June 21, 2024
Severity
High
Analysis Summary
China-affiliated cyber-espionage organizations have been connected to an ongoing operation that has penetrated many telecom providers in one Asian nation at least since 2021.
In addition to attempting to obtain credentials, the attackers installed backdoors on the networks of the targeted firms. The cybersecurity researchers did not disclose the targeted nation, but they found evidence that the hostile cyber activity may have begun as early as 2020. They further stated that a university in another Asian nation and an unidentified services provider serving the telecom industry were also targeted.
The tooling used in this campaign overlaps with previous operations carried out in recent years by Chinese threat groups such as Mustang Panda (also known as Earth Preta and Fireant), RedFoxtrot (also known as Needleminer and Nomad Panda), and Naikon (also known as Firefly). This includes custom backdoors capable of intercepting sensitive data and communicating with a command-and-control (C2) server, tracked as COOLCLIENT, QuickHeal, and RainyDay.
It is currently unclear which initial access vector was used to breach the targets. The campaign is nonetheless noteworthy for its use of port scanning tools and for credential theft by dumping Windows Registry hives. The tooling's links to three distinct adversarial groups raise several possibilities: multiple threat actors are collaborating on a single campaign, the attacks are being carried out independently of one another, or a single threat actor is using tools obtained from other groups.
The primary motive for the intrusions is also unknown, although Chinese threat actors have a track record of targeting the global telecom industry. The attackers may have been gathering intelligence on that nation's telecom sector. Another possibility is eavesdropping on communications. Alternatively, the attackers may have been trying to develop a disruptive capability against that nation's critical infrastructure.
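The credential-theft technique mentioned above, dumping Windows Registry hives, leaves a recognisable trace in process-creation telemetry. The following detection logic is an added example and is not part of the original advisory or the researchers' tooling. It assumes a hypothetical normalised event record with `image`, `cmdline` and `user` fields (as an EDR or Sysmon pipeline might produce) and runs over constructed sample events; it flags `reg.exe` invocations that save the SAM, SECURITY or SYSTEM hives, which are the hives an attacker needs to recover local credential material.

```python
import re

# Constructed process-creation events in a hypothetical normalised format.
# These are sample data for the example, not records from the advisory.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg  save HKLM\SAM C:\Users\Public\sam.hiv",
     "user": "CORP\\svc-backup"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "user": "CORP\\alice"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'REG SAVE "HKEY_LOCAL_MACHINE\SECURITY" \\fileserver\share\sec.dat /y',
     "user": "CORP\\svc-backup"},
    {"image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": r"agent.exe --snapshot",
     "user": "NT AUTHORITY\\SYSTEM"},
]

# Credential-bearing hives, under either the short or the long root-key name.
HIVE_PATTERN = re.compile(
    r"(?:hklm|hkey_local_machine)\\(sam|security|system)\b", re.IGNORECASE
)


def is_hive_dump(event):
    """Return the hive name (lower-case) if the event is reg.exe saving a
    credential hive, otherwise None."""
    if not event["image"].lower().endswith("\\reg.exe"):
        return None
    tokens = event["cmdline"].split()
    # The sub-command is the second token; only 'save' writes a hive to disk.
    if len(tokens) < 2 or tokens[1].lower() != "save":
        return None
    match = HIVE_PATTERN.search(event["cmdline"])
    return match.group(1).lower() if match else None


def find_hive_dumps(events):
    """Return (user, hive) pairs for every event that dumps a credential hive."""
    hits = []
    for event in events:
        hive = is_hive_dump(event)
        if hive is not None:
            hits.append((event["user"], hive))
    return hits


if __name__ == "__main__":
    for user, hive in find_hive_dumps(SAMPLE_EVENTS):
        print(f"ALERT: {user} saved the {hive.upper()} hive to disk")
```

The check deliberately keys on the `save` sub-command rather than on any mention of the hive name, so routine `reg query` activity against HKLM does not fire; a real deployment would also correlate with the parent process and with subsequent file transfers of the written hive.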
Impact
- Credential Theft
- Cyber Espionage
- Exposure of Sensitive Data
Indicators of Compromise
IP
- 103.180.161.123
- 110.34.166.198
- 203.159.95.197
- 115.79.207.240
- 206.189.140.171
- 65.60.14.246
MD5
- edada1b4d3393aab4ea96ad495817d12
- 617469a87f5148913abf68536351f3a3
- 3b636a75f3df29efcb6a602204f0a2a2
SHA-256
- 089809e73354648b3caed7db6bc24dcce4f2ef0f327206fd14f36c6619d9ed30
- 3aae73ff8ff5973c74af5a7991ca6a57ce797b7b775e1358efd9d76b67b5797b
- c61daa0df88a33387b94b22bfc0b68d1211a57357aff401613c07832b5192fc0
SHA-1
- e34b3f56c941eeb37ab01110ab4f96d748808ac3
- 410c1f822517145054c8714708d6075d3e35a9bf
- 93cf4530b2288384141594eba8db387fad6c8704
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
- Enable two-factor authentication (2FA) on your accounts. It adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly back up your important data so that no critical information is lost in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.
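The first two remediation items ask for the indicators above to be blocked and searched for. The script below is an added example, not part of the original advisory, showing one way to sweep for them: it loads the advisory's IP and hash indicators, matches the IPs against constructed proxy/firewall log lines (hypothetical format), classifies file hashes reported by an endpoint agent, and provides a chunked hashing helper for checking files on disk.

```python
import hashlib
import re

# Indicators of compromise from the advisory.
IOC_IPS = {
    "103.180.161.123", "110.34.166.198", "203.159.95.197",
    "115.79.207.240", "206.189.140.171", "65.60.14.246",
}
IOC_HASHES = {
    "md5": {
        "edada1b4d3393aab4ea96ad495817d12",
        "617469a87f5148913abf68536351f3a3",
        "3b636a75f3df29efcb6a602204f0a2a2",
    },
    "sha1": {
        "e34b3f56c941eeb37ab01110ab4f96d748808ac3",
        "410c1f822517145054c8714708d6075d3e35a9bf",
        "93cf4530b2288384141594eba8db387fad6c8704",
    },
    "sha256": {
        "089809e73354648b3caed7db6bc24dcce4f2ef0f327206fd14f36c6619d9ed30",
        "3aae73ff8ff5973c74af5a7991ca6a57ce797b7b775e1358efd9d76b67b5797b",
        "c61daa0df88a33387b94b22bfc0b68d1211a57357aff401613c07832b5192fc0",
    },
}

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOGS = [
    "2024-06-21T10:02:11Z proxy src=10.0.4.17 dst=203.159.95.197 dport=443 action=allow",
    "2024-06-21T10:02:15Z proxy src=10.0.4.18 dst=142.250.74.46 dport=443 action=allow",
    "2024-06-21T10:03:40Z fw src=10.0.9.3 dst=65.60.14.246 dport=8080 action=deny",
]

# Constructed (path, hash) records as an endpoint agent might report them.
SAMPLE_FILES = [
    ("C:\\Users\\Public\\update.exe", "EDADA1B4D3393AAB4EA96AD495817D12"),
    ("C:\\Windows\\Temp\\svc.dll", "0123456789abcdef0123456789abcdef"),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def match_ip_logs(lines):
    """Return (ip, line) pairs for every log line containing an IOC IP."""
    hits = []
    for line in lines:
        for ip in IPV4.findall(line):
            if ip in IOC_IPS:
                hits.append((ip, line))
    return hits


def classify_hash(digest):
    """Return the algorithm name if the digest is a known IOC, else None.
    Hash values are compared case-insensitively."""
    digest = digest.lower()
    for algo, known in IOC_HASHES.items():
        if digest in known:
            return algo
    return None


def match_file_hashes(records):
    """Return (path, algorithm) pairs for records whose hash is an IOC."""
    return [(path, algo) for path, digest in records
            if (algo := classify_hash(digest)) is not None]


def digests_of_bytes(data):
    """Compute MD5, SHA-1 and SHA-256 of in-memory data."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256")}


def digests_of_file(path, chunk_size=1 << 20):
    """Compute the three digests of a file on disk without loading it whole."""
    hashers = {algo: hashlib.new(algo) for algo in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


if __name__ == "__main__":
    for ip, line in match_ip_logs(SAMPLE_LOGS):
        print(f"IOC IP {ip}: {line}")
    for path, algo in match_file_hashes(SAMPLE_FILES):
        print(f"IOC {algo} hash on {path}")
```

Any file flagged by `digests_of_file` should be checked against all three hash sets, since the advisory does not state that its MD5, SHA-1 and SHA-256 values describe the same three files.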