September 9, 2024
Severity
High
Analysis Summary
A previously unidentified threat actor, most likely connected to Chinese-speaking threat groups, has targeted Taiwanese drone manufacturers in a cyberattack campaign that started in 2024.
Given the emphasis on military-related supply chains, cybersecurity researchers assess the activity as espionage-driven and track the adversary under the codename TIDRONE. The initial access vector used to penetrate targets is currently unknown; the research did reveal that custom malware such as CXCLNT and CLNTEND was deployed using remote desktop tooling like UltraVNC.
An intriguing similarity noted across several victims is their use of the same enterprise resource planning (ERP) software, suggesting a possible supply chain intrusion. The attack chain then proceeds through three distinct stages intended to enable privilege escalation: disabling the antivirus software installed on the hosts, dumping credentials, and bypassing User Account Control (UAC).
Both backdoors are launched by side-loading a malicious DLL through the legitimate Microsoft Word program, which gives the threat actors access to a variety of sensitive data. CXCLNT includes basic upload and download functions, along with capabilities for erasing evidence, gathering victim information such as file descriptions and computer names, and downloading DLL and next-stage portable executable (PE) files for execution.
First identified in April 2024, CLNTEND is a newly discovered remote access tool (RAT) that communicates over a broader range of network protocols, including TCP, HTTP, HTTPS, TLS, and SMB (port 445). The consistency of file compilation timestamps and the threat actor's operating hours with previous Chinese espionage-related activity supports the conclusion that this campaign is probably being carried out by an as-yet-unidentified Chinese-speaking threat group.
Impact
- Cyber Espionage
- Sensitive Data Theft
- Privilege Escalation
- Security Bypass
Indicators of Compromise
Domain Name
- server.microsoftsvc.com
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Maintain daily backups of all computer networks and servers.
- Keep operating systems and software up to date, as threat actors often exploit known vulnerabilities in both; timely patching removes those openings before they can be used.
- Implementing strong password policies and multifactor authentication can make it more difficult for attackers to gain access.
- Provide regular security awareness training for employees that can help them recognize phishing emails and other types of social engineering attacks that are commonly used to spread malware.
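The two detection points this advisory gives a defender are the DLL side-load through Microsoft Word described in the analysis summary and the IOC hunt recommended above. The following is an added example written for this page, not code from the advisory or the researchers; it assumes Sysmon-style JSON events (Event ID 7 image loads, Event ID 22 DNS queries), an assumed allow-list of directories Word is expected to load DLLs from, and a constructed set of sample events.

```python
import json
from typing import Dict, List, Optional

# Domain listed under "Indicators of Compromise" on this page; hashes
# from the same section would go in a sibling set for file-hash matching.
IOC_DOMAINS = {"server.microsoftsvc.com"}

# Assumed allow-list: a DLL loaded by WINWORD.EXE from anywhere else
# (user-writable paths above all) is the side-loading pattern described.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                        "c:\\program files (x86)\\")

# Constructed Sysmon-style events, one JSON object per line. Not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ImageLoaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\wwlib.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ImageLoaded": "C:\\Users\\Public\\Libraries\\version.dll", "Signed": "false"}
{"EventID": 22, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "QueryName": "server.microsoftsvc.com"}
{"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "update.example.com"}
"""

def check_event(event: Dict) -> Optional[str]:
    """Return an alert reason for one event, or None if it looks benign."""
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    if eid == 7 and image.endswith("\\winword.exe"):
        dll = event.get("ImageLoaded", "").lower()
        trusted_dir = dll.startswith(TRUSTED_DLL_PREFIXES)
        signed = str(event.get("Signed", "")).lower() == "true"
        # Word loading an unsigned DLL, or one from outside the allow-list,
        # is the side-load indicator; either condition alone is enough.
        if not trusted_dir or not signed:
            return f"possible DLL side-load by Word: {event['ImageLoaded']}"
    if eid == 22:
        name = event.get("QueryName", "").lower().rstrip(".")
        if name in IOC_DOMAINS:
            return f"DNS query for IOC domain {name} by {event.get('Image')}"
    return None

def scan_events(jsonl: str) -> List[str]:
    """Run check_event over every non-empty JSON line and collect alerts."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            reason = check_event(json.loads(line))
            if reason:
                alerts.append(reason)
    return alerts

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

On the constructed sample this flags the unsigned DLL loaded by Word from a public directory and the DNS query for the listed domain, while the legitimate wwlib.dll load and the unrelated svchost.exe lookup pass.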