Tag: cybersecurity

  • The Rise of RAT | Deuterbear & SugarGh0st Cyber Espionage Campaigns

    Cybersecurity researchers have recently uncovered more details about Deuterbear, a remote access trojan (RAT) utilized by the China-linked hacking group BlackTech. This cyber espionage campaign has been active in the Asia-Pacific region this year.

    Deuterbear: An Evolved Threat

    According to Trend Micro researchers Pierre Lee and Cyris Tseng, Deuterbear shows significant advancements over its predecessor, Waterbear. These enhancements include:

    • Support for shellcode plugins
    • Operation without handshakes
    • HTTPS for command-and-control (C&C) communication
    • Anti-memory scanning
    • Shared traffic key with its downloader

    BlackTech, also known as Circuit Panda, Earth Hundun, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard, has been active since at least 2007. Traditionally, their cyber attacks have leveraged the Waterbear malware, but since October 2022, an updated version known as Deuterbear has been in use.

    Waterbear’s Infection Pathway

    Waterbear is delivered via DLL side-loading: a patched legitimate executable loads the malicious DLL placed beside it. The chain then proceeds as follows:

    1. Launching a loader that decrypts and executes a downloader.
    2. The downloader contacts a C&C server to retrieve the RAT module.
    3. The RAT module is fetched twice from the attacker’s infrastructure.

    The initial RAT serves as a plugin downloader, while the secondary RAT functions as a backdoor, capable of executing 60 commands to harvest sensitive information from the compromised host.

    Deuterbear’s Infection Pathway

    Deuterbear follows a similar two-stage infection process but with some variations:

    1. A first-stage loader launches a downloader that connects to the C&C server and fetches the Deuterbear RAT.
    2. That RAT establishes persistence by installing a second-stage loader, again executed via DLL side-loading.
    3. The second-stage loader runs a downloader that retrieves the Deuterbear RAT from the C&C server once more, this time for information theft.

    Researchers noted that only the second stage of Deuterbear is typically found on infected systems, because every first-stage component is removed once persistence is established. This complicates analysis and keeps the full chain from being observed in sandboxes and other analysis environments.
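    Both chains above start with DLL side-loading, so the detection a defender wants first is a hunt over image-load telemetry for a DLL that shares its name with a Windows system DLL but is loaded from the launching executable's own directory. The script below is an added example, not Trend Micro's tooling: it runs over constructed Sysmon Event ID 7 style records (field names Image, ImageLoaded, Signed and SignatureStatus follow Sysmon's schema; the watch list of DLL names is an assumption for the demo and should be derived from a clean reference host in practice).

```python
"""Hunt for DLL side-loading in Sysmon Event ID 7 (Image loaded) records.

Added example, not Trend Micro's tooling. Heuristic: a DLL whose name matches a
well-known Windows system DLL, loaded from the launching executable's own
directory rather than System32/SysWOW64 and not carrying a valid signature, is
the classic side-loading pattern used by the loaders described above.
"""
import ntpath

# Watch list of system DLL names frequently abused for side-loading. Assumption
# for the demo; in production derive it from a clean reference host.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def _norm(path):
    """Lower-case and use backslashes so prefix checks are case-insensitive."""
    return path.lower().replace("/", "\\")


def _under(path, prefixes):
    return any(_norm(path).startswith(p) for p in prefixes)


def is_sideload_candidate(event):
    """Return (flagged, reason) for one Sysmon Event 7 record (dict of field -> value)."""
    image = event.get("Image", "")          # the process that performed the load
    loaded = event.get("ImageLoaded", "")   # the DLL that was mapped
    dll_name = ntpath.basename(_norm(loaded))
    if dll_name not in KNOWN_SYSTEM_DLLS:
        return False, "dll name not on watch list"
    if _under(loaded, SYSTEM_DIRS):
        return False, "loaded from a system directory"
    if ntpath.dirname(_norm(loaded)) != ntpath.dirname(_norm(image)):
        return False, "dll not colocated with the executable"
    if event.get("Signed", "").lower() == "true" and event.get("SignatureStatus", "").lower() == "valid":
        return False, "dll carries a valid signature"
    reason = "%s side-loaded from %s by %s" % (dll_name, ntpath.dirname(loaded), ntpath.basename(image))
    if _under(image, USER_WRITABLE_DIRS):
        reason += " (executable runs from a user-writable directory)"
    return True, reason


def hunt(events):
    """Return [(ImageLoaded, reason)] for every flagged record."""
    hits = []
    for event in events:
        flagged, reason = is_sideload_candidate(event)
        if flagged:
            hits.append((event.get("ImageLoaded", ""), reason))
    return hits


# Constructed Sysmon-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\tool.exe", "ImageLoaded": r"C:\Program Files\Vendor\dbghelp.dll",
     "Signed": "true", "SignatureStatus": "Valid"},   # redistributed and signed: benign
    {"Image": r"C:\Program Files\Vendor\tool.exe", "ImageLoaded": r"C:\Program Files\Vendor\tool.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for path, why in hunt(SAMPLE_EVENTS):
        print(path, "->", why)
```

    The colocation and signature checks are what keep the noise down: a vendor that redistributes a Microsoft-signed dbghelp.dll next to its own binary is normal, while an unsigned version.dll beside an executable in a Temp directory is exactly the patched-executable-plus-DLL pairing the loaders above rely on.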

    The Rise of SugarGh0st RAT

    In a related disclosure, Proofpoint detailed a highly targeted campaign aimed at U.S. organizations involved in artificial intelligence, spanning academia, private industry, and government. The activity, attributed to a cluster Proofpoint tracks as UNK_SweetSpecter, deploys the SugarGh0st RAT, a variant of the older Gh0st RAT long used by Chinese-speaking threat actors.

    Targeted Attack Details

    The SugarGh0st RAT campaign, first documented by Cisco Talos in late 2023, targeted the Uzbekistan Ministry of Foreign Affairs and South Korean users. The May 2024 campaign focused on fewer than 10 individuals connected to a leading U.S.-based AI organization. The phishing attack involved AI-themed messages containing a ZIP archive with a Windows shortcut file, leading to a JavaScript dropper that deployed the SugarGh0st payload.
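    A ZIP containing a Windows shortcut that hands off to a JavaScript dropper is a chain an analyst can triage without ever resolving the link, by reading the shortcut's target and arguments straight out of the file. The parser below is an added example, not Proofpoint's or Cisco Talos's tooling, and the shortcut it inspects is a constructed sample, not the campaign's file: it walks the ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo blocks, decodes the StringData fields, and flags any target or argument that names a script engine or a script file.

```python
"""Triage a Windows shortcut (.lnk) for script-interpreter launches.

Added example, not Proofpoint's or Cisco Talos's tooling. Parses the fixed
ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo structures,
and reads the StringData fields (MS-SHLLINK 2.1-2.4) so the shortcut's target
path and arguments can be inspected offline, without resolving the link.
"""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in the order they appear on disk, with their LinkFlags bit.
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
ENGINE_RE = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh|cmd|rundll32|regsvr32)(\.exe)?\b")
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta|ps1)\b")


def parse_lnk(data):
    """Return the StringData fields of a ShellLink as a dict."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:              # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage_lnk(data):
    """Flag shortcuts whose target or arguments invoke a script engine or script file."""
    fields = parse_lnk(data)
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    reasons = sorted({m.group(1) for m in ENGINE_RE.finditer(target)})
    reasons += ["script file (." + m.group(1) + ")" for m in SCRIPT_EXT_RE.finditer(target)]
    return {"fields": fields, "suspicious": bool(reasons), "reasons": reasons}


def build_lnk(relative_path, arguments, name=""):
    """Build a minimal Unicode ShellLink with no IDList/LinkInfo (constructed test input)."""
    flags = IS_UNICODE | 0x08 | 0x20 | (0x04 if name else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + (string_data(name) if name else b"") + string_data(relative_path) + string_data(arguments)


# Constructed samples (assumed lure text and file names, not the campaign's): a shortcut
# that launches a JavaScript file through cmd/wscript, and a plain application shortcut.
DROPPER_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", "/c wscript.exe //e:jscript invite.pdf.js",
                        name="AI conference invitation")
BENIGN_LNK = build_lnk(r"..\Program Files\Notepad++\notepad++.exe", "")

if __name__ == "__main__":
    for label, blob in (("dropper", DROPPER_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob))
```

    Run it over every .lnk extracted from a suspicious archive; a shortcut whose relative path points at cmd.exe and whose arguments name wscript and a .js file is the dropper hand-off to inspect next, and the parser never touches the shell, so it is safe to use on a live sample.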

    Potential Motives

    While the exact goals of the campaign remain unclear, it is speculated that the attackers aim to steal non-public information about generative artificial intelligence (GenAI). This activity coincides with U.S. efforts to restrict China’s access to GenAI tools from companies like OpenAI, Google DeepMind, and Anthropic.

    Additionally, a former Google software engineer was indicted earlier this year for stealing proprietary information and attempting to use it at AI-affiliated technology companies in China. This underscores the ongoing tensions and the potential for Chinese-aligned cyber actors to target U.S. entities with access to advanced AI technologies.

    Conclusion

    These findings highlight the continuous evolution of cyber threats and the sophistication of adversaries like BlackTech and the entities deploying SugarGh0st RAT. Staying informed and vigilant is crucial for organizations to defend against such advanced threats.

  • Over 92,000 D-Link NAS Devices Found With RCE Vulnerability

    The cybersecurity world is currently focused on a severe remote code execution (RCE) vulnerability identified in over 92,000 D-Link Network Attached Storage (NAS) devices. The flaw, which chains a hardcoded account with a command injection, threatens the integrity and security of the impacted devices. It is a pressing issue that deserves a closer look, both to explain the risk and to highlight the immediate need for corrective action.

    Tracked as CVE-2024-3273, this vulnerability allows unauthorized access to D-Link NAS devices, making them susceptible to external manipulation. The exploit authenticates with the backdoor "messagebus" username and an empty password, then abuses the injectable "system" parameter to run arbitrary commands on the device. This can lead to unauthorized data access, alteration of device settings, or disruption of service through denial-of-service attacks.

    The exploitation of this vulnerability has escalated rapidly, with attackers deploying a variant of the Mirai malware, known as skid.x86, to infiltrate vulnerable devices. The Mirai botnet, which has been involved in significant DDoS attacks, poses a substantial threat to the stability and security of online services.
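    Because these devices will never receive a patch, the practical question for an owner is whether anyone has already hit the endpoint. The scanner below is an added example, not D-Link's or Netsecfish's code: it reads access-log lines in Apache/nginx combined format and keys on the two indicators named above, a request as the hardcoded "messagebus" account with an empty password that also carries a "system" parameter. The log lines are constructed, not a real capture; the CGI path in them is the one from the public disclosure, but the scanner matches on the query parameters rather than the path. The injected command travels base64-encoded in the "system" parameter, so the scanner decodes it for the analyst.

```python
"""Scan web-server access logs for CVE-2024-3273 exploitation attempts.

Added example, not D-Link's or Netsecfish's code. It keys on the indicators the
disclosure names: a request authenticating as the hardcoded "messagebus"
account with an empty password and carrying a "system" parameter. The injected
command travels base64-encoded in that parameter, so the scanner decodes it for
the analyst and falls back to the raw value when it is not valid base64.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format (the constructed sample lines below use it).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')


def decode_system_param(value):
    """Decode the base64 command in the 'system' parameter; return the raw value if it is not base64."""
    candidate = value.replace(" ", "+")          # parse_qs turns a literal '+' into a space
    candidate += "=" * (-len(candidate) % 4)     # tolerate stripped padding
    try:
        return base64.b64decode(candidate, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return value


def inspect_request(url):
    """Return a finding dict for a request matching the exploit pattern, else None."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("user", [""])[0] != "messagebus" or "system" not in qs:
        return None
    return {
        "path": parts.path,
        "empty_password": qs.get("passwd", [""])[0] == "",
        "command": decode_system_param(qs["system"][0]),
    }


def scan_log(lines):
    """Return one finding per log line that matches the exploit pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m.group("url"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"), status=int(m.group("status")))
            hits.append(finding)
    return hits


# Constructed sample lines (not a real capture). The CGI path is the one from the
# public disclosure; the scanner matches on the parameters, not the path.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Apr/2024:01:12:33 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=aWQ7dW5hbWUgLWE= HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.9 - - [06/Apr/2024:01:12:40 +0000] "GET /cgi-bin/nas_sharing.cgi?user=admin&passwd=hunter2&cmd=7 HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Apr/2024:01:13:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["path"], "->", repr(hit["command"]))
```

    A 200 response to a decoded command such as a download-and-execute one-liner is the signal that the device is already part of the botnet described above and should be pulled off the network rather than merely firewalled.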

    Netsecfish, the researcher who discovered the vulnerability, published the details after noting that D-Link's end-of-life policy for these devices meant they would not receive patches; in-the-wild exploitation followed soon after that disclosure. Despite prior warnings, D-Link's initial response was insufficient to prevent the risks to thousands of users.

    Following the public disclosure, D-Link issued an advisory urging users to retire or replace the affected end-of-life devices. The company noted that these older models lack automatic update features and real-time alerts, so owners will neither be notified of nor receive a fix.

    Given the severity of the threat and the absence of a patch, owners of the affected devices should take them out of service. Where that is not immediately possible, at minimum remove them from public internet exposure and keep their management and file-sharing interfaces confined to the local network, since NAS devices are popular targets for ransomware and other attacks.

    The discovery of CVE-2024-3273 serves as a stark reminder of the necessity for proactive security practices and timely updates in the digital world. Ethical hackers and cybersecurity professionals must continue to advocate for robust security measures and educate device owners on protecting their digital environments effectively.

    If you liked this article please be sure to check out my other articles here.
