
Changing Techniques With the Same Motive: Threat Actors Today!


Lazarus Group has unleashed a fresh wave of tactics. This time, it has set up new infrastructure masquerading as skills assessment portals to advance its social engineering campaigns.

Microsoft’s Insight: Tactics Shift

Microsoft attributes the activity to a threat actor it tracks as Sapphire Sleet. The group, also known as APT38, BlueNoroff, CageyChameleon, and CryptoCore, has a track record of cryptocurrency heists carried out through social engineering.

Mac Attack: ObjCShellz and RustBucket 

Adding a twist to the narrative, Jamf Threat Labs has connected Sapphire Sleet to a novel macOS malware family named ObjCShellz. 

This sophisticated piece is deemed a late-stage payload, used in combination with another macOS malware family known as RustBucket.

Evolving Strategies

As the plot thickens, insights from the Microsoft Threat Intelligence team reveal that Sapphire Sleet makes its initial contact on platforms like LinkedIn. Once a target engages, the threat actor moves the conversation to other platforms.

Past exploits by these threat actors involved deploying malicious attachments or embedding links in pages hosted on legitimate platforms like GitHub. 

Yet the swift detection and takedown of those lures has prompted Sapphire Sleet to build its own network of deceptive websites for distributing malware.

“Several malicious domains and subdomains host these websites, enticing recruiters to register for an account. The websites are shrouded in password protection, acting as a formidable barrier against prying analysis,” Microsoft says.

Sandworm – Digital Havoc in Ukraine!

Google’s Mandiant recently exposed a cyber assault by the notorious Sandworm, a Russian hacking group, on a vital electrical substation in Ukraine. 

The October 2022 attack caused an unplanned power outage, leaving a lasting mark on the nation's power grid. Mandiant labeled the incident a "multi-event cyber attack," revealing a novel approach to disrupting industrial control systems (ICS).

Image description: Execution chain of disruptive OT event

Strategies and Tactics – Something to Stop!

According to Mandiant's findings, Sandworm threw a curveball by employing OT-level living-off-the-land (LotL) techniques: rather than deploying custom ICS malware, it issued commands through the substation's own control software. This sleight-of-hand tripped the substation's circuit breakers, plunging the region into darkness. 

The twist? It happened precisely when mass missile strikes were hitting critical infrastructure across Ukraine! Sandworm didn’t stop there; a second disruptive act followed, introducing a new variant of the notorious CaddyWiper in the victim’s IT domain!

The identity of the affected energy facility, the duration of the blackout, and the size of the impacted population have not been disclosed.
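OT-level living-off-the-land is hard to catch with file-based signatures because nothing malicious is dropped: the legitimate control utility is simply run with an attacker-supplied command script. What a defender can watch is how that utility is launched. The following is an added example, not code from Mandiant or from this article; the SCADA package name, the utility CTRL_UTIL.EXE, its -f flag, the install path and the Sysmon-like event records are all constructed assumptions. It flags a control-utility launch when the parent process is unexpected, when the command script lives outside the SCADA directory (for instance on a mounted image or removable volume), or when several launches cluster on one host within a short window.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Assumptions, constructed for this example (the article names none of these):
# the SCADA package lives under C:\SCADA and its native command utility
# CTRL_UTIL.EXE takes a command script via -f.
SCADA_DIR = "c:\\scada\\"
CONTROL_BINARY = "ctrl_util.exe"
EXPECTED_PARENTS = {"scada_supervisor.exe", "explorer.exe"}
BURST_WINDOW = timedelta(seconds=120)

# Constructed process-creation records in a Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2022-10-10T06:02:11Z", "host": "hmi-01", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\SCADA\\bin\\ctrl_util.exe",
     "cmd": "ctrl_util.exe -f C:\\SCADA\\apl\\morning_check.txt"},
    {"ts": "2022-10-10T22:01:00Z", "host": "hmi-01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\SCADA\\bin\\ctrl_util.exe",
     "cmd": "ctrl_util.exe -f D:\\pack\\open_breakers.txt"},
    {"ts": "2022-10-10T22:01:20Z", "host": "hmi-01", "parent": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\SCADA\\bin\\ctrl_util.exe",
     "cmd": "ctrl_util.exe -f D:\\pack\\open_breakers.txt"},
    {"ts": "2022-10-10T22:05:00Z", "host": "hmi-01", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\notepad.exe", "cmd": "notepad.exe shift_log.txt"},
]


def _basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_path(cmdline: str):
    """Return the path handed to -f (lower-cased), or None if no script was given."""
    m = re.search(r'-f\s+"?([^"\s]+)"?', cmdline, re.IGNORECASE)
    return m.group(1).lower() if m else None


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def analyze(events) -> Dict[int, List[str]]:
    """Map event index -> list of reasons for every suspicious control-utility launch."""
    control = [(i, ev) for i, ev in enumerate(events)
               if _basename(ev["image"]) == CONTROL_BINARY]
    findings: Dict[int, List[str]] = {}
    for i, ev in control:
        reasons = []
        parent = _basename(ev["parent"])
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"launched by unexpected parent {parent}")
        script = script_path(ev["cmd"])
        if script and not script.startswith(SCADA_DIR):
            reasons.append(f"command script outside SCADA directory: {script}")
        # Burst rule: other control-utility launches on the same host within BURST_WINDOW.
        t = _parse_ts(ev["ts"])
        peers = [j for j, other in control
                 if j != i and other["host"] == ev["host"]
                 and abs(_parse_ts(other["ts"]) - t) <= BURST_WINDOW]
        if peers:
            reasons.append(f"{len(peers) + 1} control-utility launches within {BURST_WINDOW.seconds}s")
        if reasons:
            findings[i] = reasons
    return findings


if __name__ == "__main__":
    for idx, reasons in analyze(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["ts"], "; ".join(reasons))
```

On the constructed events, the routine operator run at 06:02 passes clean, while the two night-time launches from cmd.exe and wscript.exe with a script on the D: volume trip all three rules. The same approach applies to any vendor control utility: allow-list the expected parent and script locations, then alert on everything else.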

Global Wake-Up Call: Guarding Against Critical Infrastructure Threats!

The implications reach far beyond Ukraine's borders. Given Sandworm's global threat footprint and the widespread use of MicroSCADA supervisory control systems, critical infrastructure everywhere is exposed to the same technique. 

Mandiant raises a rallying cry, urging global asset owners to fortify their defenses against Sandworm’s digital onslaught on IT and OT systems!

Confluence Chronicles: Effluence Backdoor Emerges from the Shadows!

In parallel, a stealthy backdoor named Effluence has been found deployed after exploitation of a recently disclosed security flaw in Atlassian Confluence Data Center and Server.

Exploiting Chinks!

The twist? Attackers gain remote access through a web shell, with no authentication required.

Hold on, there's more. Atlassian has disclosed the flaw as CVE-2023-22518, an improper authorization vulnerability that lets an attacker create rogue admin accounts, threatening confidentiality, integrity, and availability all at once.

What steals the spotlight here? 

The backdoor itself. Effluence is installed after exploitation, so applying the Confluence patch closes the original hole but does not remove the backdoor. It hands the attackers persistent remote access without any Confluence authentication, a foothold for lateral movement within the network, and a channel for covert data exfiltration.
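Because the flaw's direct effect is rogue administrator accounts, and because patching does not undo what an attacker already did, an incident responder should audit the administrator group rather than stop at the patch. The following is an added example, not code from Atlassian, Aon or this article; the CSV export layout is an assumption made for the example (it is not a Confluence export format), and the accounts in it are constructed. It parses the export and flags every member of the administrators group that is either not on the approved list or was created after the instance was last known to be clean.

```python
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List

# Constructed CSV export of Confluence accounts and their groups. The column
# layout is an assumption for this example, not a Confluence format; timestamps are UTC.
EXPORT_CSV = """username,created,active,groups
admin,2021-03-04T09:00:00Z,true,confluence-administrators;confluence-users
j.doe,2022-06-18T14:22:41Z,true,confluence-users
m.ops,2022-09-01T08:00:00Z,true,confluence-administrators;confluence-users
svc_sync,2023-11-02T03:14:09Z,true,confluence-administrators
tmp_user,2023-11-03T11:47:55Z,false,confluence-administrators;confluence-users
"""

ADMIN_GROUP = "confluence-administrators"


def parse_export(text: str) -> List[dict]:
    """Parse the constructed export into records with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"].strip(),
            "created": datetime.strptime(row["created"], "%Y-%m-%dT%H:%M:%SZ")
                               .replace(tzinfo=timezone.utc),
            "active": row["active"].strip().lower() == "true",
            "groups": {g for g in row["groups"].split(";") if g},
        })
    return rows


def audit_admins(users: List[dict], known_admins: set,
                 last_known_good: datetime) -> Dict[str, List[str]]:
    """Return {username: reasons} for every administrator-group member needing review.

    A deactivated account is still reported: deactivation is not removal, and an
    attacker who can create admins can re-enable one.
    """
    findings: Dict[str, List[str]] = {}
    for u in users:
        if ADMIN_GROUP not in u["groups"]:
            continue
        reasons = []
        if u["username"] not in known_admins:
            reasons.append("not on the approved administrator list")
        if u["created"] >= last_known_good:
            reasons.append(f"created {u['created'].isoformat()} after last-known-good state")
        if reasons and not u["active"]:
            reasons.append("currently deactivated, but still a member of the admin group")
        if reasons:
            findings[u["username"]] = reasons
    return findings


if __name__ == "__main__":
    users = parse_export(EXPORT_CSV)
    cutoff = datetime(2023, 10, 1, tzinfo=timezone.utc)   # assumed last clean state
    for name, reasons in audit_admins(users, {"admin", "m.ops"}, cutoff).items():
        print(name, "->", "; ".join(reasons))
```

Run against the constructed export with the two approved administrators, the audit reports svc_sync and tmp_user and leaves admin, m.ops and the ordinary user j.doe alone. Any account it reports should be removed from the group and its creation investigated; the same review is worth repeating after patching, since the patch does not clean up accounts or a backdoor that were already in place.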

Save The Day!

Cybersecurity experts and tech leaders work daily to make cyberspace a safer place for us. But as attackers keep refining their techniques, they still manage to do real damage to us and to society.

The cases above show that a cyber intrusion can damage an entire industrial infrastructure while leaving few traces. Our identity, security, and sovereignty are not safe.

So, what must be done? We need to assume that threats exist and stay cautious, both individually and as a society.

Author: Marrium Akhtar

Date: November 13, 2023

Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
