Top 5 Cyber Threats Targeting Asia-Pacific Region (June 2023)

At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts is constantly monitoring various platforms, gathering intelligence, and analyzing the latest cyber threats to provide valuable insights into the latest cyber risks that can impact organizations.

This monthly post provides a condensed overview of the threats encountered throughout the month.

Our team brings to you five significant threats that have recently targeted the Asia-Pacific region including North Korean hacker group Kimsuky employing social engineering for credential theft, UNC4841 group exploiting a zero-day vulnerability, Linux backdoor ChamelDoH leveraging DNS-over-HTTPS Tunneling, RDStealer malware targeting remote desktop protocol, and ScarCruft hackers exploiting Ably service.

Read on to discover more…

1. Kimsuky’s new social engineering campaign for credential theft

Kimsuky, a North Korean hacker group, is actively engaged in an intelligence-gathering campaign targeting individuals knowledgeable about North Korean affairs and the media. They employ social engineering techniques and malware to target think tanks, academic institutions, and the media. Their tactics include stealing subscription information from news organizations and using fraudulent URLs, counterfeit websites, and malware-infected Office documents. Kimsuky focuses on stealing email credentials and distributing malware, with the aim of gathering strategic intelligence and influencing North Korea’s decision-making processes. They have recently emphasized building trust with targets before launching malicious operations, demonstrating their commitment to cultivating relationships for more effective attacks.

2. UNC4841 group targets Barracuda Email Security Gateway

UNC4841, a hacker group associated with China, has been implicated in a data-theft campaign targeting Barracuda Email Security Gateway (ESG) appliances. They exploited a zero-day vulnerability (CVE-2023-2868) to execute remote command injections within the appliances. UNC4841 deployed various malware families, including ‘Saltwater,’ ‘Seaspy,’ and ‘Seaside,’ to compromise and steal email data from the affected devices. They targeted government agencies and critical organizations across multiple countries. The attackers used malicious email attachments with the ‘.tar’ extension, taking advantage of the vulnerability to gain remote access and establish persistence on the compromised devices. UNC4841 adapted its malware and employed diverse techniques to evade detection, including reverse shells, backdoors, and concealing its activity with tools such as “Sandbar.” The group demonstrated rapid lateral movement and targeted specific email messages to gather relevant information.

3. New Linux backdoor ChamelDoH leveraging DNS-over-HTTPS tunneling

ChamelGang, a notorious threat actor, has recently demonstrated an alarming advancement in their tactics by utilizing a previously unknown Linux backdoor named ChamelDoH. Crafted in C++, this malware enables communication through DNS-over-HTTPS (DoH) tunneling, expanding the group’s capabilities. ChamelGang has targeted sectors such as fuel, energy, and aviation production in several countries with their attack chains exploiting vulnerabilities in Microsoft Exchange servers and Red Hat JBoss Enterprise Application. ChamelDoH, the new Linux backdoor, gathers system information and grants remote access to ChamelGang. Notably, it employs DoH for communication, leveraging popular providers like Cloudflare and Google to make detection and blocking challenging. Traditional security solutions struggle to identify and prevent malicious DoH requests, as the channel resembles legitimate traffic and encryption hampers interception. These developments highlight ChamelGang’s significant investment in developing a powerful toolkit for infiltrating Linux systems.
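Because DoH to Cloudflare or Google looks like ordinary HTTPS, the practical detection angle is the metadata a web proxy or endpoint agent still sees: which process talks to a known public DoH endpoint, and how often. The following is an added example, not code from the original post or from any vendor; it runs detection logic over constructed proxy log lines and assumes an allowlist of processes expected to use DoH on your estate.

```python
from collections import defaultdict

# Constructed sample web-proxy log (not from the original post). Fields:
# epoch src_ip process method host path content_type
SAMPLE_LOG = """\
1686900001 10.0.0.5 firefox POST mozilla.cloudflare-dns.com /dns-query application/dns-message
1686900002 10.0.0.5 firefox GET www.example.com / text/html
1686900003 10.0.0.9 /usr/bin/updater POST cloudflare-dns.com /dns-query application/dns-message
1686900004 10.0.0.9 /usr/bin/updater POST dns.google /dns-query application/dns-message
1686900005 10.0.0.9 /usr/bin/updater POST cloudflare-dns.com /dns-query application/dns-message
1686900006 10.0.0.9 /usr/bin/updater GET dns.google /dns-query?dns=AAABAAABAAAAAAAAA2ZvbwA text/plain
1686900007 10.0.0.7 chrome GET dns.google /resolve?name=example.com&type=A application/json
"""

# Public DoH endpoints of the two providers named in the post; extend as needed.
DOH_RESOLVERS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google", "1.1.1.1", "8.8.8.8"}
# Assumed allowlist: processes that legitimately speak DoH in this environment.
EXPECTED_DOH_PROCESSES = {"firefox", "chrome", "msedge"}

def parse_line(line):
    ts, src, proc, method, host, path, ctype = line.split(maxsplit=6)
    return {"ts": int(ts), "src": src, "process": proc, "method": method,
            "host": host, "path": path, "content_type": ctype}

def is_doh(rec):
    """RFC 8484 wire format (application/dns-message, /dns-query, ?dns=) or the
    providers' JSON API (/resolve), sent to a known public resolver."""
    if rec["host"] not in DOH_RESOLVERS:
        return False
    p = rec["path"]
    return (rec["content_type"] == "application/dns-message"
            or p.startswith("/dns-query") or p.startswith("/resolve") or "dns=" in p)

def find_suspects(log_text, volume_threshold=3):
    """Return {src_ip: finding} for hosts whose DoH use looks like tunneling:
    DoH from a process outside the allowlist, or a burst of DoH requests."""
    per_src = defaultdict(lambda: {"count": 0, "processes": set(), "resolvers": set()})
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if not is_doh(rec):
            continue
        stats = per_src[rec["src"]]
        stats["count"] += 1
        stats["processes"].add(rec["process"])
        stats["resolvers"].add(rec["host"])
    findings = {}
    for src, stats in per_src.items():
        reasons = []
        unexpected = stats["processes"] - EXPECTED_DOH_PROCESSES
        if unexpected:
            reasons.append("doh-from-unexpected-process:" + ",".join(sorted(unexpected)))
        if stats["count"] >= volume_threshold:
            reasons.append(f"doh-volume:{stats['count']}")
        if reasons:
            findings[src] = {"reasons": reasons, "resolvers": sorted(stats["resolvers"])}
    return findings
```

On the sample log only 10.0.0.9 is flagged: its DoH traffic comes from a non-browser binary and exceeds the volume threshold, while the browsers' single DoH lookups pass.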

4. Novel RDStealer malware targeting remote desktop protocol

Researchers have issued a warning about a new custom malware called RDStealer that targets remote desktop protocol (RDP) clients to steal sensitive data. Initially observed in a targeted cyber espionage operation named RedClouds, the malware infects connecting RDP clients with a Logutil backdoor, allowing for data exfiltration. The operation, active for over a year, aimed to compromise credentials and extract sensitive information. The threat actors employ evasion tactics by storing backdoor payloads in Microsoft Windows folders typically excluded from security software scans. Notably, the threat actors deliberately chose folders such as “C:\Program Files\Dell\CommandUpdate” to camouflage their malicious activity, and registered command-and-control (C2) domains resembling legitimate Dell domains. RDStealer stands out for its ability to monitor RDP connections and compromise remote machines when client drive mapping is enabled. Additionally, connecting RDP clients are infected with a Golang-based malware called Logutil, facilitating persistence on the victim network and command execution through DLL side-loading techniques.

5. ScarCruft hackers exploit Ably service for stealthy wiretapping attacks

The state-sponsored hacking group known as APT37 or ScarCruft has recently deployed a sophisticated information-stealing malware called FadeStealer. This malware includes a wiretapping capability, allowing the threat actors to eavesdrop on victims’ microphones and record audio. A recent report revealed that APT37 distributes the malware through phishing emails containing password-protected Word and Hangul Word Processor documents, as well as a Windows CHM file named ‘password.chm.’ When recipients open the CHM file, it displays a fake password while silently downloading and executing a remote PowerShell script, establishing a backdoor for unauthorized access. The compromised systems are then infiltrated with an additional Golang-based backdoor known as AblyGo, utilizing the Ably Platform as a command-and-control infrastructure for executing commands and evading detection. Eventually, the malicious payload FadeStealer is introduced, targeting Windows devices and exfiltrating various sensitive data, including screenshots, keystrokes, files from connected devices, and audio recordings.

Key recommendations to combat cyber risks:

  • Implement robust email security measures such as spam filters, email authentication protocols (e.g., DMARC, SPF, DKIM), and advanced threat detection systems to identify and block phishing attempts and malicious emails.
  • Enable Multi-Factor Authentication (MFA) across all critical accounts, including email and online platforms.
  • Keep all software, including operating systems, web browsers, and productivity tools, up to date with the latest security patches and updates.
  • Replace compromised appliances without delay, regardless of their patch level.
  • Deploy and maintain advanced endpoint protection solutions that include behavior-based detection mechanisms and real-time threat intelligence updates.
  • Employ network monitoring and intrusion detection systems (IDS/IPS) to identify suspicious network traffic patterns.
  • Deploy web filtering solutions that can inspect and control encrypted traffic, including HTTPS.
  • Conduct regular security awareness training to educate employees about the risks of phishing emails, attachments, and social engineering techniques.
  • Implement the principle of least privilege (PoLP) by restricting user access rights and privileges to minimize the potential impact of successful attacks.
  • Develop a comprehensive incident response plan that outlines the steps to be taken in the event of a security breach.

To get updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories or check out SISA Weekly Threat Watch on our website.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
