This weekly wrap-up aims to keep readers abreast of developments in the cyber security space from an intelligence perspective. Each report covers the trending cyber security news from the seven days before its publication date.
This week’s wrap covers Operation Triangulation, Agent Tesla delivered through CVE-2017-11882, an analysis of the Kimsuky group’s attacks using AppleSeed, a Nim-based campaign impersonating the Nepali government, and APT28.
Operation Triangulation: The last (hardware) mystery
Key Takeaways:
- Operation Triangulation is an advanced zero-click iMessage attack chain against iOS devices (up to iOS 16.2) that uses four zero-days: CVE-2023-41990, CVE-2023-32434, CVE-2023-32435 and CVE-2023-38606.
- The chain combines return- and jump-oriented programming, a large obfuscated JavaScript stage that manipulates JavaScriptCore memory to reach native code, and kernel memory read/write primitives used for privilege escalation.
- CVE-2023-38606 concerns an undocumented hardware feature in Apple-designed SoCs (A12–A16 Bionic): by writing to unknown MMIO registers, the attackers bypass the hardware-based kernel memory protection (Page Protection Layer). Nothing like it has been seen exploited in the wild before.
- How the attackers learned of this hardware feature, and why it exists, is still unknown, which raises concerns about relying on “security through obscurity” in hardware design.
- Apple’s mitigation in iOS 16.6 adds the affected MMIO ranges to the pmap-io-ranges list so that the kernel will not map those physical addresses; that the fix is a blocklist update rather than a hardware change underlines how sensitive the issue is.
Threat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla
Key Takeaways:
- Threat actors are exploiting CVE-2017-11882, a memory-corruption bug in the Microsoft Office Equation Editor, to deliver the Agent Tesla malware.
- Delivery is via spam emails with malicious Office attachments that carry the CVE-2017-11882 exploit.
- The infection sequence chains an obfuscated VBS file, a JPG file that hides a Base64-encoded DLL, and in-memory loading of that DLL to evade detection and deliver the Agent Tesla payload.
- Agent Tesla is an advanced keylogger and information stealer that harvests credentials from browsers, mail clients and FTP clients.
- Stolen data is exfiltrated to a Telegram bot controlled by the threat actors.
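Two detection-side checks for the chain described above, as an added example (not code from the Zscaler report): carving a Base64-encoded PE out of an image file, and flagging child processes of the Equation Editor, which legitimately spawns none. The JPEG, the stand-in "DLL" and the pipe-delimited process-creation lines are all constructed here; the placement of the Base64 blob after the JPEG end marker is an assumption for the sample, and the carver scans the whole file regardless.

```python
"""Carve a Base64-encoded PE from a JPEG and flag EQNEDT32.EXE children.
All inputs below are constructed for the example."""
import base64
import re
import struct


def fake_pe() -> bytes:
    """Stand-in for the dropped DLL: an MZ header whose e_lfanew points at a
    PE signature, padded with NOPs. Not loadable, only carveable."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> offset of "PE\0\0"
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr) + b"\x90" * 64


def fake_jpeg() -> bytes:
    """SOI marker, a minimal JFIF APP0 segment, filler bytes, EOI marker."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + b"\x12\x34" * 32 + b"\xff\xd9"


# Constructed malicious "image": valid-looking JPEG with the Base64 DLL appended.
SAMPLE_JPG = fake_jpeg() + base64.b64encode(fake_pe())

# Constructed Sysmon-style process-creation events, pipe-delimited key=value.
# Equation Editor is started by DCOM (parent svchost.exe), not by Excel itself.
SAMPLE_EVENTS = [
    r"EventID=1|ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    r"EventID=1|ParentImage=C:\Windows\System32\svchost.exe|Image=C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
    r"EventID=1|ParentImage=C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|Image=C:\Windows\System32\wscript.exe",
    r"EventID=1|ParentImage=C:\Windows\System32\wscript.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"EventID=1|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe",
]

# A run of at least 64 Base64 characters with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def is_pe(data: bytes) -> bool:
    """True if data starts with MZ and e_lfanew points at a PE signature."""
    if len(data) < 0x44 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_b64_pe(blob: bytes) -> list[bytes]:
    """Decode every long Base64 run in the file and keep those that decode to a PE."""
    found = []
    for m in B64_RUN.finditer(blob):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError: bad length/padding
            continue
        if is_pe(data):
            found.append(data)
    return found


def parse_event(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.split("|"))


def flag_eqnedt_children(lines) -> list[str]:
    """Return images spawned by EQNEDT32.EXE; any child of it is suspicious."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("ParentImage", "").lower().endswith("\\eqnedt32.exe"):
            hits.append(ev["Image"])
    return hits


if __name__ == "__main__":
    for pe in carve_b64_pe(SAMPLE_JPG):
        print(f"carved PE of {len(pe)} bytes from image")
    for child in flag_eqnedt_children(SAMPLE_EVENTS):
        print(f"Equation Editor spawned: {child}")
```

The carver deliberately requires a decoded MZ/PE structure rather than trusting the Base64 run alone, so long text fields inside legitimate images do not produce false positives; the process check keys only on the parent name, because the Equation Editor has no legitimate reason to create any child process.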
Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed
Key Takeaways:
- The Kimsuky threat group, assessed to be supported by North Korea, has been active since 2013 and mainly targets national defense, the defense industry, media, diplomacy, government organizations and academia.
- The group uses spear phishing for initial access; recent attacks deliver shortcut-type malware in LNK format, JavaScript files, and malicious documents.
- AppleSeed is the backdoor the Kimsuky group uses to control infected systems; it can download additional malware, log keystrokes, take screenshots, and steal information.
- The group has also been using AlphaSeed, a Golang variant of AppleSeed that communicates with the C&C server through ChromeDP.
- Alongside these backdoors, the Kimsuky group has been observed using Meterpreter and VNC tooling (TightVNC and HVNC) to control infected systems.
A Look at the Nim-based Campaign Using Microsoft Word Docs to Impersonate the Nepali Government
Key Takeaways:
- Threat actors are increasingly writing malware in uncommon programming languages such as Nim, which makes the samples harder for security analysts to detect and analyze.
- This report analyzes a recent campaign that impersonates the Nepali government with Microsoft Word documents carrying a malicious backdoor written in Nim.
- The campaign starts with a Word document delivered by email that prompts the recipient to enable macros; once enabled, the macro drops the Nim backdoor onto the victim’s system.
- The backdoor communicates with command and control (C&C) servers to receive and execute commands. It uses anti-analysis techniques to evade detection, including checking for running analysis tools and terminating itself if any are found.
- For persistence, the campaign writes scripts and creates scheduled tasks so that the backdoor is executed at system startup.
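A hunting check for the persistence mechanism described above, as an added example (not Netskope’s code): scheduled tasks whose action runs a script file, invokes a script host, or executes from a user-writable directory are flagged for review. The rows below are a constructed stand-in for `schtasks /query /fo CSV /v` output reduced to the two columns used; the task names and paths are invented.

```python
"""Flag scheduled tasks that look like script-based persistence.
The CSV rows are constructed for this example."""
import csv
import io
import re

# Constructed sample. Real 'schtasks /query /fo CSV /v' output has many more columns.
SCHTASKS_CSV = r'''"TaskName","Task To Run"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$"
"\SystemHealthCheck","C:\Users\victim\AppData\Roaming\svc\updater.bat"
"\Adobe Acrobat Update Task","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"\OneDriveSync","wscript.exe //B C:\Users\Public\sync.vbs"
'''

# Locations a standard user can write to; a signed system binary has no business there.
USER_WRITABLE = re.compile(r"(?i)\\(Users\\[^\\]+\\AppData|Users\\Public|Temp|ProgramData)\\")
# Script file extensions used as task actions.
SCRIPT_FILE = re.compile(r"(?i)\.(bat|cmd|vbs|js|ps1|hta)\b")
# Script hosts at the start of the command or after a path separator.
SCRIPT_HOST = re.compile(r"(?i)(^|\\)(cmd|wscript|cscript|powershell|pwsh|mshta)(\.exe)?\b")


def suspicious_tasks(csv_text: str) -> list[tuple[str, list[str]]]:
    """Return (task name, reasons) for every task that trips at least one rule."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row["Task To Run"]
        reasons = []
        if USER_WRITABLE.search(cmd):
            reasons.append("runs from a user-writable directory")
        if SCRIPT_FILE.search(cmd):
            reasons.append("runs a script file")
        if SCRIPT_HOST.search(cmd):
            reasons.append("invokes a script host")
        if reasons:
            flagged.append((row["TaskName"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_tasks(SCHTASKS_CSV):
        print(f"{name}: {', '.join(reasons)}")
```

Each rule alone produces noise on a real host (administrators schedule batch files too), so the output is a triage list rather than an alert; the combination of a script host plus a user-writable path is the pattern worth escalating first.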
APT28: From Initial Damage to Domain Controller Threats in an Hour
Key Takeaways:
- APT28, the Russian state-sponsored group also tracked as Fancy Bear, is targeting Ukrainian organizations in a campaign reported by CERT-UA in late December 2023.
- Initial access comes through phishing emails that lure recipients into opening a link to a malicious document, which starts a chain of downloaders and backdoors on the victim’s host.
- The campaign is espionage-oriented: the tooling is built for persistent remote access, credential and browser data theft, and lateral movement inside the network.
- CERT-UA estimates that the time from initial compromise to attempts against the domain controller was no more than one hour, leaving defenders very little window to respond.
- Ukrainian organizations are advised to restrict outbound connections from workstations, keep systems and security software updated, and train employees to recognize phishing and social engineering.
Sources
https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/
https://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
https://asec.ahnlab.com/en/60054/
https://www.netskope.com/blog/a-look-at-the-nim-based-campaign-using-microsoft-word-docs-to-impersonate-the-nepali-government
https://cert.gov.ua/article/6276894