Chinese Hacker Group ‘Flea’ Targets American Ministries with Graphican Backdoor
Foreign affairs ministries in the Americas have been targeted by a Chinese state-sponsored actor named Flea as part of a recent campaign that spanned from late 2022 to early 2023.
The cyber attacks, per Broadcom’s Symantec, involved a new backdoor codenamed Graphican. Some of the other targets included a government finance department and a corporation that markets products in the Americas as […]
The Hacker News | #1 Trusted Cybersecurity News Site
Python-based WIREFIRE web shell Attacking Ivanti Connect Secure (ICS) VPN appliances
QuoIntelligence’s research team recently identified a previously unreported variant of the WIREFIRE web shell, a Python-based implant deployed on compromised Ivanti Connect Secure (ICS) VPN appliances.
The variant shows how the actor relocates the implant to evade detection that keys on a known file path and to prolong its access.
The background: in December 2023, security researchers identified a global attack campaign exploiting zero-day vulnerabilities in Ivanti Connect Secure VPN appliances.
The campaign, attributed to the threat group UNC5221, deployed web shells on both internal- and external-facing web applications of the appliances, giving the attackers unauthorized access and control.
The Familiar Foe with a New Disguise: The WIREFIRE Variant
While investigating this campaign, QuoIntelligence researchers found a previously unreported variant of the WIREFIRE web shell.
Whereas the known sample resides in the “/api/resources/visits.py” file, the variant was placed in “/api/resources/category.py”, a change of location that sidesteps detections tied to the original file path.
Under the Hood: Dissecting the Variant’s Capabilities
Although it differs in detail, the variant retains the core functionality of its predecessor.
It intercepts POST requests carrying encrypted payloads, decrypts them and executes the result directly in memory, so the payload itself is never written to the file system.
It introduces two noteworthy modifications:
Cookie-based payload delivery: the variant receives the encrypted payload in a cookie rather than through the GIF-based method used by the original.
Persistent execution through exec(): an added code path built around exec() lets code executed by one POST request remain available to subsequent POST requests, which the researchers note could be used to persist data between requests.
The variant also exposed a limitation of the existing detection.
Mandiant’s published YARA rule for WIREFIRE did not fire on the variant because it was tied to the original file’s location.
This shows why the actor drops modified copies under different paths: any detection that keys on a specific file path is defeated by a simple relocation.
David Miller, Security Advocate: “This incident underscores the importance of patching vulnerabilities promptly.
The exploited zero-day vulnerabilities were patched in February 2024, but attackers are still exploiting unpatched systems. Organizations need to prioritize vulnerability management.”
Responding to the Threat: A New YARA Rule Emerges
To close this gap, QuoIntelligence researchers wrote an interim YARA rule with broader scope.
Rather than keying on one file, the rule matches traits shared by the web shells under the “/api/resources/” directory, so it identifies both the original and the variant.
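The same path-agnostic idea can be expressed as a small scanner. The block below is an added example written for this page; it is not QuoIntelligence’s YARA rule (which is not reproduced here) and not Mandiant’s signature. It walks a directory tree and flags any .py file, whatever its name, that combines the three traits described above: input taken from the request (a cookie or the POST body), a decode or decrypt step, and dynamic execution of the result via exec() or eval(). The two sample files are constructed, inert text with only the shape of a handler (the decrypt() call inside the suspicious sample is hypothetical); the demo lays them out as api/resources/visits.py, api/resources/category.py and a benign api/resources/stats.py in a temporary directory.

```python
"""Path-agnostic detector for WIREFIRE-style Python web shells.

Added example for this page, not QuoIntelligence's rule or Mandiant's
signature. Instead of keying on a file name such as visits.py, it flags any
.py file under a tree that combines three traits: input taken from the
request (cookie or POST body), a decode/decrypt step, and dynamic execution
of the result with exec()/eval().
"""
import re
import tempfile
from pathlib import Path

# Each group is a regex over raw source text. A file is flagged only when
# every group matches; one hit alone (e.g. a legitimate b64decode) is not enough.
INDICATORS = {
    "request_input": re.compile(
        r"\b(cookies|HTTP_COOKIE|request\.(data|body|form|get_json|stream))\b"),
    "decode_or_decrypt": re.compile(
        r"\b(b64decode|AES|decrypt|unhexlify|zlib\.decompress)\b"),
    "dynamic_exec": re.compile(r"\b(exec|eval)\s*\("),
}


def indicator_groups(source: str) -> set:
    """Return the names of the indicator groups present in one file's text."""
    return {name for name, rx in INDICATORS.items() if rx.search(source)}


def is_webshell_like(source: str) -> bool:
    """True when all indicator groups co-occur in the same file."""
    return indicator_groups(source) == set(INDICATORS)


def scan_tree(root) -> dict:
    """Recursively scan root for .py files; map flagged paths to matched groups.

    The file name is deliberately not consulted, so a copy relocated from
    visits.py to category.py (or anywhere else) is still reported.
    """
    root = Path(root)
    flagged = {}
    for path in root.rglob("*.py"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        groups = indicator_groups(text)
        if groups == set(INDICATORS):
            flagged[path.relative_to(root).as_posix()] = sorted(groups)
    return flagged


# Constructed samples (not real implant code): an inert handler with the shape
# described in the article, and a benign handler for contrast.
SUSPICIOUS_SAMPLE = '''
import base64
from flask import request

def handler():
    blob = request.cookies.get("session_ext", "")
    code = decrypt(base64.b64decode(blob))   # decrypt() is hypothetical
    exec(code, globals())
    return ""
'''

BENIGN_SAMPLE = '''
from flask import jsonify

def handler():
    return jsonify(categories=["a", "b"])
'''


def demo_scan() -> dict:
    """Lay out a fake api/resources/ tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        res = Path(tmp) / "api" / "resources"
        res.mkdir(parents=True)
        (res / "visits.py").write_text(SUSPICIOUS_SAMPLE)    # original location
        (res / "category.py").write_text(SUSPICIOUS_SAMPLE)  # relocated copy
        (res / "stats.py").write_text(BENIGN_SAMPLE)         # benign neighbour
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, groups in sorted(demo_scan().items()):
        print(f"FLAGGED {path}: {', '.join(groups)}")
```

Point scan_tree() at a copy of the appliance’s web application tree taken during forensic collection, not at the live device. The regexes are coarse by design: requiring all three groups in one file keeps false positives low, but a reviewer should still read every flagged file, and an implant that splits the three steps across modules would need a per-package rather than per-file check.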
The WIREFIRE variant is a reminder that implants are modified continuously and that detections must be maintained to keep pace.
Organizations running Ivanti Connect Secure VPN appliances are urged to:
Implement the new YARA rule to enhance detection capabilities.
Regularly update systems and patch vulnerabilities.
Employ robust security solutions and threat intelligence feeds.
Maintain heightened awareness of evolving cyber threats.
Malicious web redirect scripts stealth up to hide on hacked sites
Security researchers looking at more than 10,000 scripts used by the Parrot traffic direction system (TDS) noticed an evolution marked by optimizations that make malicious code stealthier against security mechanisms. […]
Cisco has released security fixes to address multiple security flaws, including a critical bug, that could be exploited by a threat actor to take control of an affected system or cause a denial-of-service (DoS) condition.
The most severe of the issues is CVE-2023-20238, which has the maximum CVSS severity rating of 10.0. It’s described as an authentication bypass flaw in the Cisco BroadWorks […]