News Items

The FBI recently released a brief statement about a recent cyber-incident that occurred at one of its highest-profile field offices. The FBI claimed that the incident is now under control. The FBI stated that a malicious incident impacted part of its network used in investigations of images of child sexual exploitation. The FBI is currently working on gaining more information about the incident and does not have any further information at this time. This is not the first time hackers have targeted the bureau. In 2021, an official email address was reportedly compromised and used to spam at least 100,000 recipients.

Infosecurity reports: "FBI 'Contains' Cyber-Incident on its Network"

Healthcare data breaches had the most impact in the second quarter of 2022 compared to previous years, with a 35 percent rise in the number of patient records compromised, according to Crucial Insight's H2 2022 Healthcare Data Breach Report. Based on a review of breach data submitted to the HHS by healthcare organizations, the report discovered that victims of healthcare data breaches had 28.5 million records exposed in the second half of 2022, up from 21.1 million in 2019. Although the number of people affected by data breaches increased, the total number of breaches declined in 2022, resulting in a higher ratio of people affected per breach. In the second half of 2022, each breach affected about 91,028 patients, compared to only 61,246 in the first half of 2022. According to other health Information Technology (IT) vendors, most data breaches stemmed from hacking, which aligns with Crucial Insight's finding that hackers caused about 78 percent of healthcare data breaches. The percentage of hacking incidents rose from 61 percent in 2019 to 79 percent in 2022, while unauthorized access decreased from 27 percent in 2019 to 15 percent in 2022. Although hacking caused more breaches, the report found that unauthorized access exposes more records per breach. This article continues to discuss key findings from Critical Insight's H2 2022 Healthcare Data Breach Report.

HealthITSecurity reports "35% More Patients Impacted by Healthcare Data Breaches in H2 2022"

According to reports, an estimated 14,000 employees at a Liverpool NHS hospital trust have been informed that their data was leaked via email due to human error. Victims received an apology letter from the hospital trust's chief executive James Sumner. Sumner noted that a file containing sensitive payroll information was sent to hundreds of NHS managers and 24 external accounts. The spreadsheet file included a hidden tab that contained staff personal information. Sumner noted that while it was not visible to those receiving the email, it should not have been included in this spreadsheet. The information in this hidden tab included names, addresses, DOBs, NI numbers, gender, ethnicity, and salary. It did not include bank account details. Sumner reported that each of the 24 external recipients have been notified and confirmed the deletion of the file. Human error of this sort is a common cause of data leaks. According to Verizon, the "error" category accounted for 13% of breaches it analyzed last year. It contributed to a massive 82% of breaches that feature the "human element."

Infosecurity reports: "Data Leak Hits Thousands of NHS Workers"

According to the EU Agency for Cybersecurity (ENISA) and the Computer Emergency Response Team for the EU institutions, bodies, and agencies (CERT-EU), several Chinese state-sponsored threat groups have recently been observed targeting businesses and governments in the European Union. The advanced persistent threats (APTS) mentioned include APT27, APT30, APT31, Ke3chang, Gallium, and Mustang Panda. According to ENISA and CERT-EU, these threat actors present significant and ongoing threats to the European Union. Recent operations pursued by these actors focused mainly on information theft, primarily via establishing persistent footholds within the network infrastructure of organizations of strategic relevance. In July 2021, the EU urged Chinese authorities to take action against malicious cyber activities undertaken from their territory and linked to APT31.

Infosecurity reports: "EU Cybersecurity Agency Warns Against Chinese APTs"

Researchers at Abnormal Security have identified two groups who are using executive impersonation to carry out Business Email Compromise (BEC) attacks in at least 13 different languages. The researchers noted that while attacking targets in multiple regions and using multiple languages are not new tactics, in the past, these operations were typically performed by sophisticated groups with large budgets and resources. Due to the rise of automated translation tools such as Google Translate, threat actors can translate emails into any language they need, with greater ease. Abnormal Security has discovered two groups: Midnight Hedgehog, which engages in payment fraud, and Mandarin Capybara, which conducts payroll diversion attacks. The two groups have launched BEC attack campaigns in Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, Spanish, and Swedish. This article continues to discuss the growth in BEC attacks and the launch of BEC campaigns in multiple languages by Midnight Hedgehog and Mandarin Capybara.

SC Media reports "BEC Groups Launch Executive Impersonation Attacks in at Least 13 Languages"

According to researchers at ESET, Chinese-speaking users are being targeted by the FatalRAT malware, which is spread via fake websites of widely-used apps. The FatalRat malware was first discovered in August 2021. It can record keystrokes, change a victim's screen resolution, download and execute files, and steal or delete browser-stored data. The researchers have not yet attributed this campaign to any known hacker group, and the attackers' purpose also remains unclear. The threat actors behind the campaign could be stealing information such as web credentials to sell on underground forums or use in other malicious activities. Most attacks were detected between August 2022 and January 2023, with Taiwan, China, and Hong Kong as the primary targets. Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia, and Burma have also faced a small number of attacks. The malware was spread via phishing websites posing as popular apps, including Google Chrome, Firefox, Telegram, WhatsApp, Signal, and Skype. Some of the websites provided fake Chinese-language versions of software that is unavailable in China, such as Telegram. This article continues to discuss the FatalRAT malware campaign.

The Record reports "Hackers Target Chinese Language Speakers With FatalRat Malware"

Hackers are launching a new malware named Frebniis on Microsoft's Internet Information Services (IIS), stealthily executing commands sent via web requests. Frebniis was found by Symantec's Threat Hunter Team, who revealed that an unidentified threat actor is using it against targets in Taiwan. Microsoft IIS is a web server software that serves as a web server and web app hosting platform for services such as Outlook on the Web for Microsoft Exchange. In the attacks observed by Symantec, hackers exploit an IIS feature called "Failed Request Event Buffering" (FREB), which is responsible for gathering request metadata (i.e., IP address, HTTP headers, and cookies). Its objective is to help server administrators troubleshoot unexpected HTTP status codes or request processing issues. The Frebniis malware injects malicious code into a certain function of a DLL file that controls FREB, allowing an attacker to intercept and monitor all HTTP POST requests sent to the ISS server. When the malware detects specific HTTP requests sent by an attacker, it parses the requests to identify which commands to execute on the server. This article continues to discuss findings regarding the new Frebniis malware.

Bleeping Computer reports "Hackers Backdoor Microsoft IIS Servers With New Frebniis Malware"

Deep Reinforcement Learning (DRL) is a form of Artificial Intelligence (AI) that scientists have taken a significant step toward using to defend computer networks. DRL was effective in preventing adversaries from achieving their goals up to 95 percent of the time when confronted with sophisticated cyberattacks in a rigorous simulation environment. The result suggests a potential role for autonomous AI in proactive cyber defense. Researchers at the Department of Energy's (DOE) Pacific Northwest National Laboratory (PNNL) documented their findings in a research paper and presented them at a workshop on AI for Cybersecurity during the annual meeting of the Association for the Advancement of AI in Washington, DC. The development of a simulation platform for testing multistage attack scenarios involving different types of adversaries was the initial step. The creation of such a dynamic attack-defense simulation environment allows researchers to examine the effectiveness of various AI-based defense strategies in controlled test conditions. Such tools are necessary for assessing the performance of DRL algorithms. The method is becoming an effective decision-support tool for cybersecurity experts. It provides a defense agent that can learn, quickly adapt, and make decisions autonomously. Although other forms of AI are commonly used to detect intrusions or filter spam messages, DRL enhances defenders' ability to orchestrate sequential decision-making plans in their everyday confrontations with attackers. According to the researchers, DRL offers smarter cybersecurity, the ability to detect changes in the cyber landscape earlier, and the chance to take preventative measures against a cyberattack. This article continues to discuss the PNNL scientist's research on DRL for cyber system defense under dynamic adversarial uncertainties.

Pacific Northwest National Laboratory reports "Cybersecurity Defenders Are Expanding Their AI Toolbox"

Security researchers at Avanan, a Check Point company, found that threat actors have been leveraging the online payments system PayPal to send malicious invoices directly to users through the platform. The researchers noted that this is different from others attacks spoofing Paypal as this malicious invoice comes directly from PayPal. The researchers stated that the phishing email seen as part of the malicious campaign warned users that there had been fraud on the account and threatened a fine of $699.99 should the victim not take action. The researchers noted that the body of the email could alert some cautious users that the email was not authentic. First, the grammar and spelling are all over the place. Second, the phone number they list is not related to PayPal. The researchers stated that the general goal of the threat actors is to have victims call the number or follow up for more details. If a victim calls that number, now they have the person's cell phone number and can use it for more attacks. The threat actors will also try to scam the victim while on call with them. According to the researchers, the perks of using PayPal for threat actors are several, including the ability to send many invoices at a time and make them professional-looking. The researchers noted that an email that comes directly from PayPal will pass all SPF, DKIM, and DMARC checks.

Infosecurity reports: "Hackers Leverage PayPal to Send Malicious Invoices"

Security researchers at Picus Security have warned that a growing number of versatile malware variants are capable of performing multiple malicious actions across the cyber-kill chain. Picus Security compiled its Red Report 2023 by analyzing over 500,000 malware samples last year, identifying their tactics, techniques, and procedures (TTPs), and extracting over 5.3 million "actions." The vendor then mapped these actions to MITRE ATT&CK techniques. The researchers found that the average malware variant now leverages 11 TTPs or nine MITRE ATT&CK techniques. One-third (32%) uses more than 20 TTPs, and one in 10 leverages over 30 TTPs. The researchers noted that this "Swiss Army knife" malware can enable attackers to move through networks undetected at great speed, obtain credentials to access critical systems, and encrypt data. The researchers found that 40% of the most prevalent MITRE ATT&CK techniques they identified were used to help with lateral movement. These included tried-and-tested techniques such as Command and Scripting Interpreter and OS Credential Dumping and newer ones such as Remote Services, Remote System Discovery, and WMI. The researchers noted that the most common technique used was Command and Scripting Interpreter, which involves the abuse of legitimate interpreters such as PowerShell, AppleScript, and Unix shells to execute arbitrary commands. The researchers stated that this highlights how hackers favor legitimate existing tools in their attacks rather than custom-developed ones. The second most common technique used was OS Credential Dumping, which attackers use to hijack accounts and move laterally. Third, came Data Encrypted for Impact, which reveals the continued threat posed by ransomware.

Infosecurity reports: "Experts Warn of Surge in Multipurpose Malware"

Internet users have become increasingly fascinated with Artificial Intelligence (AI)-based tools such as ChatGPT and DALL-E, but few have likely considered the security consequences of contributing text or images to such programs. Cybernews researchers have found that Cutout.pro, an AI-based visual design platform headquartered in Hong Kong, exposed user-generated content through an unprotected ElasticSearch instance. With the help of an AI-based Application Programming Interface (API), Cutout.pro's services enable users to alter photos and create images. The functionality allows the integration of the company's services into third-party applications. According to the team, Cutout.pro exposed usernames and images made by customers with the company's tools. The instance also contained information regarding the number of user credits, a virtual in-service currency, as well as links to Amazon S3 buckets containing generated images. The exposed instance had about 22 million log entries that referenced usernames for individual users and business accounts, but this does not mean that the same number of users were exposed, as there were duplicate log entries. This article continues to discuss the exposure of data by the AI media manipulation service Cutout.pro.

Cybernews reports "AI-Based Visual Editing Service Leaks User Images and Customer Data"

According to research conducted by Elevate Security, about 10 percent of the workforce is composed of high-risk users, who are in every department and function of the business. In addition, the study uncovered multiple unexpected findings. For example, contractors are less likely to pose a high risk than employees, and simulated phishing is not a reliable indicator of who poses a high risk for real phishing attacks. This study debunks the idea that many traditional ways to decrease user risk rely on simulated phishing tests as the major determinant for detecting potentially risky individuals. Although they constitute a small portion of the population, high-risk users pose a significant threat to the organization. This article continues to discuss key findings from Elevate Security's research on high-risk users.

Help Net Security reports "High-Risk Users May Be Few, but the Threat They Pose Is Huge"

Two new vulnerabilities affecting Schneider Electric Modicon Programmable Logic Controllers (PLCs) have been reported by security researchers at Forescout. These vulnerabilities could allow authentication bypass and Remote Code Execution (RCE). The vulnerabilities, tracked as CVE-2022-45788 and CVE-2022-45789, are part of a larger set of security vulnerabilities identified by Forescout as OT:ICEFALL. A successful attack using the vulnerabilities could allow an adversary to execute unauthorized code, cause a Denial-of-Service (DoS) condition, or disclose sensitive data. According to the cybersecurity firm, a threat actor can chain the vulnerabilities with known vulnerabilities from other vendors to achieve deep lateral movement in Operational Technology (OT) networks. This movement enables attackers to obtain deep access to Industrial Control Systems (ICS) and cross often-overlooked security perimeters, enabling them to carry out highly granular and covert manipulations and to circumvent functional and safety constraints. A proof-of-concept (PoC) cyber-physical attack revealed that the vulnerabilities could be exploited to evade safety guardrails and cause damage to a movable bridge's infrastructure. This article continues to discuss the new critical security flaws impacting Schneider Electric Modicon PLCs.

THN reports "Researchers Warn of Critical Security Bugs in Schneider Electric Modicon PLCs"

According to Alberto G. Alexander, Ph.D., cyber resilience combines information security, business continuity, and organizational resilience. He has described the components of an effective cyber resilience strategy and highlighted a cyber resilience framework's elements. Adverse cyber events have a negative impact on the availability, integrity, or confidentiality of networked Information Technology (IT) systems and the associated data and services. These incidents could be intentional, such as a cyberattack, or unintentional, like a software update failure. Humans, nature, or a combination of both may also cause adverse cyber events. The purpose of cyber resilience is to sustain the entity's ability to consistently deliver the desired outcome at all times. This requires doing so even when normal distribution systems have failed, such as during a crisis or a security breach. In addition, the idea of cyber resilience encompasses the ability to restore or recover regular delivery methods following such incidents, as well as the ability to continuously update or adapt these delivery mechanisms as risks and threats evolve. In the process of restoring delivery methods, backups and disaster recovery procedures are included. This article continues to discuss the elements of a successful cyber resilience strategy, the components of a cyber resilience framework, and the best cyber practices presented by Dr. Alberto G. Alexander.

Continuity Central reports "Developing a Successful Cyber Resilience Framework"

Group-IB's analysis of an intercepted spear-phishing email provides further insight into the hacking techniques of the Chinese state-sponsored espionage threat actor known as Tonto Team. According to the security firm, a spear-phishing attempt against its own employees in July 2022 was made by the Chinese threat actor that historically targeted South Korea, Japan, Taiwan, and the US but has since expanded operations to include additional Asian and Eastern European nations. The US-China Economic and Security Review Commission's analysis found that Tonto Team is likely a unit of the People's Liberation Army, which in 2017, allegedly hacked multiple South Korean organizations involved in the deployment of an American anti-ballistic missile defense system. In 2021, the cybersecurity company ESET identified it as a participant in the wave of Chinese state-sponsored hackers exploiting vulnerabilities in Microsoft Exchange. During the summer, Malwarebytes discovered that the group was extending its eavesdropping operations against Russian government agencies. No single indicator prompted Group-1B to believe that Tonto Team was behind their phishing attempt, but evidence began to mount. Attached to the phishing email was a document containing metadata that revealed the default language to be "Chinese People's Republic of China." The attachment was a rich text format file created with the Royal Road RTF Weaponizer, a malware tool primarily used by Chinese Advanced Persistent Threat (APT) groups. This article continues to discuss findings regarding the Chinese state-sponsored espionage threat actor Tonto Team.

DataBreachToday reports "Chinese Threat Group Leaks Hacking Secrets in Failed Attack"

Scandinavian airline SAS was hit by a cyberattack yesterday that reportedly downed its website and app and may have leaked customer information for a brief time. Customers were urged to refrain from using the airline's mobile app as they may be served incorrect information. Some users were apparently logged into the wrong accounts and therefore had access to the personal details of other customers. The company's website was also reportedly down for a time. Customers claimed that they were also not able to buy plane tickets yesterday. It's unclear whether all of the reported issues have been resolved because the company has yet to share much information about the cyberattack or what impact the cyberattack has had on its operations. Threat actors also targeted several Scandinavian media companies yesterday, including Swedish TV channel svt. The DDoS attacks were claimed by a group describing itself as "Anonymous Sudan," who said they were retaliating against a recent incident of Quran burning near Turkey's embassy in Stockholm. Experts are claiming that the DDoS attack may be a Russian false-flag campaign designed to continue whipping up hatred towards Sweden in Muslim countries like Turkey.

Infosecurity reports: "SAS App and Website Hit as Attacks Target Swedish Firms"

Intel recently announced patches for dozens of vulnerabilities across its product portfolio, including critical and high-severity issues. The most severe of these flaws is CVE-2021-39296 (CVSS score of 10), which impacts the Integrated Baseboard Management Controller (BMC) and OpenBMC firmware of several Intel platforms. Intel noted that the bug was identified in 2021 in the netipmid (IPMI lan+) interface and could allow an attacker to obtain root access to the BMC, bypassing authentication using crafted IPMI messages. Four other vulnerabilities were addressed in BMC, and OpenBMC firmware, including a high-severity, out-of-bounds read issue that could lead to denial-of-service (DoS). Intel has addressed these bugs with the release of Integrated BMC firmware versions 2.86, 2.09, and 2.78, and OpenBMC firmware versions 0.72, wht-1.01-61, and egs-0.91-179. The company noted that patches were also released for a high-severity privilege escalation defect in Xeon processors with SGX (CVE-2022-33196). Both BIOS and microcode updates that address this issue are now available. Intel also warned of a high-severity escalation of privilege issue (CVE-2022-21216) impacting Atom and Xeon processors and released microcode updates for Xeon to address CVE-2022-33972, an incorrect calculation bug that could lead to information disclosure. Intel also announced updates that resolve high-severity privilege escalation defects in the BIOS firmware and Trusted Execution Technology (TXT) Secure Initialization (SINIT) Authenticated Code Modules (ACM) of some processors. Updates were also released to resolve high-severity flaws in Driver Support Assistant (DSA) software and high and medium severity vulnerabilities in Battery Life Diagnostic Tool, oneAPI Toolkits, System Usage Report (SUR), Server Platform Services (SPS) firmware, and Quartus Prime Pro and Standard edition software. The company noted that various medium-severity vulnerabilities were also resolved in the FPGA SDK for OpenCL Quartus Prime Pro software, Integrated Sensor Solution, Media Software Development Kit (SDK), Trace Analyzer and Collector software, and Xe MAX drivers for Windows. Intel recommends that users update to the latest available firmware and software versions as soon as possible.

SecurityWeek reports: "Dozens of Vulnerabilities Patched in Intel Products"

In 2021, SideWinder, also known as Hardcore Nationalist (HN2), targeted more than 60 organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka, according to Group-IB. By a wide margin, government agencies were the most heavily attacked, with 44 targeted versus only four military organizations, while nearly half of the attacks were directed at targets in Nepal. Group-IB also noticed SideWinder using the popular messaging application Telegram to process data from targeted systems. According to Group-IB, due to its relative ease of use, the communication platform has gained popularity as a command-and-control (C2) center or base of operations among Advanced Persistent Threat (APT) groups and financially-motivated cybercriminals during the past year. SideWinder was also found to be improving its toolkit, with Group-IB identifying SideWinder.StealerPy as one of the tools. It is described as a Python-written information stealer that exfiltrates data stolen from the victim's computer. This article continues to discuss researchers' findings and observations regarding the SideWinder group.

Cybernews reports "India-Linked Group Used Telegram to Mastermind Cyberattacks Across Asia, Says Analyst"

Trellix, the leading Data Loss Prevention (DLP) vendor, is urging customers to patch a high-severity vulnerability that allows local attackers to circumvent restrictions and exfiltrate sensitive data. The vulnerability, tracked as CVE-2023-0400, affects Windows versions of Trellix DLP (11.9.x) issued in August 2022. Customers should upgrade to Trellix for Windows 11.10.0, which mitigates the vulnerability. Security researchers warn that the flaw is not a straightforward upgrade, increasing the likelihood that security teams would overlook the fix. Trellix considers the flaw to be of "medium severity." However, the National Institute of Standards and Technology (NIST) gave it a high-severity rating. According to Trellix, the vulnerability can only be exploited during product installation. Trellix said that an adversary must be able to map a network drive to their local system in order to exploit this vulnerability. In addition, according to a description of the flaw by Trellix, the attacker would need permission to either access data already on the mapped drive or copy data to the mapped drive. This article continues to discuss the potential impact and exploitation of the DLP flaw that affects Trellix for Windows.

SC Media reports "High-Severity DLP Flaw Impacts Trellix for Windows"

Two recently released studies highlight the hidden dangers to physical operations in today's Operational Technology (OT) networks posed by wireless devices, cloud-based applications, and nested networks of Programmable Logic Controllers (PLCs), effectively disproving traditional insight regarding the security of network segmentation and third-party network connections. In one set of discoveries, a Forescout Technologies research team was able to circumvent safety and functional guardrails in an OT network and move laterally across different network segments at the lowest network levels. Researchers exploited two newly discovered Schneider Modicon M340 PLC vulnerabilities to compromise the PLC and escalate the attack. In another study, a team of researchers from the ICS security company Otorio discovered 38 vulnerabilities in products such as cellular routers from Sierra Wireless and InHand Networks, as well as a remote access server for machines from ETIC Telecom. Dozens of additional vulnerabilities are still in the disclosure process with affected companies and were not identified in the study. The vulnerabilities include two dozen Web interface bugs that could provide the attacker a direct line of access to OT networks. This article continues to discuss the findings from the two new studies that have highlighted cyber threats to physical operations in OT networks.

Dark Reading reports "OT Network Security Myths Busted in a Pair of Hacks"

Researchers have discovered a new piece of evasive malware named Beep, which is designed to evade detection and drop additional payloads on a compromised system. Natalie Zargarov, a researcher at Minerva Labs, stated that the creators of this malware appear to be trying to implement as many anti-debugging and anti-VM tactics as they could find. One of these techniques was delaying execution using the Beep API function, hence the name of the malware. The first component of Beep is a dropper responsible for creating a new Windows Registry key and executing a Base64-encoded PowerShell script within it. This article continues to discuss researchers' findings regarding the new Beep malware.

THN reports "Experts Warn of 'Beep' - A New Evasive Malware That Can Fly Under the Radar"

Dong Chen, assistant professor of computer science at Colorado School of Mines, has won a National Science Foundation (NSF) CAREER Award for research aimed at providing smart home device users greater control over their data privacy. Chen will receive $586,000 over the course of five years for his efforts to develop a family of algorithms, mechanisms, and prototypes that will enhance Internet of Things (IoT) security and privacy for smart homes. As part of his project, Chen will also establish IoT cybersecurity workshops for middle and high school instructors in Colorado public schools, focusing on districts with populations of underrepresented students in STEM. Hands-on course modules will be developed to cover IoT systems, cybersecurity, and Artificial Intelligence (AI), which will be used to train students from K-12, undergraduate, and graduate levels. For the purpose of guiding the next generation of IoT, cybersecurity, and AI researchers, outreach activities will be held at local elementary, middle, and high schools. This article continues to discuss the different aspects of Chen's CAREER project, from empowering users of smart home devices to protect their privacy to improving diversity in the cybersecurity field.

Colorado School of Mines reports "Dong Chen Wins NSF CAREER Award for Project on Cybersecurity, Smart Home Device Data"

According to researchers from the security firm Sucuri, nearly 11,000 websites have been infected with a backdoor capable of redirecting visitors to websites that generate fake views of Google Adsense advertisements. All of the infected websites discovered by Sucuri use the WordPress Content Management System (CMS) and have an obfuscated PHP script injected into their legitimate files. These files include "index.php," "wp-signup.php," "wp-activate.php," and "wp-cron.php," and more. In addition, some of the infected websites inject obfuscated code into wp-blog-header.php and other files. The additional injected code functions as a backdoor designed to prevent the malware from being eradicated by loading itself into files that run whenever the targeted server is rebooted. Sucuri researcher Ben Martin explained that these backdoors download additional shells and a Leaf PHP mailer script from a remote domain and place them in files with random names in the wp-includes, wp-admin, and wp-content directories. Since the additional malware injection is embedded in the wp-blog-header.php file, it will execute each time the website is loaded and reinfect it. This guarantees that the environment will remain infected until all traces of the infection have been eliminated. This article continues to discuss the infection of about 11,000 websites with malware that is effective at evading detection.

Ars Technica reports "11,000 Sites Have Been Infected With Malware That's Good at Avoiding Detection"

The Chinese state-sponsored threat actor DEV-0147 has recently been spotted targeting diplomatic entities in South America with the ShadowPad remote access Trojan (RAT), also known as PoisonPlug. Microsoft stated that the threat actor's new campaign represents a notable expansion of the group's data exfiltration operations that previously targeted government agencies and think tanks in Asia and Europe. From a technical standpoint, Microsoft noted that it observed DEV-0147 deploy ShadowPad, a RAT associated with other China-based actors, to achieve persistence, and QuasarLoader, a webpack loader, to download and execute additional malware. The company stated that "DEV-0147's attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for recon and lateral movement and the use of Cobalt Strike for command and control and data exfiltration." Microsoft noted that Microsoft 365 Defender detects these DEV-0147 attacks through Microsoft Defender for Identity and Defender for Endpoint. Microsoft is urging organizations to enforce multi-factor authentication (MFA). DEV-0147 is not the only threat actor in China leveraging ShadowPad in recent times. A June 2022 advisory by Kaspersky saw Chinese threat actors using the malware to target unpatched Microsoft Exchange servers in different Asian countries. According to security researchers at Secureworks, ShadowPad has evolved from the PlugX malware.

Infosecurity reports: "Chinese Hackers Infiltrate South American Diplomatic Networks"