May 21, 2025Ravie LakshmananCyber Espionage / Vulnerability Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022. The activity has been assessed to be orchestrated by APT28 (aka BlueDelta, Fancy Bear, or Forest Blizzard), which is linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, Military Unit 26165. Targets of the campaign include companies involved in the coordination, transport, and delivery of foreign assistance to Ukraine, according to a joint advisory released by agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States. "This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors' wide scale targeting of IP cameras in Ukraine and bordering NATO nations," the bulletin said. The alert comes weeks after France's foreign ministry accused APT28 of mounting cyber attacks on a dozen entities including ministries, defense firms, research entities, and think tanks since 2021 in an attempt to destabilize the nation. Then last week, ESET took the wraps off a campaign dubbed Operation RoundPress that it said has been ongoing since 2023 by exploiting cross-site scripting (XSS) vulnerabilities in various webmail services like Roundcube, Horde, MDaemon, and Zimbra to single out governmental entities and defense companies in Eastern Europe, as well as governments in Africa, Europe, and South America. According to the latest advisory, cyber attacks orchestrated by APT28 are said to have involved a combination of password spraying, spear-phishing, and modifying Microsoft Exchange mailbox permissions for espionage purposes. The primary targets of the campaign include organizations within NATO member states and Ukraine spanning defense, transportation, maritime, air traffic management, and IT services verticals. No less than dozens of entities in Bulgaria, Czechia, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States are estimated to have been targeted. Initial access to targeted networks is said to have been facilitated by leveraging seven different methods - Brute-force attacks to guess credentials Spear-phishing attacks to harvest credentials using fake login pages impersonating government agencies and Western cloud email providers that were hosted on free third-party services or compromised SOHO devices Spear-phishing attacks to deliver malware Exploitation of Outlook NTLM vulnerability (CVE-2023-23397) Exploitation of Roundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026) Exploitation of internet-facing infrastructure such as corporate VPNs using public vulnerabilities and SQL injection Exploitation of WinRAR vulnerability (CVE-2023-38831) Once the Unit 26165 actors gain foothold using one of the above methods, the attacks proceed to the post-exploitation phase, which involves conducting reconnaissance to identify additional targets in key positions, individuals responsible for coordinating transport, and other companies cooperating with the victim entity. The attackers have also been observed using tools like Impacket, PsExec, and Remote Desktop Protocol (RDP) for lateral movement, as well as Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. "The actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection," the agencies pointed out. "The actors used manipulation of mailbox permissions to establish sustained email collection at compromised logistics entities." Another notable trait of the intrusions is the use of malware families like HeadLace and MASEPIE, to establish persistence on compromised hosts and harvest sensitive information. There is no evidence that malware variants like OCEANMAP and STEELHOOK have been used to directly target logistics or IT sectors. During data exfiltration, the threat actors have relied on different methods based on the victim environment, often utilizing PowerShell commands to create ZIP archives to upload the collected data to their own infrastructure, or employing Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) to siphon information from email servers. "As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine's territorial defense, Unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid," the agencies said. "These actors have also targeted internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments." The disclosure comes as Cato Networks revealed that suspected Russian threat actors are leveraging Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage, and Scaleway Object Storage to host fake reCAPTCHA pages that make use of ClickFix-style lures to trick users into downloading Lumma Stealer. "The recent campaign leveraging Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage builds upon earlier methods, introducing new delivery mechanisms aimed at evading detection and targeting technically proficient users," researchers Guile Domingo, Guy Waizel, and Tomer Agayev said. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

May 20, 2025Ravie LakshmananMalware / Cyber Espionage High-level government institutions in Sri Lanka, Bangladesh, and Pakistan have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder. "The attackers used spear phishing emails paired with geofenced payloads to ensure that only victims in specific countries received the malicious content," Acronis researchers Santiago Pontiroli, Jozsef Gegeny, and Prakas Thevendaran said in a report shared with The Hacker News. The attack chains leverage spear-phishing lures as a starting point to activate the infection process and deploy a known malware referred to as StealerBot. It's worth pointing out that the modus operandi is consistent with recent SideWinder attacks documented by Kaspersky in March 2025. Some of the targets of the campaign, per Acronis, include Bangladesh's Telecommunication Regulatory Commission, Ministry of Defence, and Ministry of Finance; Pakistan's Directorate of Indigenous Technical Development; and Sri Lanka's Department of External Resources, Department of Treasury Operations, Ministry of Defence, and Central Bank. The attacks are characterized by the use of years-old remote code execution flaws in Microsoft Office (CVE-2017-0199 and CVE-2017-11882) as initial vectors to deploy malware capable of maintaining persistent access in government environments across South Asia. The malicious documents, when opened, trigger an exploit for CVE-2017-0199 to deliver next-stage payloads that are responsible for installing StealerBot by means of DLL side-loading techniques. One noteworthy tactic adopted by SideWinder is that the spear-phishing emails are coupled with geofenced payloads to ensure that only victims meeting the targeting criteria are served the malicious content. In the event the victim's IP address does not match, an empty RTF file is sent instead as a decoy. The malicious payload is an RTF file that weaponizes CVE-2017-11882, a memory corruption vulnerability in the Equation Editor, to launch a shellcode-based loader that runs the StealerBot malware. StealerBot, according to Kaspersky, is a .NET implant that's engineered to drop additional malware, launch a reverse shell, and collect a wide range of data from compromised hosts, including screenshots, keystrokes, passwords, and files. "SideWinder has demonstrated consistent activity over time, maintaining a steady pace of operations without prolonged inactivity — a pattern that reflects organizational continuity and sustained intent," the researchers said. "A closer analysis of their tactics, techniques, and procedures (TTPs) reveals a high degree of control and precision, ensuring that malicious payloads are delivered only to carefully selected targets, and often only for a limited time." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

May 13, 2025Ravie LakshmananVulnerability / Threat Intelligence A recently disclosed critical security flaw impacting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks. "Actors leveraged CVE-2025-31324, an unauthenticated file upload vulnerability that enables remote code execution (RCE)," EclecticIQ researcher Arda Büyükkaya said in an analysis published today. Targets of the campaign include natural gas distribution networks, water and integrated waste management utilities in the United Kingdom, medical device manufacturing plants oil and gas exploration and production companies in the United States, and government ministries in Saudi Arabia that are responsible for investment strategy and financial regulation. The findings are based on a publicly exposed directory uncovered on attacker-controlled infrastructure ("15.204.56[.]106") that contained event logs capturing the activities across multiple compromised systems. The Dutch cybersecurity company has attributed the intrusions to Chinese threat activity clusters tracked as UNC5221, UNC5174, and CL-STA-0048, the last of which was linked to attacks targeting high-value targets in South Asia by exploiting known vulnerabilities in public-facing IIS, Apache Tomcat, and MS-SQL servers to drop web shells, reverse shells, and the PlugX backdoor. It also noted that an uncategorized China-nexus threat actor is conducting a widespread internet scanning and exploitation campaign against SAP NetWeaver systems. The server hosted at the IP address "15.204.56[.]106" has been found to contain multiple files, including - "CVE-2025-31324-results.txt," which has recorded 581 SAP NetWeaver instances compromised and backdoored with a web shell "服务数据_20250427_212229.txt," which lists 800 domains running SAP NetWeaver likely for future targeting "The exposed open-dir infrastructure reveals confirmed breaches and highlights the group's planned targets, offering clear insight into both past and future operations," Büyükkaya noted. The exploitation of CVE-2025-31324 is followed by the threat actor deploying two web shells that are designed to maintain persistent remote access to the infected systems and execute arbitrary commands. In addition, three different Chinese hacking groups have been observed exploiting the SAP NetWeaver vulnerability as part of efforts to maintain remote access, conduct reconnaissance, and drop malicious programs - CL-STA-0048, which has attempted to establish an interactive reverse shell to "43.247.135[.]53," an IP address previously identified as used by the threat actor UNC5221, which has leveraged a web shell to deploy KrustyLoader, a Rust-based malware that can used to serve second-stage payloads like Sliver, set up persistence, and execute shell commands UNC5174, which has leveraged a web shell to download SNOWLIGHT, a loader that initiates a connection with a hard-coded server to fetch a Go-based remote access trojan named VShell and a backdoor known as GOREVERSE "China-linked APTs are highly likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term strategic and persistence access to critical infrastructure networks globally," Büyükkaya said. "Their focus on widely used platforms like SAP NetWeaver is a strategic move, as these systems are deeply integrated into enterprise environments and often host unpatched vulnerabilities." SAP Patches New NetWeaver Flaw in May 2025 Patch The disclosure comes days after another China-linked unnamed threat actor dubbed Chaya_004 has also been attributed to the exploitation of CVE-2025-31324 to deploy a Go-based reverse shell called SuperShell. SAP security firm Onapsis said it is "seeing significant activity from attackers who are using public information to trigger exploitation and abuse web shells placed by the original attackers, who have currently gone dark." Further analysis of these attacks has led to the discovery of another critical defect in NetWeaver's Visual Composer Metadata Uploader component. Tracked as CVE-2025-42999 (CVSS score: 9.1), it has been described as a deserialization vulnerability that could be exploited by a privileged user to upload untrusted or malicious content. In light of ongoing active exploitation, customers of SAP NetWeaver are recommended to update their instances to the latest version as soon as possible. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    