Between February and July 2022, researchers observed malicious activity linked to the North Korean state-sponsored threat actor Lazarus Group. In this campaign, the attack vector involved exploiting vulnerabilities in VMware products to gain an initial foothold in corporate networks, followed by the deployment of known custom malware implants from the VSingle and YamaBot families; the activity also led to the discovery of a previously unknown implant dubbed MagicRAT.
The same campaign had been partially disclosed by other researchers in April and May 2022. In the recently observed activity, energy organizations, especially in Canada, the U.S., and Japan, appear to be the primary targets, and the suspected goal is maintaining long-term access for espionage on behalf of the North Korean government.
The initial vector was identified as exploitation of Log4j on vulnerable VMware Horizon servers. The campaign spanned several attacks on multiple victims; however, researchers highlighted two instances that largely represent the playbook employed by Lazarus Group. In some cases the attacker also used additional tools, including Mimikatz, procdump, and a SOCKS proxy (3proxy).
Albania, a NATO member, first fell victim to malign cyber activity in July 2022. The attackers, calling themselves "HomeLand Justice" on Telegram and most probably sponsored and/or directed by Iran, were likely reacting to a conference planned in Tirana, Albania, that was later canceled. The conference was to be attended by members of Mujahedeen-e-Khalq (MEK), an Iranian opposition group advocating the overthrow of the Iranian government and the dismantling of the ruling regime.
The Prime Minister of Albania, Edi Rama, representing the center-left Socialist Party, stated that state-backed aggressors: “threatened to paralyze public services, delete systems, and steal state data, steal electronic communications within the government system and fuel insecurity and chaos in the country.”
In response, on 7 September Albania expelled Iranian diplomats and embassy staff, giving them 24 hours to leave. Albania is thus the first known state to sever diplomatic ties with another country over a cyber-attack. On 8 September, Albanian police systems were attacked again, taking the Total Information Management System (TIMS) offline; it has since been fully restored. TIMS is designed to enhance capabilities in criminal investigation, border control, criminal intelligence, and case management.
In response to the attack, the U.S. Treasury imposed sanctions on the Ministry of Intelligence of the Islamic Republic of Iran (MOIS, also known as VAJA / VEVAK) and on Minister Esmail Khatib. "The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace," said National Security Council spokesperson Adrienne Watson. According to the U.S. Treasury, MOIS has orchestrated cyber-operations against unfriendly governments and private corporations since 2007. The news of the U.S. sanctions came as it was revealed that Iran is stalling the nuclear policy talks with the EU and the United States.
As the United States prepares for the midterm elections on November 8th, concerns about cyber-security are on the rise. A U.S.-based cyber-threat detection company is "highly confident" that DDoS attacks, ransomware, and other subversive activity such as phishing campaigns will emerge during the elections, though not specifically targeting or influencing voting machines. Researchers predict that attempts to influence the U.S. election are almost certain.
The company has tracked activity predominantly from the "usual suspects": threat actors from Russia, China, Iran, and North Korea. Experts expect advanced persistent threat (APT) groups such as APT41, APT31, APT29, and APT42 to continue and intensify their activities.
The Director of the Cybersecurity and Infrastructure Security Agency (CISA) has also voiced concerns about Russian interference in the midterm elections and the threat of disinformation campaigns. CISA's head of election security has also warned about workforce shortages and "inside threats" from local and state adversaries.
While performing a code review of several popular Java open-source projects, researchers found interesting bypass flaws in two of them, Apache Shiro and dotCMS. The identified vulnerabilities are as follows:
For both vulnerabilities, researchers discovered path-filter bypass methods that lead to the issues above.
In the case of the authentication bypass vulnerability in Apache Shiro when used with Spring Boot, the flaw exists because Apache Shiro and Spring Boot parse the URL path differently, which allowed researchers to access protected content. In the case of the dotCMS XSSPreventionWebInterceptor bypass using matrix parameters, researchers overcame the path-filter mechanism by working on the PATH rather than the Origin/Referer header: they found that matrix parameters, unlike query parameters, can be accepted anywhere in the path, so the filter and the route handler end up looking at different paths.
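Both flaws come down to a security filter and the framework behind it disagreeing on what a request path means. The defensive check below is an added illustration, not code from Apache Shiro, dotCMS or the researchers: it canonicalizes a path (query string dropped, one round of percent-decoding, matrix parameters stripped from every segment, dot-segments resolved) before applying a constructed rule set, and flags any request where a literal prefix match and the canonical match disagree, since that disagreement is exactly the condition a log review or WAF rule should surface.

```python
from urllib.parse import unquote

# Constructed rule set (assumption): paths that require an authenticated admin.
PROTECTED_PREFIXES = ("/admin", "/api/internal")


def canonicalize_path(raw_path: str) -> str:
    """Reduce a request path to the form an access rule should be applied to.

    Drops the query string, percent-decodes once, removes matrix parameters
    (';key=value' attached to any segment), resolves '.' and '..' segments and
    collapses repeated slashes, so that spellings a downstream router treats
    as the same resource map to one string.
    """
    path = unquote(raw_path.split("?", 1)[0])
    segments = []
    for segment in path.split("/"):
        segment = segment.split(";", 1)[0]   # strip matrix parameters
        if segment in ("", "."):
            continue
        if segment == "..":
            if segments:
                segments.pop()
            continue
        segments.append(segment)
    return "/" + "/".join(segments)


def _matches(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def literal_filter_protects(raw_path: str) -> bool:
    """A filter that matches rules against the raw path exactly as received."""
    return any(_matches(raw_path, p) for p in PROTECTED_PREFIXES)


def canonical_filter_protects(raw_path: str) -> bool:
    """The same rules applied to the canonical path (the hardened variant)."""
    return any(_matches(canonicalize_path(raw_path), p) for p in PROTECTED_PREFIXES)


def parser_disagreement(raw_path: str) -> bool:
    """True when the two views disagree: the condition worth logging, because a
    route reached through such a path may be served without the filter's check."""
    return literal_filter_protects(raw_path) != canonical_filter_protects(raw_path)


if __name__ == "__main__":
    # Constructed sample paths, not taken from the advisories summarized above.
    for sample in ("/admin/users", "/admin;v=1/users", "/public/../admin/users", "/docs/index.html"):
        print(f"{sample:26} canonical={canonicalize_path(sample):14} "
              f"literal={literal_filter_protects(sample)} hardened={canonical_filter_protects(sample)} "
              f"flag={parser_disagreement(sample)}")
```

The robust fix remains making the filter and the router share one parser; canonicalization plus disagreement logging is the compensating control while that is pending.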