Severity
High
Analysis Summary
The DoNot threat group has been observed using a new .NET-based backdoor called Firebird to target a specific set of victims in Pakistan and Afghanistan. The attack chain also includes a downloader named CSVtyrei, so named because of its similarity to Vtyrei.
Vtyrei, also known as BREEZESUGAR, is a first-stage payload and downloader used by DoNot Team to distribute a malware framework known as RTY.
“Our thorough investigation uncovered a novel .NET-based backdoor called Firebird, with a main loader and at least three plugins. All samples demonstrated robust protection through ConfuserEx, resulting in an exceptionally low detection rate”, they mentioned in a report.
DoNot APT, also known as APT-C-35 and Origami Elephant, is believed to be of Indian origin and uses techniques such as spear-phishing emails and malicious Android apps to propagate malware. The latest analysis of this threat group shows its use of twin attack sequences in April 2023 to deploy the RTY and Agent K11 frameworks.
Alongside DoNot Team, another state-backed threat actor from the Asia-Pacific region, codenamed Mysterious Elephant (APT-K-47), has emerged, focusing on Pakistan.
This actor has been associated with a spear-phishing campaign that deploys a novel backdoor named ORPCBackdoor. This backdoor allows for the execution of files and commands on the victim’s computer and the receipt of files or commands from a malicious server.
According to a previously published report, APT-K-47 shares tooling and targeting overlaps with other actors like SideWinder, Patchwork, Confucius, and Bitter, most of which are believed to be aligned with India. These findings underscore the evolving and complex nature of cyber threats in the region and emphasize the importance of cybersecurity measures to counter these activities.
Impact
- Information Theft and Espionage
Remediation
- Never trust or open links and attachments received from unknown sources/senders.
- Deploy advanced endpoint security solutions that can detect and prevent the activities associated with the Firebird backdoor and related malware.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Patch and upgrade platforms and software promptly, and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Raise awareness among users about the risks associated with downloading apps from unknown or untrusted sources. Users should be educated about the importance of verifying app permissions and conducting background research on developers before installing apps.
- Implement reputable mobile security solutions on devices to help detect and block malicious apps. Mobile antivirus and anti-malware software can provide an additional layer of protection against potential threats.
- Maintain regular and secure backups of critical data, ensuring that data can be restored in case of a cyberattack.
- Employ network monitoring and intrusion detection systems to detect and respond to suspicious activities in real-time.
- Enforce the principle of least privilege, granting users only the minimum access required to perform their tasks.