
    Date: 03/15/2023

    KamiKakaBot Malware Active in Southeast Asia

    Overview

    A group known as Dark Pink (also called Saaiwc), tracked as an advanced persistent threat (APT), has been targeting companies in Southeast Asia using malicious software called KamiKakaBot. This malware enables arbitrary command execution and provides significant data exfiltration capabilities.

    Potential Impact

    Dark Pink typically uses social engineering to trick targets into downloading ISO image files that contain malicious executables. Once an image is mounted, the group uses multiple malware-laden Microsoft Windows documents to infect the victim's machine. One of the payloads serves as a dropper, which uses DLL side-loading to bypass typical security protections and installs KamiKakaBot. Once installed, KamiKakaBot searches for data stored in web browsers, documents, and keylogged user activity. It then uses Command Prompt (cmd.exe) to exfiltrate this data in various obscure ways. In addition, KamiKakaBot has several persistence methods, such as modifying critical Windows Registry keys.
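    The behaviours described above (an Office document spawning cmd.exe, a DLL side-loaded from a user-writable directory, and a Registry autostart modification) map directly onto endpoint telemetry. The following is an added example, not code from the briefing or from any vendor tool: it runs three simple rules over a handful of constructed events shaped like process-creation, image-load and registry-set telemetry, then correlates hits per process image. The path patterns and Registry keys it treats as suspicious are assumptions for illustration, not indicators from the briefing.

```python
"""Added example: detection logic for the KamiKakaBot behaviours described above.

The events below are constructed for illustration; they mimic the shape of
endpoint process-creation, image-load and registry-set telemetry but are not
real logs. Which paths count as user-writable and which keys count as
autostart locations are assumptions, not indicators from the briefing.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe"}

# Directories an ordinary user can write to; an executable loading a DLL
# from here is the classic DLL side-loading shape (assumed pattern).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|programdata|windows\\temp)\\", re.I)

# Autostart locations commonly abused for persistence (assumed set).
AUTOSTART_KEYS = re.compile(
    r"\\currentversion\\(run|runonce)(\\|$)|\\winlogon\\(shell|userinit)$", re.I)

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"id": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 3, "type": "image_load",
     "image": r"C:\Users\alice\AppData\Local\Temp\vendor\Updater.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\vendor\version.dll"},
    {"id": 4, "type": "image_load", "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll"},
    {"id": 5, "type": "registry_set",
     "image": r"C:\Users\alice\AppData\Local\Temp\vendor\Updater.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_shell(ev):
    """Malicious document behaviour: an Office process launching a shell/LOLBin."""
    return (ev["type"] == "process"
            and basename(ev["parent"]) in OFFICE_APPS
            and basename(ev["image"]) in SHELLS)


def dll_from_user_writable(ev):
    """DLL side-loading heuristic: a DLL loaded from a user-writable directory."""
    return (ev["type"] == "image_load"
            and ev["loaded"].lower().endswith(".dll")
            and USER_WRITABLE.search(ev["loaded"]) is not None)


def autostart_write(ev):
    """Persistence heuristic: a write to a Run/RunOnce or Winlogon autostart key."""
    return (ev["type"] == "registry_set"
            and AUTOSTART_KEYS.search(ev["target"]) is not None)


RULES = [
    ("office_spawns_shell", office_spawns_shell),
    ("dll_from_user_writable", dll_from_user_writable),
    ("autostart_write", autostart_write),
]


def detect(events):
    """Return (event id, rule name) pairs for every event that trips a rule."""
    return [(ev["id"], name) for ev in events for name, rule in RULES if rule(ev)]


def processes_of_concern(events):
    """Images that tripped more than one distinct rule: triage these first."""
    by_image = {}
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                by_image.setdefault(ev["image"], set()).add(name)
    return sorted(img for img, names in by_image.items() if len(names) > 1)


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("correlated:", processes_of_concern(SAMPLE_EVENTS))
```

    Each rule on its own is noisy (legitimate installers also load DLLs from user-writable paths and write Run keys), which is why the correlation step matters: the same image tripping the side-loading and the persistence rule is a much stronger signal than either alone, and is the kind of chain an EDR platform should surface rather than a single event.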

    Recommended Actions

    While the current attacks are confined to Southeast Asia, malware as potent as KamiKakaBot is often traded among APT groups and can spread rapidly across the globe. Organizations must focus on disrupting the cyber kill chain to combat these attacks. Disruption can be accomplished through a series of measures.

    First, companies should provide employees with regular and advanced security awareness training to help them recognize and avoid social engineering attacks. Second, organizations should employ robust endpoint detection and response (EDR) tools to prevent endpoint compromise. Finally, network detection and response (NDR) tools can be used to identify malicious network traffic and potential exfiltration activity.


      New Critical Vulnerability in FortiOS and FortiProxy

      Overview

      Among the 15 vulnerabilities Fortinet addressed recently is a critical one, CVE-2023-25610 (CVSS 9.3), affecting FortiOS and FortiProxy, which could allow an attacker to compromise affected devices. CVE-2023-25610 is a buffer underwrite vulnerability in the administrative interfaces.

      Potential Impact

      An unauthenticated, remote attacker could potentially execute arbitrary code and/or perform a DoS on the GUI via specially crafted requests. The underlying memory corruption could be weaponized to execute code. Attackers could potentially use this vulnerability for initial access and as a foothold for lateral movement and malware deployment. There is not yet evidence of exploitation in the wild, though this may change quickly.

      Recommended Actions

      Fixes are available in FortiOS versions 6.2.13, 6.4.12, 7.0.10, 7.2.4, and 7.4.0; FortiOS-6K7K versions 6.2.13, 6.4.12, and 7.0.10; and FortiProxy versions 2.0.12, 7.0.9, and 7.0.9. As a workaround, administrators should disable the administrative HTTP/HTTPS interface or limit which IP addresses are allowed to reach it. It is also recommended to perform regular vulnerability assessments (internal and external) to ensure vulnerabilities are being addressed efficiently.
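      Checking an inventory against a fix list like the one above is where vulnerability assessments often go wrong, because version strings compare badly as text ("7.0.9" sorts after "7.0.10"). The following is an added example, not a Fortinet tool or part of the briefing: it compares versions numerically, per release branch, using only the fix versions the briefing lists (for FortiProxy that is 2.0.12 and 7.0.9), and reports any branch the list does not cover as "unlisted" rather than guessing. The device inventory is constructed sample data.

```python
"""Added example: branch-aware triage against the fix list in the briefing above.

FIXED_VERSIONS is transcribed from the briefing text. The comparison is
numeric per component, so 7.0.9 correctly sorts below 7.0.10; a plain
string comparison would get this backwards and mark a vulnerable device
as fixed.
"""

# product -> {release branch: first fixed version}, as listed in the briefing
FIXED_VERSIONS = {
    "FortiOS": {"6.2": (6, 2, 13), "6.4": (6, 4, 12), "7.0": (7, 0, 10),
                "7.2": (7, 2, 4), "7.4": (7, 4, 0)},
    "FortiOS-6K7K": {"6.2": (6, 2, 13), "6.4": (6, 4, 12), "7.0": (7, 0, 10)},
    "FortiProxy": {"2.0": (2, 0, 12), "7.0": (7, 0, 9)},
}

INVENTORY = [  # constructed sample devices, not real data
    ("fw-edge-01", "FortiOS", "7.0.9"),
    ("fw-edge-02", "FortiOS", "7.0.10"),
    ("fw-dc-01", "FortiOS", "7.2.3"),
    ("fw-dc-02", "FortiOS", "v7.4.1"),
    ("proxy-01", "FortiProxy", "7.0.9"),
    ("proxy-02", "FortiProxy", "7.2.1"),
]


def parse_version(text):
    """Turn 'v7.0.10' or '7.0.10' into the tuple (7, 0, 10); reject anything else."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage(product, version_text):
    """Return 'fixed', 'vulnerable' or 'unlisted' for one device.

    'unlisted' means the device's release branch has no fix version in the
    briefing's list; such devices need the vendor advisory, not a guess.
    """
    branches = FIXED_VERSIONS.get(product)
    if branches is None:
        raise ValueError(f"unknown product: {product!r}")
    ver = parse_version(version_text)
    first_fixed = branches.get(f"{ver[0]}.{ver[1]}")
    if first_fixed is None:
        return "unlisted"
    return "fixed" if ver >= first_fixed else "vulnerable"


def triage_inventory(inventory):
    """Map device name -> triage result for a list of (name, product, version)."""
    return {name: triage(product, ver) for name, product, ver in inventory}


def needs_action(inventory):
    """Devices that must be patched or have admin access restricted now."""
    results = triage_inventory(inventory)
    return sorted(name for name, state in results.items() if state != "fixed")


if __name__ == "__main__":
    for name, state in triage_inventory(INVENTORY).items():
        print(f"{name:12} {state}")
    print("needs action:", needs_action(INVENTORY))
```

      Devices reported as "vulnerable" or "unlisted" are exactly the ones on which the workaround above (disabling the HTTP/HTTPS administrative interface or restricting the source addresses that can reach it) should be applied until they can be upgraded.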

      Sources

      https://thehackernews.com/2023/03/new-critical-flaw-in-fortios-and.html

      https://www.fortiguard.com/psirt/FG-IR-23-001

      Critical VMware Vulnerability Being Exploited

      Overview

      CISA has added CVE-2021-39144 to its catalog of known exploited vulnerabilities. CVE-2021-39144 (CVSS 9.8) is an input serialization flaw in the XStream open-source library used by various VMware products. An unauthenticated attacker can exploit it with low attack complexity.

      Potential Impact

      Attackers exploiting this vulnerability can execute code remotely in the context of the root user on VMware Cloud Foundation (NSX-V) appliances. This could be one step in a larger attack chain aimed at encrypting systems or exfiltrating data.

      Recommended Actions

      Security updates to address CVE-2021-39144 are available, including for some end-of-life products. There is a workaround available here: https://kb.vmware.com/s/article/89809. VMware-related vulnerabilities are often targeted, and an effective vulnerability management process is needed to mitigate risk. Internal and external vulnerability assessments are necessary for identifying unpatched critical vulnerabilities.

      Sources

      https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-vmware-rce-flaw-exploited-in-attacks/

      https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-cloud-foundation-remote-code-execution-bug/

      https://kb.vmware.com/s/article/89809

      Blackbaud Agrees to Pay $3 Million Fine in Relation to 2020 Breach

      Overview

      Blackbaud has agreed to pay a $3 million fine as part of an agreement to settle charges filed by the Securities and Exchange Commission (SEC) for failing to “disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous.”

      The SEC press release related to the matter describes the scenario in which Blackbaud suffered a ransomware attack in May 2020 and made public statements asserting that the “ransomware attacker did not access donor bank account information or social security numbers.” The press release goes on to say that the company learned within days of this public statement that attackers did indeed “exfiltrate this sensitive information.”

      The SEC charged Blackbaud with failing “to maintain disclosure controls and procedures.” Blackbaud agreed to pay a $3 million penalty to settle the SEC charges without confirming or denying their accuracy.

      Potential Impact

      For donors whose information was exposed in this attack, the impact is a greater risk of identity theft. Institutions using Blackbaud at the time of the breach face reputational damage.

      Recommended Actions

      Use Blackbaud’s experience as a lesson in incident response handling. A well-crafted incident response plan includes guidance on communication plans and incorporates close coordination with legal counsel. Following such a plan helps ensure that disclosure controls and procedures are maintained.

      Sources

      https://www.sec.gov/news/press-release/2023-48

      USB Drive Malware Attacks on the Rise

      Overview

      The article referenced below from Recorded Future details a trend of USB drive-based malware infections in Africa and Southeast Asia. It brings to mind several warnings from the FBI and CISA in the past year involving the use of USB drives by threat actor groups. As organizations' technical controls improve, threat actors have been recycling old tactics such as sending malware-laden USB drives to personnel as “free gifts” or other such enticements to get staff to plug the drives in.

      Potential Impact

      The impact of USB-based malware is network compromise, often leading to exfiltration and ransomware.

      Recommended Actions

      Ensure that your organization’s information security program incorporates technical controls over USB devices, as well as user training, so that rogue or malicious devices do not get plugged into workstations.

      Sources

      https://therecord.media/hackers-using-USB-sticks?category=&sort=articles_date_desc

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.
