Monthly Advisory

June Threat Advisory – Top 5

by Leonardo Maroso • Jun 2022

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of June 2022.

Credit to SecurityHQ team members: Devendra Bendre, Harsh Gajbhiya, Mandeep Sheoran, Geethu Krishna G

New stealthy malware “Symbiote” infecting Linux systems.

Threat Reference: Global

Risks: Malware

Advisory Type: Threats

Priority: Standard

Researchers have discovered a new Linux malware named “Symbiote”. Instead of being a standalone executable, the malware is a shared object (SO) library that is loaded into all running processes via the LD_PRELOAD environment variable, which it hijacks so that it is loaded ahead of every other shared library. This gives an attacker access to the victim’s process memory and to system and network resources, and possibly allows privilege escalation; its rootkit functionality also provides credential harvesting and remote access to the system.

It is also observed that Symbiote uses BPF (Berkeley Packet Filter) to hide its malicious network traffic: it prepends its own bytecode to the packet filter installed by packet-capturing tools, so that the attacker’s packets are filtered out before those tools can see them.
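As an added example (not SecurityHQ’s tooling and not code from the Symbiote research), the script below checks the two places an LD_PRELOAD-style library shows up on a Linux host: the LD_PRELOAD variable in each process’s /proc/<pid>/environ and the system-wide /etc/ld.so.preload file. The trusted-directory list, the sample environment blob and the sample preload file are constructed assumptions for the demonstration.

```python
r"""Flag LD_PRELOAD-style injection on a Linux host.

Added example, not SecurityHQ's tooling. A preloaded shared object is visible
in two places: /etc/ld.so.preload and the LD_PRELOAD variable inside each
process's /proc/<pid>/environ. The sample data at the bottom is constructed.
"""
import os
from pathlib import Path

# Directories a legitimately preloaded library would normally live in.
# Anything outside them is reported for review (assumption for this example).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE blob of /proc/<pid>/environ."""
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def suspicious_preloads(paths) -> list:
    """Return preload paths that live outside the trusted library directories."""
    return [p.strip() for p in paths if p.strip() and not p.strip().startswith(TRUSTED_LIB_DIRS)]


def check_environ(pid: int, blob: bytes) -> list:
    """Findings for one process: (pid, 'LD_PRELOAD', path) per untrusted preload."""
    preload = parse_environ(blob).get("LD_PRELOAD", "")
    # LD_PRELOAD accepts a colon- or space-separated list of shared objects.
    paths = preload.replace(":", " ").split()
    return [(pid, "LD_PRELOAD", p) for p in suspicious_preloads(paths)]


def check_ld_so_preload(text: str) -> list:
    """Findings for /etc/ld.so.preload: one library path per line, '#' comments allowed."""
    lines = [ln.split("#", 1)[0] for ln in text.splitlines()]
    return [(0, "/etc/ld.so.preload", p) for p in suspicious_preloads(lines)]


def scan_host(proc_root="/proc", preload_file="/etc/ld.so.preload") -> list:
    """Live scan: read /etc/ld.so.preload and walk /proc/<pid>/environ for LD_PRELOAD."""
    findings = []
    pf = Path(preload_file)
    if pf.exists():
        findings += check_ld_so_preload(pf.read_text(errors="replace"))
    for entry in os.scandir(proc_root):
        if not entry.name.isdigit():
            continue
        try:
            blob = Path(entry.path, "environ").read_bytes()
        except OSError:
            continue  # process exited, or it belongs to another user and we are not root
        findings += check_environ(int(entry.name), blob)
    return findings


# Constructed sample data for the demonstration (not real Symbiote artifacts).
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libfake.so\0HOME=/root\0"
SAMPLE_LD_SO_PRELOAD = "# system preload list\n/usr/lib/libc_faultinject.so\n/var/tmp/libinject.so\n"

if __name__ == "__main__":
    for finding in check_environ(4242, SAMPLE_ENVIRON) + check_ld_so_preload(SAMPLE_LD_SO_PRELOAD):
        print("sample finding:", finding)
    if os.path.isdir("/proc"):
        for finding in scan_host():
            print("live finding:", finding)
```

Because Symbiote hooks libc calls inside every process it is loaded into, a scanner that is itself preloaded can be shown a cleaned-up view of /proc and the filesystem; run a check like this from a statically linked binary or a rescue boot, and corroborate it with the EDR and network-side checks in the recommendations.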

Recommendation

  • Analyse endpoint solution logs (EDR, AV, email anti-malware) for the presence of IOCs.
  • Update the anti-malware solutions at endpoint and perimeter level to include the IOCs.
  • Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
  • Provide awareness training to your employees/contractors.

New ‘Follina’ Zero-day Vulnerability Variant using Windows URI Protocol Handler ‘search-ms’.

Threat Reference: Global

Risks: Remote Code Execution

Advisory Type: Zero-day exploits

Priority: Elevated

Security researchers have identified another variant of the “Follina” zero-day vulnerability, this one using the Windows ‘search-ms’ URI protocol handler, which lets applications and HTML links launch a customised search on the device. Threat actors can exploit this via phishing campaigns: opening the link automatically launches Windows Search on the recipient’s device, tricking them into launching malware.

Recommendation

Workaround:

To mitigate this vulnerability, admins and users can delete the search-ms protocol handler from the Windows Registry with the following procedure:

  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\search-ms search-ms.reg”
  • Execute the command “reg delete HKEY_CLASSES_ROOT\search-ms /f”
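Added example, not part of the advisory: a small Python detector for search-ms: links in mail bodies or HTML that point Windows Search at a remote location, plus a guarded check for the HKEY_CLASSES_ROOT\search-ms key that the workaround above removes. The crumb=location: parameter is the documented search-ms syntax for the search root; the sample HTML and the 203.0.113.5 address are constructed for the demonstration.

```python
r"""Spot search-ms: links that point Windows Search at a remote location.

Added example, not part of the advisory. Scans text or HTML for the
search-ms: URI scheme and reports the links whose 'crumb=location:' names a
UNC share or URL, the shape a phishing link would need to pull content from
a remote location. Also checks (on Windows only) whether the
HKEY_CLASSES_ROOT\search-ms handler key still exists. Samples are constructed.
"""
import html
import re
import sys
from urllib.parse import unquote

# A search-ms: URI runs until whitespace, a quote, or an angle bracket / paren closes it.
SEARCH_MS_RE = re.compile(r"""search-ms:[^\s"'<>)]+""", re.IGNORECASE)
# 'crumb=location:<path>' sets the root of the search.
LOCATION_RE = re.compile(r"crumb=location:([^&]+)", re.IGNORECASE)


def find_search_ms_uris(text: str) -> list:
    """All search-ms: URIs in the text, HTML-unescaped and percent-decoded."""
    text = html.unescape(text)
    return [unquote(m.group(0)) for m in SEARCH_MS_RE.finditer(text)]


def is_remote_location(uri: str) -> bool:
    """True when the search root is a UNC share or an http(s)/WebDAV URL."""
    m = LOCATION_RE.search(uri)
    if not m:
        return False
    loc = m.group(1).strip().lower()
    return loc.startswith(("\\\\", "//", "http://", "https://"))


def flag_remote_search_links(text: str) -> list:
    """The risky subset: search-ms: URIs whose search root is remote."""
    return [u for u in find_search_ms_uris(text) if is_remote_location(u)]


def search_ms_handler_registered():
    r"""Windows only: True/False if HKCR\search-ms exists; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # stdlib on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "search-ms"):
            return True
    except FileNotFoundError:
        return False


# Constructed sample: one link searching a local folder, one searching a remote share.
SAMPLE_HTML = (
    '<a href="search-ms:query=invoice&crumb=location:C:\\Users\\me\\Documents">local</a>\n'
    '<a href="search-ms:query=report&crumb=location:\\\\203.0.113.5\\share&displayname=Files">remote</a>\n'
)

if __name__ == "__main__":
    for uri in flag_remote_search_links(SAMPLE_HTML):
        print("remote search-ms link:", uri)
    print("search-ms handler registered:", search_ms_handler_registered())
```

Run the handler check after applying the registry workaround to confirm the key is gone; the link detector is meant for mail-gateway or proxy content inspection, where a search-ms: link to a share outside your network is worth quarantining regardless of which vulnerability variant it targets.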

People’s Republic of China state-sponsored threat actors targeting telecommunication and network service providers.

Threat Reference: Global

Risks: Distributed Denial of Service (DDoS), Privilege escalation

Advisory Type: Threats

Priority: Standard

Security researchers discovered People’s Republic of China state-sponsored threat actors conducting widespread campaigns to compromise unpatched network devices by exploiting common vulnerabilities. Successful exploitation lets the threat actors gain access to victim accounts using publicly available exploit code against Virtual Private Networks (VPN) or public-facing applications.

Attack scenario:

Initially, threat actors used open-source, router-specific software frameworks to find vulnerabilities and carry the exploitation further.

After gaining initial access to any telecommunication or network service provider, attackers identified critical users and systems in the network.

Once attackers identified a critical Remote Authentication Dial-In User Service (RADIUS) server, they gained access to underlying Structured Query Language (SQL) database credentials and then dumped the credentials of other users and administrative accounts by using SQL commands.

Attackers used the obtained credentials with custom automated scripts to authenticate to routers via Secure Shell (SSH), execute router commands, and save the output.

Finally, all outputs were exfiltrated off network to the attacker’s infrastructure.
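Added example, not part of the advisory: the chain above ends with automated scripts authenticating to routers over SSH using credentials dumped from the RADIUS server’s database, and the observable side of that is one source logging into many routers as several different accounts within a short window. The detector below looks for that pattern in router SSH authentication logs. The log format, sample lines, addresses and thresholds are constructed assumptions for the demonstration.

```python
"""Flag scripted SSH logins that reuse dumped credentials across many routers.

Added example, not part of the advisory. Detects one source address logging
into several routers as several different accounts within a short window,
the footprint of a credential sweep driven by automation. The log line
format and the sample lines are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <router> sshd: Accepted <method> for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line: str):
    """(timestamp, router, user, source_ip) for a successful login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["ip"])


def find_credential_sweeps(lines, window=timedelta(minutes=10), min_hosts=3, min_users=2):
    """Return {source_ip: (routers, accounts)} for sources that, within `window`,
    logged into at least `min_hosts` routers using at least `min_users` accounts."""
    events = defaultdict(list)  # source ip -> [(ts, router, user)]
    for ln in lines:
        rec = parse_line(ln)
        if rec:
            ts, host, user, ip = rec
            events[ip].append((ts, host, user))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over this source's logins
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {h for _, h, _ in evs[start:end + 1]}
            users = {u for _, _, u in evs[start:end + 1]}
            if len(hosts) >= min_hosts and len(users) >= min_users:
                if ip not in hits or len(hosts) > len(hits[ip][0]):
                    hits[ip] = (sorted(hosts), sorted(users))  # keep the widest window seen
    return hits


# Constructed sample: a 15-second sweep from one address, and normal admin logins hours apart.
SAMPLE_LOG = """\
2022-06-14T02:00:05 edge-rtr-01 sshd: Accepted password for netops from 198.51.100.7
2022-06-14T02:00:09 edge-rtr-02 sshd: Accepted password for netops from 198.51.100.7
2022-06-14T02:00:14 core-rtr-01 sshd: Accepted password for svc_backup from 198.51.100.7
2022-06-14T02:00:20 core-rtr-02 sshd: Accepted password for admin from 198.51.100.7
2022-06-14T09:15:00 edge-rtr-01 sshd: Accepted publickey for netops from 10.20.0.15
2022-06-14T13:40:00 edge-rtr-02 sshd: Accepted publickey for netops from 10.20.0.15
""".splitlines()

if __name__ == "__main__":
    for ip, (hosts, users) in find_credential_sweeps(SAMPLE_LOG).items():
        print(f"credential sweep from {ip}: {len(hosts)} routers, accounts {users}")
```

Tune `window`, `min_hosts` and `min_users` to your change-management baseline (a legitimate automation host will also touch many routers, but usually as one service account from a known address), and pair this with the MFA-on-everything recommendation below, which removes the value of the dumped passwords in the first place.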

Recommendation

  • Keep systems and products updated with latest released patches.
  • Immediately remove or isolate suspected compromised devices from the network.
  • Segment networks to limit or block lateral movement.
  • Disable unused or unnecessary network services, ports, protocols, and devices.
  • Enforce multifactor authentication (MFA) for all users, and on all VPN connections without exception.
  • Perform regular data backup procedures and maintain up-to-date incident response and recovery procedures.

Security Researchers Discovered APT Group Known as “GALLIUM” Using the Difficult-to-detect Trojan PingPull.

Threat Reference: Global

Risks: Trojan

Advisory Type: Threats

Priority: Standard

Security researchers discovered that the APT group GALLIUM, a.k.a. Soft Cell, has been observed targeting telecommunications, government, and finance organizations operating in Southeast Asia, Europe, and Africa.

GALLIUM has been observed using PingPull, a difficult-to-detect remote access trojan. PingPull can use ICMP, HTTP(S) and raw TCP for command and control, and can use ICMP tunnelling to make its command-and-control communication harder to detect.

Recommendation

  • Deploy Endpoint Detection & Response (EDR) tools to detect latest malware and suspicious activities on endpoints.
  • Update the anti-malware solutions at endpoint and perimeter level to include the IOCs.
  • Analyse endpoint solution logs (EDR, AV, email anti-malware) for the presence of IOCs.
  • Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
  • Provide phishing awareness training to your employees/contractors.

A China-linked APT Group Known as Aoqin Dragon Discovered Spying on Organizations.

Threat Reference: Global

Risks: Malware, DLL Hijacking

Advisory Type: Threats

Priority: Standard

Security researchers discovered a newly identified China-linked APT group that has been spying on organizations for the last 10 years and has been observed targeting government, education, and telecommunication organizations.

Aoqin Dragon mostly targets organizations through document exploits, and uses techniques such as DLL hijacking, Themida-packed files, and DNS tunnelling to evade post-compromise detection.
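Added example serving both this advisory and the GALLIUM/PingPull one above, and not code from SecurityHQ or from either research report: both groups hide command and control inside a protocol that normally carries little information, PingPull in ICMP echo payloads and Aoqin Dragon in DNS names. A stock ping carries a small, fixed, low-entropy payload and a normal hostname is short and pronounceable, so a tunnel shows up as high-entropy, variable-size content between the same endpoints. The scoring functions below apply that idea to parsed ICMP records and DNS query names; the records, domains, addresses and thresholds are constructed for the demonstration.

```python
"""Score ICMP echo payloads and DNS query names for covert-channel use.

Added example, not from the advisory or any vendor. Covers both tunnelling
techniques in the report: ICMP command-and-control (PingPull) and DNS
tunnelling (Aoqin Dragon). All sample records and thresholds are constructed.
"""
import math
import random
from collections import Counter, defaultdict


def shannon_entropy(data) -> float:
    """Bits per symbol over a bytes object or string (0.0 when empty)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score_icmp_pairs(records, min_packets=8, entropy_threshold=6.5, size_threshold=64):
    """records: (src, dst, icmp_type, payload). Returns the (src, dst) pairs whose
    echo-request payloads are high-entropy, or both variable in size and large."""
    pairs = defaultdict(list)
    for src, dst, icmp_type, payload in records:
        if icmp_type == 8:  # echo request
            pairs[(src, dst)].append(payload)
    suspects = {}
    for key, payloads in pairs.items():
        if len(payloads) < min_packets:
            continue
        sizes = [len(p) for p in payloads]
        mean_size = sum(sizes) / len(sizes)
        mean_entropy = sum(shannon_entropy(p) for p in payloads) / len(payloads)
        if mean_entropy > entropy_threshold or (len(set(sizes)) > 1 and mean_size > size_threshold):
            suspects[key] = {"packets": len(payloads), "mean_size": round(mean_size, 1),
                             "mean_entropy": round(mean_entropy, 2)}
    return suspects


def score_dns_domains(qnames, min_unique=10, label_threshold=20, entropy_threshold=3.0):
    """qnames: queried names. Groups by the last two labels (assumed here to be the
    registered domain) and flags domains with many unique, long, high-entropy
    subdomain prefixes, which is what data encoded into hostnames looks like."""
    by_domain = defaultdict(set)
    for name in qnames:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) > 2:
            by_domain[".".join(labels[-2:])].add(".".join(labels[:-2]))
    suspects = {}
    for domain, prefixes in by_domain.items():
        if len(prefixes) < min_unique:
            continue
        longest = max(len(lab) for p in prefixes for lab in p.split("."))
        mean_entropy = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / len(prefixes)
        if longest > label_threshold and mean_entropy > entropy_threshold:
            suspects[domain] = {"unique_prefixes": len(prefixes), "longest_label": longest,
                                "mean_entropy": round(mean_entropy, 2)}
    return suspects


# Constructed samples; the fixed seed keeps them deterministic across runs.
_rng = random.Random(2022)
NORMAL_PING = bytes(range(0x10, 0x48))  # 56-byte incrementing pattern, like a stock ping
SAMPLE_ICMP = (
    [("10.0.0.5", "10.0.0.1", 8, NORMAL_PING) for _ in range(10)]
    + [("10.0.0.9", "198.51.100.20", 8,
        bytes(_rng.getrandbits(8) for _ in range(_rng.randint(120, 900)))) for _ in range(10)]
)
_HEX = "0123456789abcdef"
SAMPLE_DNS = (
    ["www.example.com", "mail.example.com", "www.example.com"] * 5
    + ["".join(_rng.choice(_HEX) for _ in range(48)) + ".t.example.net" for _ in range(15)]
)

if __name__ == "__main__":
    print("ICMP suspects:", score_icmp_pairs(SAMPLE_ICMP))
    print("DNS suspects:", score_dns_domains(SAMPLE_DNS))
```

In production these scores belong on flow or DNS telemetry aggregated per endpoint pair over hours, not on single packets: a tunnel is a long-lived conversation, and the persistence is as telling as the entropy. Grouping on the last two labels is a simplification; use the public suffix list to find the registered domain when scoring real resolver logs.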

Recommendation

  • Deploy Endpoint Detection & Response (EDR) tools to detect latest malware and suspicious activities on endpoints.
  • Update the anti-malware solutions at endpoint and perimeter level to include the IOCs.
  • Analyse endpoint solution logs (EDR, AV, email anti-malware) for the presence of IOCs.
  • Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
  • Provide phishing awareness training to your employees/contractors.

Having conducted incident response investigations across a wide range of industries, SecurityHQ are best placed to work with businesses large and small, and across numerous technical environments to reduce the impact of a cyber security incident. For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.