aleksandar Milenkoski and Juan Andres Guerrero-Saade from SentinelOne's SentinelLabs join Dave to discuss their research "Operation Tainted Love | Chinese APTs Target Telcos in New Attacks." Researchers found initial phases of attacks against telecommunication providers in the Middle East in Q1 in 2023. The research states "We assess that this activity represents an evolution of tooling associated with Operation Soft Cell." While the exact grouping is unclear, researchers think it is highly likely that the threat actor is a Chinese cyberespionage group in the nexus of Gallium and APT41.

Transcript

Phishing campaign takes the energy out of Chinese nuclear industry.

Ryan Robinson from Intezer to discuss his team's work on "Phishing Campaign Targets Chinese Nuclear Energy Industry." The research team discovered activity targeting the nuclear energy industry in China. Researchers attributed the activity to Bitter APT, a South Asian APT that is known to target the energy, manufacturing and government sectors, mainly in Pakistan, China, Bangladesh, and Saudi Arabia. The article states "We identified seven emails pretending to be from the Embassy of Kyrgyzstan, being sent to recipients in the nuclear energy industry in China. In some emails, people and entities in academia are also targeted, also related to nuclear energy." By luring recipients in, invites them to join conferences on subjects that are relevant to them, they are then able to social engineer the victims.

Transcript