Monthly Threat Brief - September 27, 2024
Top 5 Attacks by the people, of the people and for the people
At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts is constantly monitoring various platforms, gathering intelligence, and analyzing the latest cyber threats to provide valuable insights into the latest cyber risks that can impact organizations.
This monthly post provides a condensed overview of the threats encountered throughout the month.
Our team brings you five emerging state-linked cyber threats that you should be aware of, including the Voldemort malware exploiting Google Sheets for espionage across global sectors, the Mustang Panda APT group leveraging Visual Studio Code features to target Southeast Asian governments, a North Korean cyber-espionage group deploying the MISTPEN malware against the energy and aerospace sectors, the Twelve hacktivists engaging in destructive cyber operations against Russian entities, and North Korean threat actors poisoning Python packages with PondRAT malware to target software developers and the supply chain. These campaigns reveal evolving tactics that pose a serious threat to critical infrastructure and business operations worldwide.
Read on to discover more.
1. Malware Exploits Google Sheets for Espionage in Cyber Attack
Cybersecurity researchers have uncovered a new malware campaign utilizing Google Sheets as a command-and-control (C2) platform. The campaign targets over 70 organizations globally, impersonating tax authorities from various governments in Europe, Asia, and the U.S. The malware, named Voldemort, collects sensitive data and deploys additional malicious payloads, affecting sectors such as insurance, aerospace, finance, healthcare, and more.
Phishing emails are meticulously crafted to appear as tax-related communications, redirecting victims to malicious landing pages. If the victim is using a Windows machine, they are directed to a search-ms URI that displays a fake PDF, tricking the user into executing a Python script. This script profiles the system and side-loads Voldemort malware through a legitimate Cisco WebEx executable. The ultimate objective of this campaign is still unclear.
Voldemort is a C-based backdoor that supports data exfiltration, payload deployment, and file deletion. The malware’s standout feature is its use of Google Sheets as a C2 server, where commands are issued and stolen data uploaded. This approach allows Voldemort to evade detection, as blocking Google Sheets in enterprise environments is impractical, making the malware’s communication stealthy and resilient.
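Because blocking Google Sheets fleet-wide is impractical, the practical detection angle for this kind of C2 is process attribution: which binary on the endpoint is talking to the Sheets API, and how often. The script below is an added example, not code from the original brief or from the researchers who analysed Voldemort. It assumes network-connection telemetry that records the originating process, destination host and user (the field names and the sample records are constructed), and it uses the real Google hostnames sheets.googleapis.com and docs.google.com; the browser allowlist and the side-loaded executable name are placeholders to tune per environment.

```python
"""Added example: attribute Google Sheets traffic to the originating process.

Telemetry shape (process path, destination host, user) is an assumption;
the records below are constructed, not real captures.
"""
from collections import Counter

# Processes that legitimately talk to Google Sheets in a typical fleet.
# Assumed allowlist; tune per environment (e.g. add approved sync agents).
BROWSER_LIKE = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Hosts the Sheets API and the spreadsheet UI are served from.
SHEETS_HOSTS = {"sheets.googleapis.com", "docs.google.com"}

# Constructed network-connection records. "sideloaded_webex_host.exe" is a
# placeholder standing in for a legitimate signed binary abused for side-loading.
SAMPLE_CONNECTIONS = [
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "docs.google.com", "user": "bob"},
    {"process": r"C:\Users\bob\AppData\Local\Temp\sideloaded_webex_host.exe",
     "dest_host": "sheets.googleapis.com", "user": "bob"},
    {"process": r"C:\Windows\System32\svchost.exe",
     "dest_host": "update.microsoft.com", "user": "SYSTEM"},
    {"process": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "dest_host": "docs.google.com", "user": "carol"},
    {"process": r"C:\Users\bob\AppData\Local\Temp\sideloaded_webex_host.exe",
     "dest_host": "sheets.googleapis.com", "user": "bob"},
    {"process": r"C:\Users\bob\AppData\Local\Temp\sideloaded_webex_host.exe",
     "dest_host": "sheets.googleapis.com", "user": "bob"},
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_unattributed_sheets_traffic(connections):
    """Return (user, process, host) for every Sheets connection made by a
    process outside the browser allowlist, preserving record order."""
    alerts = []
    for c in connections:
        host = c["dest_host"].lower()
        proc = _basename(c["process"])
        if host in SHEETS_HOSTS and proc not in BROWSER_LIKE:
            alerts.append((c["user"], proc, host))
    return alerts


def flag_repeated(alerts, threshold=3):
    """C2 traffic beacons; a single connection from an odd process is noise,
    repeated ones are worth a look. Returns {(process, host): count} for
    pairs seen at least `threshold` times."""
    counts = Counter((proc, host) for _user, proc, host in alerts)
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_unattributed_sheets_traffic(SAMPLE_CONNECTIONS)
    for user, proc, host in hits:
        print(f"non-browser Sheets traffic: user={user} process={proc} host={host}")
    for (proc, host), n in flag_repeated(hits).items():
        print(f"repeated ({n}x): {proc} -> {host}")
```

The allowlist is deliberately small: the point is not to enumerate every good process but to surface anything that is not a browser beaconing to the Sheets API, then let the repetition count separate a one-off spreadsheet download from a C2 channel.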
2. Cyber Espionage Targets Southeast Asia Using Visual Studio Code
The Mustang Panda advanced persistent threat (APT) group, linked to China, has been observed using Visual Studio Code for cyber espionage activities against Southeast Asian government organizations. Active since 2012, Mustang Panda targets government and religious institutions in the South China Sea region, Europe, and Asia. The group used Visual Studio Code’s embedded reverse shell feature to establish a foothold in targeted networks, executing commands and delivering malicious payloads.
In this recent campaign, Mustang Panda exploited the reverse shell feature in Visual Studio Code to execute arbitrary code and exfiltrate data. By using code.exe tunnel, the attackers gained remote access via GitHub authentication, allowing them to execute commands, create files, and deploy additional payloads. OpenSSH and tools like SharpNBTScan were employed for network scanning and lateral movement.
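Remote tunnels are a legitimate Visual Studio Code feature, so the detection question is whether a tunnel is being started on a host where no developer should be running one, and whether VS Code is then spawning shells. The following is an added example, not code from the brief or from the researchers who reported the campaign. It assumes process-creation telemetry with image path, command line, parent image and user (names and sample events are constructed; the command-line flags in the samples are illustrative and not taken from the campaign).

```python
"""Added example: flag `code.exe tunnel` launches and shells spawned by VS Code.

Assumed telemetry: process-creation events with image, cmdline, parent, user.
Sample events are constructed, not real captures.
"""

# Interpreters a remote-tunnel session would typically spawn to run commands.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe", "wsl.exe"}

# Constructed process-creation events.
SAMPLE_EVENTS = [
    # A developer opening a folder: normal use, no tunnel.
    {"image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"Code.exe" --new-window C:\proj', "parent": "explorer.exe", "user": "alice"},
    # A tunnel started from a service account via cmd.exe, from an unusual path.
    {"image": r"C:\ProgramData\vscode\code.exe",
     "cmdline": r"code.exe tunnel --accept-server-license-terms --name srv01",
     "parent": "cmd.exe", "user": "svc_backup"},
    # A shell spawned by VS Code under the same account.
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami", "parent": r"C:\ProgramData\vscode\code.exe",
     "user": "svc_backup"},
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _tokens(cmdline):
    """Whitespace-split command line with surrounding quotes removed, lower-cased.
    Good enough for flag matching; not a full Windows argv parser."""
    return [t.strip('"').lower() for t in cmdline.split()]


def detect_vscode_tunnel(events):
    """Return (user, rule, cmdline) findings.

    rule is "vscode_tunnel_started" when code.exe is launched with the `tunnel`
    subcommand, or "shell_spawned_by_vscode" when a shell's parent is code.exe.
    """
    findings = []
    for e in events:
        image = _basename(e["image"])
        toks = _tokens(e["cmdline"])
        # argv[0] is the program itself; look for the subcommand after it.
        if image == "code.exe" and "tunnel" in toks[1:]:
            findings.append((e["user"], "vscode_tunnel_started", e["cmdline"]))
        if image in SHELLS and _basename(e["parent"]) == "code.exe":
            findings.append((e["user"], "shell_spawned_by_vscode", e["cmdline"]))
    return findings


if __name__ == "__main__":
    for user, rule, cmd in detect_vscode_tunnel(SAMPLE_EVENTS):
        print(f"{rule}: user={user} cmdline={cmd}")
```

On developer workstations the tunnel rule will fire on legitimate use, so baseline it by user and host group; on servers and on accounts that should never run an IDE it is a high-signal alert, and the shell-spawn rule adds the context that commands are actually being executed through the session.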
Researchers’ investigations also uncovered a secondary attack involving ShadowPad, a modular backdoor linked to Chinese espionage. It is unclear whether the two clusters—Visual Studio Code and ShadowPad—are part of the same campaign or represent different groups sharing access. Both attacks highlight the evolving tactics of Mustang Panda in conducting sophisticated cyber espionage operations.
3. Cyber-Espionage Group Deploys Malware Against Energy & Aerospace
A North Korean cyber-espionage group has been using job-themed phishing campaigns to target individuals in the energy and aerospace sectors. The attackers deploy a new backdoor named MISTPEN as part of their operations. This activity shares links with the notorious Lazarus Group, also known as Diamond Sleet or TEMP.Hermit.
The group has recently focused on high-level personnel in the U.S., U.K., Netherlands, Germany, Singapore, and other nations, using spear-phishing emails and WhatsApp messages. Posing as recruiters, they engage victims with job descriptions tailored to match real postings. The phishing scheme culminates in the delivery of a malicious ZIP file containing a trojanized version of Sumatra PDF, which initiates the infection.
The attack chain starts with BURNBOOK, a launcher that drops the DLL TEARPAGE, which decrypts and runs the MISTPEN backdoor. MISTPEN, a modified Notepad++ plugin, communicates with a command-and-control (C2) server over Microsoft Graph URLs and is designed to download executable files. Older versions of the malware relied on compromised WordPress sites for C2. Researchers found that MISTPEN continues to evolve, gaining stealth capabilities to evade detection and analysis, making it a potent tool in North Korean espionage efforts.
4. Twelve Hacktivists Unleash Destructive Cyber Operations on Russian Entities
The hacktivist group Twelve has been launching highly destructive cyberattacks on Russian entities, using publicly accessible tools to cripple networks. Unlike traditional ransomware groups, Twelve doesn’t demand a ransom for data decryption. Instead, they encrypt data and deploy a wiper to destroy infrastructure, making recovery impossible.
Formed in April 2023 during the Russo-Ukrainian war, Twelve’s attacks focus on network disruption and data destruction. The group has also engaged in hack-and-leak operations, stealing and publishing sensitive data on their Telegram channel. While sharing similarities with the DARKSTAR ransomware group, Twelve’s objectives are purely hacktivist, with no ransom demands.
Twelve typically gains access via compromised accounts and uses Remote Desktop Protocol (RDP) for lateral movement. They have also exploited contractor systems to access customer networks. The group leverages well-known tools like Cobalt Strike, Mimikatz, and PsExec for credential theft, network discovery, and post-exploitation activities.
In one attack, Twelve exploited VMware vCenter vulnerabilities (CVE-2021-21972 and CVE-2021-22005) to install a web shell and backdoor. They then used PowerShell to manipulate domain user accounts and disguise their malware as legitimate processes. Before wiping systems, Twelve exfiltrated sensitive data using DropMeFiles and deployed LockBit 3.0 ransomware to encrypt the victim’s data. Their wiper, similar to Shamoon, overwrote the Master Boot Record (MBR), leaving systems irrecoverable.
The group relies on publicly accessible tools, making their tactics detectable with the right security measures.
5. Python Packages Poisoned with PondRAT Malware Target Developers
North Korean-affiliated threat actors have been identified using malicious Python packages to distribute a new malware variant named PondRAT. This activity is linked to Gleaming Pisces, a subgroup of the Lazarus Group. The malware, related to POOLRAT (also known as SIMPLESEA), targets both Linux and macOS systems, posing a serious threat to software developers and the supply chain.
Attackers uploaded several malicious Python packages to PyPI, a popular open-source repository, according to recent research. The packages—real-ids, coloredtxt, beautifultext, and minisound—were downloaded hundreds of times before being removed. These packages delivered an encoded payload that retrieved and executed the PondRAT malware on Linux and macOS systems.
PondRAT, a streamlined version of POOLRAT, shares nearly identical code structures with its predecessor. It allows attackers to upload and download files, pause operations, and execute arbitrary commands from a command-and-control (C2) server. This campaign highlights North Korean efforts to expand their cyber capabilities across platforms and compromise the supply chain by targeting software developers.
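The four package names above are the concrete indicator a defender can act on: check them against what projects declare and what is actually installed, remembering that PyPI treats names case-insensitively and folds runs of "-", "_" and "." together. The script below is an added example, not code from the brief or from the researchers who reported PondRAT. Only the package names come from the text; the requirements file is constructed, and the installed-package check uses the standard library's importlib.metadata.

```python
"""Added example: audit dependencies against the PondRAT package names.

Package names come from the brief; the sample requirements file is constructed.
"""
import re
from importlib.metadata import distributions

# Packages reported as malicious in the PondRAT campaign (from the brief above).
KNOWN_MALICIOUS = {"real-ids", "coloredtxt", "beautifultext", "minisound"}

# Constructed requirements file; "Real_IDS" shows why normalisation matters.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project
requests==2.32.3
Real_IDS>=1.0
numpy>=1.26 ; python_version >= "3.9"
coloredtxt
-r other-requirements.txt
"""

# Leading project name of a requirement line (PEP 508 name characters).
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 name normalisation: lower-case, collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return the raw project names declared in a requirements file.

    Comments, blank lines and option lines (-r, --index-url, ...) are skipped;
    version specifiers, extras and environment markers are ignored.
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def audit_requirements(text):
    """Raw names from the file whose normalised form is a known-malicious package."""
    return [raw for raw in parse_requirements(text)
            if normalize(raw) in KNOWN_MALICIOUS]


def audit_installed():
    """Known-malicious distributions present in the current interpreter's environment."""
    hits = []
    for dist in distributions():
        name = dist.metadata["Name"]
        if name and normalize(name) in KNOWN_MALICIOUS:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    print("declared:", audit_requirements(SAMPLE_REQUIREMENTS))
    print("installed:", audit_installed())
```

Run it against each project's requirements or lock file in CI, and against build agents' environments, since the packages were live on PyPI long enough to be downloaded hundreds of times before removal; a lock file that pinned one of them will keep pulling it from any mirror that still serves it.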
This disclosure follows reports of North Korean threat actors attempting to infiltrate companies through fake resumes and job applications, posing significant risks to organizations.
Key recommendations to combat cyber risks:
- Patch Management: Regularly update and patch systems to close known vulnerabilities, especially critical software.
- Endpoint Detection and Response (EDR): Deploy EDR tools to monitor, detect, and block malicious activities and unauthorized executions.
- User Access Control: Enforce least privilege and audit user permissions regularly to prevent unauthorized access.
- Multi-Factor Authentication (MFA): Implement MFA for critical systems, especially for remote and sensitive data access.
- Email and Phishing Security: Use advanced email filters and provide phishing awareness training to employees.
- Code and Supply Chain Auditing: Verify third-party software authenticity and regularly audit open-source code and dependencies.
- Continuous Monitoring: Implement logging and monitoring tools to detect suspicious activities and network behavior.
- Network Segmentation: Isolate critical systems to limit lateral movement and minimize attack impact.
- Threat Intelligence: Integrate threat intelligence services to stay updated on emerging threats and tactics.
- Application Whitelisting: Limit execution to trusted applications, preventing unauthorized scripts and software.
- Security Awareness Training: Conduct regular training on recognizing phishing and suspicious activities.
- Restrict Macros and Scripts: Disable or limit macros, PowerShell, and other scripts to prevent malware execution.
To get updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories or check out SISA Weekly Threat Watch on our website.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.