Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

New Mirai Variant Recruits FreePBX, IP Cameras, Routers and More to Botnet

Palo Alto Networks Unit 42 researchers have produced a report on a new variant of the Mirai botnet, which they have labeled V3G4. The malware is able to infect a victim system using any one of the following vulnerabilities:

• CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
• Gitorious Remote Command Execution Vulnerability
• CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
• Mitel AWC Remote Command Execution Vulnerability
• CVE-2017-5173: Geutebruck IP Cameras Remote Command Execution Vulnerability
• CVE-2019-15107: Webmin Command Injection Vulnerability
• Spree Commerce Arbitrary Command Execution Vulnerability
• FLIR Thermal Camera Remote Command Execution Vulnerability
• CVE-2020-8515: DrayTek Vigor Remote Command Execution Vulnerability
• CVE-2020-15415: DrayTek Vigor Remote Command Injection Vulnerability
• CVE-2022-36267: Airspan AirSpot Remote Command Execution Vulnerability
• CVE-2022-26134: Atlassian Confluence Remote Code Execution Vulnerability
• CVE-2022-4257: C-Data Web Management System Command Injection Vulnerability

Once initial access has been gained the malware then uses either the wget or curl commands to download and install the bot, making the infected machine part of the botnet. Once it is running, the bot also examines the system process list and will attempt to kill any rival malware, including other Mirai variants, and then connects to its C2 server using simple XOR encryption with multiple different key strings.

The Unit 42 advisory contains a full analysis as well as IOC's.

Lei, Chao, Zhibin Zhang, Cecilia Hu and Aveek Das, Mirai Variant V3G4 Targets IoT Devices, blog post, 15 February 2023. Available online at https://unit42.paloaltonetworks.com/mirai-variant-v3g4/.

Singapore Researchers Track Sidewinder AP Around South Asia

A new report from Singapore-based Group-IB details the 2021 activities of an advanced persistent threat group called SideWinder, which appears to be based in India, and is also known as Rattlesnake, Hardcore Nationalist (HN2) and T-APT4. Between June and November, SideWinder attacked 61 different government, military, law enforcement and other organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka. Group-IB has also been able to link SideWinder to two other groups, Baby Elephant and Donot.

Like many other groups, Sidewinder primaril gains initial access via a malicious phishing email campaign which contains either a malicious attachment or a URL which in turn downloads a malicious payload - either a reverse shell, a remote access trojan or an infostealer. Sidewinder has developed its own tools for this pupose, such as SideWinder.RAT.b and SideWinder.StealerPy - the latter a custom infostealer designed to gather the user's Chrome browsing history, browser-saved credentials, and a range of filetypes. Like many other groups, SideWinder has switched to using the Telegram messaging app for information exfiltration, because of its convenience.

Kupin, Dmitry, Molted skin: APT SideWinder 2021 campaign that targeted over 60 companies in the Asia-Pacific, press release, 15 February 2023. Available online at https://www.group-ib.com/media-center/press-releases/sidewinder-apt-report/.

Trend Micro Uncovers New Tools and Campaign: Earth Yako

Meanwhile, Trend Micro researchers have been busy analyzing the tactics, techniques and procedures used in several attacks which targeted academics and think-tank members in Japan during 2021. Terming the attacks "Earth Yako", the researchers believe they are part of a campaign called Operation RestyLink or EneLink. A number of new malware tools were observed in these attacks:

• MirrorKey: An in-memory dynamic link library (DLL) loader
  
• TransBox: A backdoor abusing the Dropbox API
  
• PlugBox: A Dropbox API-based backdoor with a couple of capabilities
  
• Dulload: A generic loader
  
• PULink: A dropper of ShellBox written in C++/CLR, capable of achieving persistence
  
• ShellBox: Another Dropbox API-based stager written in C#
  

The initial attack vector is once again spearphishing, with a URL inducing the victim to download a .zip or .iso package, which in turn contains a link to a malicious Microsoft Word template. In some cases, the vicim machine is infected with Cobalt Strike.

Based on the tools and TTP's, it is not possible to definitely attribute Earth Yako to any particular group - it could be North Korean, Chinese or Russian in origin.

Trend Micro's report includes a detailed analysis and IOC's.

Hiroaki, Hara, Yuka Higashi and Masaoki Shoji, Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns, blog post, 16 February 2023. Available online at https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.