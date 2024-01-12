ARTICLE

Ransomware/Malware Activity

North Korean State-sponsored Threat Group Introduces SpectralBlur Backdoor

Security researchers have discovered a new macOS backdoor, dubbed SpectralBlur, that shares code similarities with KANDYKORN (also tracked as SockRacket), a remote access trojan used by North Korean state-sponsored threat actors. SpectralBlur can run a shell, delete files, sleep, and perform other tasks depending on the commands it receives from the operators' command-and-control (C2) infrastructure. Proofpoint threat researchers attribute the campaign to TA444, also known as BlueNoroff, the same group that deployed KANDYKORN against cryptocurrency exchanges in November 2023. Proofpoint researcher Greg Lesnewich notes that TA444 continually develops new malware to target macOS users, in contrast to many other North Korean threat actors, which typically reuse existing or off-the-shelf tooling. TA444 has also been observed combining pieces of existing malware to evade detection and produce rapidly evolving new variants. The campaign is consistent with the sustained interest of DPRK APT groups in cryptocurrency exchanges and their users as a source of revenue. CTIX will continue to monitor the development of DPRK threat groups and the malware they use and produce.

Threat Actor Activity

Turkish Hackers Run Cyber Espionage Campaign on Dutch IT and Telecom Companies

A new cyber espionage campaign is targeting telecommunications companies, media organizations, internet service providers (ISPs), IT service providers, and Kurdish websites in the Netherlands. The campaign is attributed to a Turkish threat group tracked as Sea Turtle (also known as Cosmic Wolf, Marbled Dust, or UNC1326), which has previously conducted state-sponsored attacks against public and private entities in the Middle East and North Africa. The group was first publicly documented in April 2019, but activity has been associated with it since at least January 2017; it is best known for DNS hijacking, altering a victim's DNS records so that traffic for the victim's domain is redirected to actor-controlled infrastructure where credentials can be harvested. Researchers have also observed Sea Turtle collecting intelligence aligned with Turkish strategic interests from countries including Armenia, Cyprus, Greece, Iraq, and Syria. In the current campaign, the actors have been collecting personal information on minority groups and potential political dissidents by targeting infrastructure susceptible to supply chain and island-hopping attacks, that is, compromising a service provider in order to reach its customers. The adversary has also been found using SnappyTCP, a simple reverse TCP shell for Linux/Unix systems with basic command-and-control (C2) capabilities that is believed to be used for establishing persistence. CTIX will continue to monitor and report on threat actor activity.
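The cheapest detection for the DNS hijacking described above is a baseline-drift check: record what a zone's delegation (NS) and key host (A) records should say, poll them regularly, and alert when an answer changes, with extra weight on answers that point outside the organization's own netblocks. The script below is an added example, not code from the original article or from any vendor report; the zone, hostnames, netblocks and "observed" answers are constructed sample data, and a real deployment would feed it answers from several resolvers plus the TLD's authoritative servers.

```python
"""Baseline-drift check for DNS hijacking (added example; constructed data).

A Sea Turtle-style hijack swaps a victim's NS records at the registrar or
rewrites A records at the DNS provider so that traffic, and any credentials
submitted to it, lands on actor-controlled hosts. Comparing live answers to a
known-good baseline catches both cases.
"""
import ipaddress
from dataclasses import dataclass

# Known-good baseline for one zone (constructed; a real one comes from the
# zone file or a change-management record, not from a live query).
BASELINE = {
    "example-isp.nl": {
        "NS": {"ns1.example-isp.nl.", "ns2.example-isp.nl."},
        "A": {
            "mail.example-isp.nl": {"203.0.113.10"},
            "vpn.example-isp.nl": {"203.0.113.20"},
        },
        # Netblocks the organization actually owns (constructed).
        "allowed_nets": [ipaddress.ip_network("203.0.113.0/24")],
    }
}


@dataclass
class Finding:
    zone: str
    rtype: str
    name: str
    expected: set
    observed: set
    note: str = ""


def in_org_nets(ip: str, nets) -> bool:
    """True if the address falls inside one of the organization's netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def check_zone(zone: str, baseline: dict, observed: dict) -> list:
    """Compare observed answers against the baseline for one zone.

    `observed` has the shape {"NS": set(names), "A": {hostname: set(ips)}},
    i.e. what a resolver answered at poll time.
    """
    findings = []

    # Delegation drift: a changed NS set usually means the registrar or
    # registry account was compromised, which is the highest-impact case
    # because it lets the actor answer for every name in the zone.
    exp_ns = baseline["NS"]
    obs_ns = set(observed.get("NS", set()))
    if obs_ns != exp_ns:
        findings.append(Finding(zone, "NS", zone, exp_ns, obs_ns,
                                "delegation changed: possible registrar/registry compromise"))

    # Per-host drift: distinguish a redirect to foreign infrastructure from
    # an in-house change and from a plain resolution failure.
    for host, exp_ips in baseline["A"].items():
        obs_ips = set(observed.get("A", {}).get(host, set()))
        if obs_ips == exp_ips:
            continue
        if not obs_ips:
            note = "no answer: resolution failure or record removed"
        elif any(not in_org_nets(ip, baseline["allowed_nets"]) for ip in obs_ips):
            note = "answer points outside org netblocks: likely redirect to actor host"
        else:
            note = "answer changed within org netblocks: verify against change ticket"
        findings.append(Finding(zone, "A", host, exp_ips, obs_ips, note))

    return findings


# Constructed snapshot of what a resolver answered after a hijack: one NS
# replaced, and the mail host now resolving to an address the org does not own.
OBSERVED_HIJACKED = {
    "NS": {"ns1.example-isp.nl.", "ns1.actor-dns.example."},
    "A": {
        "mail.example-isp.nl": {"198.51.100.7"},
        "vpn.example-isp.nl": {"203.0.113.20"},
    },
}

# Constructed snapshot with no drift at all.
OBSERVED_CLEAN = {
    "NS": {"ns1.example-isp.nl.", "ns2.example-isp.nl."},
    "A": {
        "mail.example-isp.nl": {"203.0.113.10"},
        "vpn.example-isp.nl": {"203.0.113.20"},
    },
}


def run_example() -> list:
    """Run the check over the constructed hijacked snapshot."""
    return check_zone("example-isp.nl", BASELINE["example-isp.nl"], OBSERVED_HIJACKED)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.zone}] {f.rtype} {f.name}: expected {sorted(f.expected)}, "
              f"observed {sorted(f.observed)} ({f.note})")
```

Two operational notes: query the delegation as seen by the TLD's authoritative servers (or via RDAP/whois) rather than only through a recursive resolver, because a registrar-level hijack shows up there first; and pair the DNS check with certificate-transparency monitoring for the same names, since a redirected host is only useful to the actor if it can also present a trusted TLS certificate.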

Vulnerabilities

Ivanti Patches Critical Vulnerability in Endpoint Manager Solution

US-based software provider Ivanti has released a patch for a critical vulnerability in its Endpoint Manager (EPM) solution that could be exploited by threat actors for remote code execution (RCE). Ivanti EPM is an endpoint and asset management product used by organizations to remotely manage and inventory desktop computers. The flaw, tracked as CVE-2023-39336, is an SQL injection vulnerability; an attacker who has gained access to the internal network can exploit it to execute arbitrary SQL queries and retrieve their output without authentication. Successful exploitation could give the attacker complete control of any machine running the Ivanti EPM agent, and if the core server is configured to use Microsoft SQL Express, exploitation may lead to RCE on the core server itself. Ivanti EPM 2021 and 2022 releases prior to 2022 SU5 are affected. There is currently no indication that this vulnerability is being actively exploited, but Ivanti zero-days in the related Endpoint Manager Mobile (EPMM) product were exploited in 2023. CTIX analysts recommend that all administrators responsible for Ivanti EPM instances patch any vulnerable servers to prevent future exploitation of this flaw.

