Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Mustang Panda Deploys New Backdoor

Mustang Panda (also identified as TA416, RedDelta and BRONZE PRESIDENT) is a China-based cyber-espionage threat actor that may have been operating since 2014, target a wide range of organizations in S.E. Asia, the US and Europe. Now ESET researchers report that the group has been running a campaign since January 2023 which is utilizing a new backdoor which seems to be completely original and not descended from existing malware or other publicly-available projects. The new malware, dubbed MQsTTang, is much simpler than the group's previous tools, consisting of only a single stage and using only the most basic evasion techniques.

The backdoor gets its name from its somewhat novel use of the standardized IoT messaging protocol MQTT for its C2 communication; as a side benefit, this allows the group to hide its C2 servers behind legitimate brokers. It provides only fairly limited functionality - at this stage, just remote command execution, with output sent back to the attackers.

The malware is distributed via spearphishing malmails, typically as RAR archives containing only a single executable, which usually has a name related to diplomacy and passports, suggesting the targets are political and government organizations. ESET has seen unknown entities in Bulgaria and Australia in their telemetry, but believe the campaign is targeting a Taiwanese government institution as well as others in Asia and Europe - Mustang Panda has dramatically increased its activities there since the Russian invasion of Ukraine.

The ESET report provides a detailed analysis along with a mapping to MITRE ATT&CK techniques as well as IOC's.

Côté Cyr, Alexandre, MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT, blog post, 2 March 2023. Available online at https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/.

Cryptomining Campaign Targets Redis Deployments

Redis is a popular in-memory NoSQL key-value database that is popular for real-time analytics and sharing session data in web server farms and cloud environments. Now Cado Labs researchers report on a cryptoacking campaign which targets insecure Redis deployments in order to install the XMRig cryptominer.

The basic initial access exploit is very simple: the insecure Redis instance is given a command which creates a simple cron job that runs every two minutes. This job will run the curl command to fetch a shell script, save it as .cmd and then invoke bash to execute it. What is novel about this is that it fetches the file from the free and open source transfer.sh command line file transfer service, rather than historically popular services like pastebin.com.

Once the script is running, it starts by un-hardening the system, disabling SELinux and setting the resolver to use public DNS servers. It also removes other cron jobs and frees up as much memory as possible, probably for use by XMRig - however, to do this it forces the kernel to drop some in-memory data structures which could severely impact performance for the legitimate applications on the system.

From there, ths script clears log files, reconfigures iptables firewall rules, kills any competing cryptominers and downloads binaries for pnscan - which it will use to propagate itself - and XMRig, which then sets about mining Monero cryptocurrency.

The Cado Labs report provides more detail, along with IOC's.

Muir, Matt, Redis Miner Leverages Command Line File Hosting Service, blog post, 2 March 2023. Available online at https://www.cadosecurity.com/redis-miner-leverages-command-line-file-hosting-service/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.