Tag Archive for: espionage

State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage


Apr 25, 2024 | Newsroom | Vulnerability / Zero-Day


A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments.

Cisco Talos, which dubbed the activity ArcaneDoor, attributed it to a previously undocumented, sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft).

“UAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement,” Talos said.


The intrusions, which were first detected and confirmed in early January 2024, entail the exploitation of two vulnerabilities:

  • CVE-2024-20353 (CVSS score: 8.6) – Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial-of-Service Vulnerability
  • CVE-2024-20359 (CVSS score: 6.0) – Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability

It’s worth noting that a zero-day exploit is the technique or attack a malicious actor deploys to leverage a previously unknown security vulnerability to gain access to a system.

While the second flaw allows a local attacker to execute arbitrary code with root-level privileges, administrator-level privileges are required to exploit it. Addressed alongside CVE-2024-20353 and CVE-2024-20359 is a command injection flaw in the same appliance (CVE-2024-20358, CVSS score: 6.0) that was uncovered during internal security testing.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the shortcomings to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the vendor-provided fixes by May 1, 2024.


The exact initial access pathway used to breach the devices is presently unknown, although UAT4356 is said to have started preparations for it as early as July 2023.

A successful foothold is followed by the deployment of two implants named Line Dancer and Line Runner, the former of which is an…


Unraveling the Intricate Web of State-Sponsored Cyber Espionage


In an era where digital frontiers are continually expanding, the specter of state-sponsored cyber espionage looms large. Recent revelations have shed light on the intricate web of cyber activities orchestrated by nations like China and Russia, targeting global infrastructures and posing unprecedented threats to international security. This narrative unfolds against the backdrop of accusations leveled against these countries, involving sophisticated hacking operations that not only breach the digital defenses of corporations but also insidiously infiltrate the very core of critical national infrastructures.

The Genesis of Cyber Espionage: Unveiling ‘Bitter’

At the heart of this digital battleground is ‘Bitter’, an advanced persistent threat (APT) group with suspected origins in India, active since at least November 2013. Bitter’s modus operandi is emblematic of the shadows cast by cyber espionage on global politics. Through meticulously crafted spear phishing and watering hole attacks, this group has targeted a swath of countries including Pakistan, Bangladesh, Mongolia, and China. Their actions, ranging from impersonating embassies to deploying malicious files via compromised email accounts, are not merely acts of cyber vandalism but calculated moves on the chessboard of international intelligence gathering.

The activities of Bitter, connected to other groups like Patchwork, SideWinder, and Donot, underscore a broader narrative of cyber operations focused on extracting sensitive information. Cybersecurity firms have linked several attacks over the past two years to Bitter, revealing a pattern of espionage that underscores the strategic importance of digital intelligence in modern geopolitical maneuvering.

Escalating Threats: China’s Cyber Prowess and Global Responses

China’s ever-expanding cyber capabilities have come under intense scrutiny, with accusations of state-sponsored hacking that targets critical infrastructure, notably in countries like Japan. The Deputy Director of Japan’s National Center of Incident Readiness and Strategy for Cybersecurity has voiced concerns over the rising tide of cyber threats,…


Ex-CIA Officer Imprisoned For ‘Heinous Crimes Of Espionage’



Ex-CIA officer Joshua Adam Schulte sent to prison for “committing some of the most brazen, heinous crimes of espionage in American history.”

The 35-year-old Schulte was sentenced to 40 years in prison for crimes of espionage, computer hacking, contempt of court, and making false statements to the FBI.

Schulte was employed by the CIA as a software developer in the Center for Cyber Intelligence (CCI) from 2012 to 2016.

“Mr. Schulte severely harmed U.S. national security and directly risked the lives of CIA personnel, persisting in his efforts even after his arrest,” Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division, said in a statement.

In March 2016, Schulte was moved within branches of CCI as a result of personnel disputes between Schulte and another developer. Following that transfer, in April 2016, Schulte abused his administrator powers to grant himself administrator privileges over a development project from which he had been removed as a result of the branch change. Schulte’s abuse of administrator privileges was detected, and CCI leadership directed that administrator privileges would immediately be transferred from developers, including Schulte, to another division. Schulte was also given a warning about self-granting administrator privileges that had previously been revoked.

Schulte had, however, secretly opened an administrator session on one of the servers before his privileges were removed. On April 20, 2016, after other developers had left the CCI office, Schulte used his secret server administrator session to execute a series of cyber-maneuvers on the CIA network to restore his revoked privileges, break into the backups, steal copies of the entire CCI tool development archives (the Stolen CIA Files), revert the network back to its prior state, and delete hundreds of log files in an attempt to cover his tracks. Schulte’s theft of the Stolen CIA Files is the largest data breach in CIA history.

From his home computer, Schulte then transmitted the Stolen CIA Files to WikiLeaks, using anonymizing tools recommended by WikiLeaks to potential leakers, such as the Tails operating system and the…


Ivanti VPN vulnerabilities exploited by suspected espionage group UNC5221


New details have emerged surrounding two zero-day vulnerabilities impacting Ivanti Connect Secure VPN (formerly known as Pulse Secure) and Ivanti Policy Secure appliances. Details of these vulnerabilities were published by cybersecurity firm Mandiant. The reported vulnerabilities have seen active exploitation in the wild, beginning as early as December 2023.

Threat actor UNC5221, a suspected espionage group currently tracked by Mandiant, is believed to be behind the exploitation of these vulnerabilities. As highlighted by Mandiant Consulting CTO Charles Carmakal, these CVEs, when chained together, result in unauthenticated remote code execution.

UNC5221 reportedly employed multiple custom malware families to conduct post-exploitation espionage activity after successfully exploiting the zero-day vulnerabilities. This includes establishing footholds for continued access to the Connect Secure (CS) appliances.

According to Mandiant’s researchers, the group’s preparation for maintaining persistent access to the CS appliances suggests that these are not just opportunistic attacks. It would seem UNC5221 planned to maintain its presence on a subset of the high-priority targets it had compromised, even after an eventual patch release.

Mandiant’s researchers added that, similar to UNC5221, they had previously noted multiple suspected APT actors resorting to appliance-specific malware to facilitate post-exploitation and evade detection. These cases, coupled with findings related to targeting, have led Mandiant to believe that this could be an espionage-motivated APT campaign.

While Mandiant continues to investigate these attacks in detail, early findings also note that UNC5221 primarily utilised compromised, out-of-support Cyberoam VPN appliances for its command and control. The compromised devices were domestic to the victims, likely further aiding the threat actor in evading detection.

Patches are currently being developed, with Ivanti customers advised to stay updated on release timelines. At present, Mandiant has not linked this activity to a previously known group. It also doesn’t currently have enough data to ascertain the origin of UNC5221.

The custom malware families used by…
