Vercara’s Open-Source Intelligence (OSINT) Report – November 22 – November 28, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

APT-K-47 uses Hajj-themed lures to deliver advanced Asyncshell malware. 

(TLP: CLEAR) The article from The Hacker News reports that the APT-K-47, a hacker group with ties to North Korea, has been using Hajj-themed lures in a new cyber-attack campaign. The group is exploiting the religious significance of the Hajj pilgrimage, a major event for Muslims, to craft phishing emails that encourage recipients to click on malicious links or download infected attachments. The attack is aimed at compromising the systems of organizations and individuals involved in Hajj-related logistics and administration. 

(TLP: CLEAR) Comments: APT-K-47’s tactics include crafting messages that appear to be related to Hajj travel information, such as flight bookings and visa details, to trick recipients into downloading malware. This is part of a broader trend of cyber espionage groups leveraging timely and culturally relevant events as part of their social engineering tactics. The campaign emphasizes the ongoing threat from APT groups using geopolitical or cultural themes to bypass security measures and gain access to sensitive systems. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports two modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller, or via an endpoint client that captures and forwards DNS queries to UltraDDR’s servers.
Source: https://thehackernews.com/2024/11/apt-k-47-uses-hajj-themed-lures-to.html   

PyPI Python library “aiocpa” found exfiltrating crypto keys via Telegram bot.

(TLP: CLEAR) A malicious Python library named “aiocpa” was discovered on PyPI (Python Package Index). This library contained a backdoor that could potentially allow attackers to compromise systems using it. The package was designed to appear as a legitimate library for asynchronous programming in Python, but it contained code that could steal sensitive information, such as environment variables and credentials, from developers’ systems. The malicious code was specifically crafted to execute certain commands on infected machines, exfiltrating data and making the system vulnerable to further exploitation.  

(TLP: CLEAR) Comments: The discovery of the “aiocpa” library highlights the ongoing risks associated with third-party packages in open-source ecosystems like PyPI, where malicious actors can upload seemingly harmless libraries to compromise users. As a result of the discovery, the library was removed from PyPI, and developers were advised to carefully audit any third-party libraries they use, especially those not widely recognized or reviewed. 

(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION

Control:

  • Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
  • Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
  • Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection.
  • Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”

NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters DNS responses for both users and machines. It uses defined categories, including botnet Command and Control (C2), together with machine learning that detects previously uncategorized malicious associations, to help prevent data exfiltration or malware detonation.
Source: https://thehackernews.com/2024/11/pypi-python-library-aiocpa-found.html   

Russian script kiddie assembles massive DDoS botnet. 

(TLP: CLEAR) The Dark Reading article discusses how a Russian script kiddie (a hacker with limited skills who uses pre-written scripts or tools) has managed to assemble a massive Distributed Denial-of-Service (DDoS) botnet. This botnet is being used to launch powerful DDoS attacks, which flood targeted websites with traffic to disrupt services. The hacker leveraged existing malware and tools to infect vulnerable devices and create a network of bots capable of launching high-volume attacks. 

(TLP: CLEAR) Comments: The botnet is reportedly made up of thousands of compromised machines, including IoT devices, making it highly effective and difficult to defend against. Experts believe that the hacker’s ability to build such a large botnet signals a growing threat of “script kiddies” being able to execute sophisticated cyberattacks, which were previously reserved for more experienced attackers. 

The article highlights the risks associated with the increasing use of IoT devices and other poorly secured technology, which are often targeted for creating botnets. The attacks have raised concerns about the effectiveness of current cybersecurity practices and the potential for more widespread and damaging DDoS campaigns in the future. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Source address spoofing is often combined with reflection and amplification from poorly administered open internet servers (e.g., DNS, NTP) to multiply the attack traffic volume by a factor of 50 or more. The attacker may use a single high-capacity computer with a high bandwidth internet connection or a botnet consisting of many compromised devices to send query requests to high-performance internet servers. The attacking systems employ source address spoofing, which inserts the IP address of the target as the source address in the requests. For internet services that use the User Datagram Protocol (UDP) (e.g., DNS, NTP), the query and response are each contained in a single packet, and the exchange does not require the establishment of a connection between the source and the server (unlike Transmission Control Protocol (TCP)). The responses from such open internet servers are directed to the attack target since the target’s IP address was forged as the source address field of the request messages. Often, the response from the server to the target address is much larger than the query itself, amplifying the effect of the DoS attack. Such reflection and amplification attacks can result in massive DDoS with attack volumes in the range of hundreds of Gbps.” 
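The reflection pattern SP 800-189 describes leaves a tell on the victim's side: the reflected responses have no matching outbound query, because the query carried the victim's spoofed address and was sent by the attacker. The following is an added example, not code from the report or from NIST, that applies that check to constructed NetFlow-style records; the protected host 10.0.0.5, the resolver 10.0.0.2, the 198.51.100.x reflectors, and the (src, sport, dst, dport, proto, bytes) tuple layout are all assumptions.

```python
from collections import defaultdict

# UDP services SP 800-189 names as common reflectors, keyed by server port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

# Constructed flow records as (src_ip, src_port, dst_ip, dst_port, proto, bytes), roughly what a
# NetFlow/IPFIX collector exports. 10.0.0.5 is the protected host (assumed), 10.0.0.2 its own
# resolver, and the 198.51.100.x addresses stand in for open servers abused as reflectors.
FLOWS = [
    ("10.0.0.5", 40001, "10.0.0.2", 53, "udp", 70),          # host sends a DNS query ...
    ("10.0.0.2", 53, "10.0.0.5", 40001, "udp", 150),         # ... and gets a modest reply back
    ("198.51.100.10", 53, "10.0.0.5", 41000, "udp", 3500),   # large DNS reply to a query it never sent
    ("198.51.100.11", 53, "10.0.0.5", 41000, "udp", 3400),
    ("198.51.100.12", 53, "10.0.0.5", 41000, "udp", 3300),
    ("198.51.100.20", 123, "10.0.0.5", 123, "udp", 4400),    # large unsolicited NTP replies
    ("198.51.100.21", 123, "10.0.0.5", 123, "udp", 4400),
    ("10.0.0.5", 50000, "203.0.113.9", 443, "tcp", 900),     # unrelated TCP flow, ignored
]

def detect_reflection(flows, target, min_reflectors=3):
    """Per service, count reflectors sending the target UDP replies it never asked for.

    A reply is solicited only if the target itself sent a UDP packet to the same server and
    service port. In a reflection attack the query carried the target's spoofed address, so
    the target never sent it and the reply arrives unmatched. Services below the reflector
    threshold are dropped from the result.
    """
    queried = set()
    for src, _sport, dst, dport, proto, _nbytes in flows:
        if src == target and proto == "udp" and dport in REFLECTOR_PORTS:
            queried.add((dst, dport))
    unsolicited = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for src, sport, dst, _dport, proto, nbytes in flows:
        if dst != target or proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if (src, sport) in queried:
            continue  # ordinary reply to the host's own query
        entry = unsolicited[REFLECTOR_PORTS[sport]]
        entry["reflectors"].add(src)
        entry["bytes"] += nbytes
    return {svc: {"reflectors": len(e["reflectors"]), "bytes": e["bytes"]}
            for svc, e in unsolicited.items() if len(e["reflectors"]) >= min_reflectors}

if __name__ == "__main__":
    for svc, stats in detect_reflection(FLOWS, "10.0.0.5").items():
        print(f"{svc}: {stats['reflectors']} unsolicited reflectors, {stats['bytes']} bytes")
```

With the default threshold only the DNS flood is reported; lowering min_reflectors to 2 also surfaces the two NTP sources.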

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API triggering. The result is an incredibly fast response against DDoS trouble when you need it most. 
Source: https://www.darkreading.com/cyberattacks-data-breaches/russian-script-kiddie-assembles-massive-ddos-botnet   

Hackers exploit ProjectSend flaw to backdoor exposed servers. 

(TLP: CLEAR) Hackers are actively exploiting a vulnerability in the ProjectSend software to backdoor servers exposed to the internet. ProjectSend is an open-source file sharing application, and the flaw (CVE-2024-4129) allows attackers to gain unauthorized access to the server, potentially leading to remote code execution. The flaw stems from improper input validation in the software, enabling attackers to inject malicious code through specially crafted requests. Once the vulnerability is exploited, the attackers can install a backdoor, allowing them to execute commands on the compromised server, steal sensitive data, or use it for further attacks. 

(TLP: CLEAR) Comments: The flaw is particularly dangerous because many ProjectSend servers are exposed to the internet, making them attractive targets for hackers. Organizations using the software are urged to update to the latest version to mitigate the risk and avoid potential breaches. The article also emphasizes the broader risk of vulnerabilities in widely used open-source applications and the importance of regular patching and security audits to protect systems from exploitation. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “Application firewalls can enable the identification of unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command that was not preceded by another command on which it is dependent. These suspicious commands often originate from buffer overflow attacks, DoS attacks, malware, and other forms of attack carried out within application protocols such as HTTP. Another common feature is input validation for individual commands, such as minimum and maximum lengths for arguments. For example, a username argument with a length of 1000 characters is suspicious—even more so if it contains binary data.” 
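The three heuristics SP 800-41 lists for application firewalls (argument length bounds, binary data in arguments, and commands issued out of sequence or repeated) can be expressed as a small per-session inspector. This is an added example, not code from the report, NIST or any Vercara product; the argument limits, the login/download/upload/list command set and the session it inspects are constructed.

```python
import re

# Argument length bounds an application firewall policy might carry (constructed values).
ARG_LIMITS = {"username": (1, 64), "password": (8, 128), "filename": (1, 255)}
# Anything outside printable ASCII plus tab/CR/LF counts as binary data in an argument.
BINARY = re.compile(r"[^\x09\x0a\x0d\x20-\x7e]")
# Commands that depend on an earlier command in the same session (constructed protocol).
REQUIRES = {"download": "login", "upload": "login"}

def inspect_command(cmd, args, history, max_repeat=5):
    """Check one application-layer command against the heuristics SP 800-41 lists.
    history is the ordered list of commands already seen in the session; an empty
    result means the command passed."""
    findings = []
    for name, value in args.items():
        lo, hi = ARG_LIMITS.get(name, (0, 4096))
        if not lo <= len(value) <= hi:
            findings.append(f"{name}: length {len(value)} outside [{lo}, {hi}]")
        if BINARY.search(value):
            findings.append(f"{name}: contains binary data")
    needed = REQUIRES.get(cmd)
    if needed is not None and needed not in history:
        findings.append(f"{cmd} issued without a preceding {needed}")
    if len(history) >= max_repeat and all(h == cmd for h in history[-max_repeat:]):
        findings.append(f"{cmd} repeated more than {max_repeat} times in a row")
    return findings

def inspect_session(commands, **kw):
    """Run inspect_command over a whole session; returns {command_index: findings}."""
    history, report = [], {}
    for i, (cmd, args) in enumerate(commands):
        findings = inspect_command(cmd, args, history, **kw)
        if findings:
            report[i] = findings
        history.append(cmd)
    return report

# Constructed session: a download before any login, a normal login, the 1000-character
# binary username from the SP 800-41 example, then one command hammered six times.
SESSION = [
    ("download", {"filename": "report.pdf"}),
    ("login", {"username": "alice", "password": "correct horse"}),
    ("login", {"username": "A" * 999 + "\x00", "password": "x" * 8}),
] + [("list", {})] * 6

if __name__ == "__main__":
    for idx, found in inspect_session(SESSION).items():
        print(f"command #{idx} ({SESSION[idx][0]}): {'; '.join(found)}")
```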

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats. 
Source: https://www.bleepingcomputer.com/news/security/hackers-exploit-projectsend-flaw-to-backdoor-exposed-servers/  

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
