Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

New Variant of Jaca Malware Is Highly Configurable

An updated variant of the Jaca malware toolkit includes new components which form a long chain of actions to infect a victim's system, according to security consultancy Morphisec. The Windows toolkit has been used extensively by a South Asian threat actor called DoNot Team or APT-C-35, and they keep improving it.

The latest variant makes use of RTF (Rich Text Format) documents that trick the user into enabling macros. This then allows a macro to inject some shellcode into memory and that, in turn, downloads a second stage loader from its C2 server. It then downloads a DLL file from another C2 server, which sends system information back to its operators, makes itself persistent via a Scheduled Task and finally downloads the real payload, which will selectively exfiltrate data such as keystrokes, screenshots, files and browser data, using loadable modules.

This modularity gives DoNot Team considerable flexibility in adapting their malware, which they use to attack defence, diplomatic, government and military organizations in India, Pakistan, Sri Lanka and Bangladesh.

Cohen, Hido and Arnold Osipov, APT-C-35 Gets a New Upgrade, Morphisec Breach Prevention Blog, 11 August 2022. Available online at https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed.

Cryptominers Spread Via Python Repositories

Software developer and researcher Hauke Lübbers 'stumbled across', and security firm Sonatype has confirmed a threat actor who has deployed at least 241 malicious npm (Node Package Manager) and PyPI (the Python Package Index). The packages all bear similar names to popular open source projects like React and argparse, but actually will download and install the XMRig cryptominer to generate Monero crypto. All the packages were published by an account called '17b4a931'.

However, you would have to wonder about the abilities of a developer who would mistake 'r2act' for 'React'.

Sharma, Ax, More than 200 cryptomining packages flood npm and PyPI registry, Sonatype, 19 August 2022. Available online at https://blog.sonatype.com/more-than-200-cryptominers-flood-npm-and-pypi-registry.

Threat Actor Targets Hospitality and Travel

A small threat actor called TA558 is operating in Latin America, North America and Western Europe, targeting hospitality, travel and related industries. The group uses malmails written in Portuguese, Spanish and sometimes English, enquiring about reservations - something recipients cannot afford to ignore. However, the attachment is one of over 15 different malware payloads the group uses - mostly remote access trojans that can be used for reconnaisance, information exfiltration and the dropping of more advanced payloads.

The group has been active since at least 2018, but has ramped up its efforts in 2022, perhaps because post-COVID recovery travel growth offers them increased opportunities. They have also switched TTP's, from Word macros (now usually disabled) to malware such as Load, Revenge RAT and others, hosted at URL's or enclosed in container formats such as RAR and ISO files.

Wise, Joe, et. al., Reservations Requested: TA558 Targets Hospitality and Travel, Proofpoint blog, 18 August 2022. Available online at https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel.

Cozy Bear Targets Foreign Policy Info in Microsoft 365

Russian state-backed APT 29, aka Cozy Bear, has been busy this year, with new advanced TTP's which it uses to compromise Microsoft 365 accounts. The attackers used a brute-force attack on the self-enrollment process for MFA in Azure Active Directory to discover the usernames and passwords that had not yet logged into a domain, and then enrolled their own devices. Having done this, they were then free to roam around the domain.

In order to evade detection, the hackers also disabled the 'Purview Audit' feature which logs details of email accesses. They also used Azure VM's to run their exploits, making their activities hard to distinguish from all the regular traffic within the Azure networks - they all use Microsoft IP addresses.

Bienstock, Douglas, You Can't Audit Me: APT29 Continues Targeting Microsoft 365, Mandiant blog, 18 August 2022. Available online at https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft.

JWST Runs JavaScript. JavaScript?

While we all marvel at the stunning images being sent from the James Webb Space Telescope, it's interesting to reflect on the fact that the scripts that control the imaging instruments are actually written in JavaScript - actually a variant called Nombas ScriptEase 5.00e which was last updated in January 2003.

This really should not come as a big surprise - the JWST has been in development since 1989 and when construction started in 2004, Nombas ScriptEast 5.00e would have been less than two years old. It's not unusual for government and major scientific projects to use quite old and stable technology - NASA has in the past been known to search second-hand component markets for parts like 8086 processors, while other parts of government were still using VAXen long after the rest of the world had moved on.

Clark, Mitchell, The James Webb Space Telescope runs JavScript, apparently, The Verge, 18 August 2022. Available online at https://www.theverge.com/2022/8/18/23206110/james-webb-space-telescope-javascript-jwst-instrument-control.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.