Sudan4tech | Bitcoin blockchain cryptocurrency and Cybersecurity news


Salesforce Release Updates — A Cautionary Tale for Security Teams

On the surface, Salesforce seems like a classic Software-as-a-Service (SaaS) platform. Someone might even argue that Salesforce invented the SaaS market. However, the more people work with the full offering of Salesforce, the more they realize that it goes beyond a traditional SaaS platform’s capabilities.

For example, few people talk about managing the security aspects of Salesforce Release Updates. By understanding what Release Updates are, why they pose a security risk, and how security teams can mitigate risk, Salesforce customers can better protect sensitive information.


What are Salesforce Release Updates?

Since Salesforce does not automatically update its platform, it does not follow the traditional SaaS model. Most SaaS platforms have two types of releases: security fixes and product improvements. Urgent security updates are released as soon as a security vulnerability is known, and product improvements are released on fixed dates, such as quarterly or monthly. As part of the SaaS model, the vendor automatically updates the platform.

The update and patching policy benefits the customer and the SaaS provider. The customers don’t need to worry about updating the system, so they can focus on the core aspects of their business. Meanwhile, the SaaS provider does not need to develop multiple update versions or worry about which version each customer has installed.

Better yet, the SaaS provider does not need to worry that customers will experience a security breach because it automatically installs the security patch for everyone. It just makes everyone’s life easier and is one of the reasons that SaaS platforms are immensely popular.

Salesforce Updates Work Differently

Salesforce works differently, very differently. It uses a hybrid system that combines aspects of traditional software, where the customer must apply updates until end of life (EOL), with those of a modern SaaS platform. Salesforce offers regular seasonal service updates and security updates as needed. However, neither type of update is applied automatically.

Salesforce gives admins a “grace period” during which they can choose to apply the update. At the end of this period, Salesforce pushes the update through automatically.

For example, Salesforce introduced the Enforce OAuth Scope for Lightning Apps security update in Summer 2021. The provider recommends that organizations apply it by September 2021. However, Salesforce will not enforce it until Winter 2022. This is an important security update, but customers do not need to install it immediately.

Why Salesforce Updates Work Differently

While Salesforce encourages admins to run through a checklist and apply the updates, it realizes that customers rely on the platform’s flexibility and that changes can impact the customizations, like custom developments and integrations.

Since any update can be catastrophic for an organization, Salesforce gives customers time to review the update’s content and prepare the organization’s Salesforce tenant before activating the changes.

What is the importance of Salesforce Security Updates?

The Salesforce Security Updates are, as the name suggests, for security purposes. They are published to fix a security issue, prevent attacks, and strengthen the security posture of a Salesforce tenant. Therefore, customers should install them as soon as possible.

Once Salesforce publishes an update, the vulnerability it is patching becomes general knowledge. The weakness is then equivalent to a Common Vulnerabilities and Exposures (CVE) entry, only without an assigned number. Bad actors can easily obtain all the information regarding the exposure and create an attack vector that exploits the published vulnerability. This leaves every organization that has not enforced the security update vulnerable to attack.

Since most attacks are based on known, published, 1-day vulnerabilities, waiting to apply the update creates a data breach risk. All bad actors use 1-day attacks, from script kiddies to professional ransomware operators, since weaponizing them is much easier than looking for an unknown vulnerability. Most bad actors look for low-hanging fruit: organizations without updated software or with lax security.

This is why security professionals call the period from the disclosure of a vulnerability until the organization enforces the security update the golden window for attacks. For that reason, it is critical to update all software to the latest stable version and install security updates as soon as possible.

The case of access control for guest users

This is not just a hypothetical or interesting story. In October 2020, security researcher Aaron Costello discovered that access control permission settings in Salesforce might allow unauthenticated users (“guest users”) to access more information than intended by combining cumulative weaknesses in Salesforce, including

  • old and insecure Salesforce instances,
  • problematic default configurations,
  • the complexity and advanced capabilities of “@AuraEnabled” methods.

Salesforce suggested security measures for guest users, objects, and APIs, while also pushing Security Updates in the following Winter ’21 and Spring ’21 releases.

Among the Security Updates were Remove View All Users Permission from Guest User Profiles and Reduce Object Permissions for Guest Users.

Both suggestions directly address the security threat’s root cause. Problematically, this was too little too late, because bad actors had known about the vulnerability since October 2020. Even once Salesforce pushed the updates to the different tenants, admins still needed to activate them manually. This means that a customer might have been at risk for anywhere from 6 to 9 months before fixing the vulnerability themselves.

The security team’s responsibility for Salesforce Security

While Salesforce provides value to organizations, its approach to managing security updates makes it a unique type of SaaS. Additionally, it is an extremely complex system with thousands of configurations. While many don’t seem important to security, they can actually impact a Salesforce tenant’s posture.

Therefore, the CISO or security team needs to be involved more than they normally would when managing Salesforce. They need to:

  • make sure configurations are done with security in mind,
  • monitor changes,
  • make sure updates don’t worsen the organization’s security posture,
  • insist that Security Updates are installed as soon as possible,
  • make sure that the security hygiene of the Salesforce tenant is good.

Fortunately, the category of SaaS Security Posture Management (SSPM) tools addresses these tasks, and Adaptive Shield is a market-leading solution in this category that enables an optimal SaaS security posture automatically.

How can Adaptive Shield help secure Salesforce?

Adaptive Shield understands the complexity of securing Salesforce, among many other SaaS platforms, as Adaptive Shield provides an enterprise’s security teams complete control of their organizations’ SaaS apps with visibility, detailed insights, and remediation across all SaaS apps.

The platform helps Salesforce admins, CISOs, and security teams track and monitor the settings and configuration updates with security checks that ensure that the Salesforce tenant is configured and secured properly. This includes monitoring permissions, “@AuraEnabled” methods, API security, and authentication.

Adaptive Shield also provides clear priority-based mitigation information so admins and security teams can swiftly secure the Salesforce tenant and maintain a strong security posture. The Adaptive Shield platform turns securing a Salesforce tenant from a cumbersome, complex, and time-consuming task into an easy, clear, quick, and manageable one. This prevents vulnerabilities such as the example above by breaking the chain of misconfigurations and unenforced updates.

Get in touch to ensure your Salesforce, or any other SaaS app, is secure today.

Note: This article is written by Hananel Livneh, Senior Product Analyst at Adaptive Shield.

A Wide Range of Cyber Attacks Leveraging Prometheus TDS Malware Service

Multiple cybercriminal groups are leveraging a malware-as-a-service (MaaS) solution to run a wide range of malicious software distribution campaigns that result in the deployment of payloads such as Campo Loader, Hancitor, IcedID, QBot, Buer Loader, and SocGholish against individuals in Belgium as well as government agencies, companies, and corporations in the U.S.


Dubbed “Prometheus TDS” (short for Traffic Direction System) and available for sale on underground platforms for $250 a month since August 2020, the service is designed to distribute malware-laced Word and Excel documents and divert users to phishing and malicious sites, according to a Group-IB report shared with The Hacker News.

More than 3,000 email addresses are said to have been singled out via malicious campaigns in which Prometheus TDS was used to send malicious emails, with banking and finance, retail, energy and mining, cybersecurity, healthcare, IT, and insurance emerging as the prominent verticals targeted by the attacks.

“Prometheus TDS is an underground service that distributes malicious files and redirects visitors to phishing and malicious sites,” Group-IB researchers said. “This service is made up of the Prometheus TDS administrative panel, in which an attacker configures the necessary parameters for a malicious campaign: downloading malicious files, and configuring restrictions on users’ geolocation, browser version, and operating system.”

The service is also known to employ third-party infected websites that are manually added by the campaign’s operators and act as a middleman between the attacker’s administrative panel and the user. To achieve this, a PHP file named “Prometheus.Backdoor” is uploaded to the compromised website to collect and send back data about the victim, based on which a decision is taken as to whether to send the payload to the user and/or to redirect them to the specified URL.

The attack scheme commences with an email containing an HTML file, a link to a web shell that redirects users to a specified URL, or a link to a Google Doc embedded with a URL that leads to the malicious link. When opened or clicked, it takes the recipient to the infected website, which stealthily collects basic information (IP address, User-Agent, Referrer header, time zone, and language data) and then forwards this data to the Prometheus admin panel.


In the final phase, the administrative panel takes responsibility for sending a command to redirect the user to a particular URL, or to send a malware-ridden Microsoft Word or Excel document, with the user redirected to a legitimate site like DocuSign or USPS immediately after downloading the file to mask the malicious activity. Besides distributing malicious files, researchers found that Prometheus TDS is also used as a classic TDS to redirect users to specific sites, such as fake VPN websites, dubious portals selling Viagra and Cialis, and banking phishing sites.

“Prometheus TDS also redirected users to sites selling pharmaceutical products,” the researchers noted. “Operators of such sites often have affiliate and partnership programs. Partners, in turn, often resort to aggressive SPAM campaigns in order to increase the earnings within the affiliate program. Analysis of the Prometheus infrastructure by Group-IB specialists revealed links that redirect users to sites relating to a Canadian pharmaceutical company.”

Unpatched Security Flaws Expose Mitsubishi Safety PLCs to Remote Attacks

Multiple unpatched security vulnerabilities have been disclosed in Mitsubishi safety programmable logic controllers (PLCs) that could be exploited by an adversary to acquire legitimate user names registered in the module via a brute-force attack, unauthorized login to the CPU module, and even cause a denial-of-service (DoS) condition.

The security weaknesses, disclosed by Nozomi Networks, concern the implementation of an authentication mechanism in the MELSEC communication protocol, which is used to communicate with the target devices by reading and writing data to the CPU module.


A quick summary of the flaws is listed below –

  • Username Brute-force (CVE-2021-20594, CVSS score: 5.9) – Usernames used during authentication are effectively brute-forceable
  • Anti-password Brute-force Functionality Leads to Overly Restrictive Account Lockout Mechanism (CVE-2021-20598, CVSS score: 3.7) – The implementation to thwart brute-force attacks not only blocks a potential attacker from using a single IP address, but it also prohibits any user from any IP address from logging in for a certain timeframe, effectively locking legitimate users out.
  • Leaks of Password Equivalent Secrets (CVE-2021-20597, CVSS score: 7.4) – A secret derived from the cleartext password can be abused to authenticate with the PLC successfully.
  • Session Token Management – Cleartext transmission of session tokens, which are not bound to an IP address, thus enabling an adversary to reuse the same token from a different IP after it has been generated

Troublingly, some of these flaws can be strung together as part of an exploit chain, permitting an attacker to authenticate themselves with the PLC and tamper with the safety logic, lock users out of the PLC, and worse, change the passwords of registered users, necessitating a physical shutdown of the controller to prevent any further risk.

The researchers refrained from sharing technical specifics of the vulnerabilities or the proof-of-concept (PoC) code that was developed to demonstrate the attacks, due to the possibility that doing so could lead to further abuse. While Mitsubishi Electric is expected to release a fixed version of the firmware in the “near future,” it has published a series of mitigations aimed at protecting operational environments and staving off a possible attack.


In the interim, the company is recommending a combination of mitigation measures to minimize the risk of potential exploitation, including using a firewall to prevent unsanctioned access over the internet, an IP filter to restrict accessible IP addresses, and changing the passwords via USB.

“It’s likely that the types of issues we uncovered affect the authentication of OT protocols from more than a single vendor, and we want to help protect as many systems as possible,” the researchers noted. “Our general concern is that asset owners might be overly reliant on the security of the authentication schemes bolted onto OT protocols, without knowing the technical details and the failure models of these implementations.”

Cisco Issues Critical Security Patches to Fix Small Business VPN Router Bugs


Networking equipment major Cisco has rolled out patches to address critical vulnerabilities impacting its Small Business VPN routers that could be abused by a remote attacker to execute arbitrary code and even cause a denial-of-service (DoS) condition.

The issues, tracked as CVE-2021-1609 (CVSS score: 9.8) and CVE-2021-1610 (CVSS score: 7.2), reside in the web-based management interface of the Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers running a firmware release prior to the patched version. Both issues stem from a lack of proper validation of HTTP requests, permitting a bad actor to send a specially crafted HTTP request to a vulnerable device.


Successful exploitation of CVE-2021-1609 could allow an unauthenticated, remote attacker to execute arbitrary code on the device or cause the device to reload, resulting in a DoS condition. CVE-2021-1610 concerns a command injection vulnerability that, if exploited, could permit an authenticated adversary to remotely execute arbitrary commands with root privileges on an affected device, the company noted in its advisory.

Swing of Chaitin Security Research Lab has been credited with reporting the two shortcomings.

Also addressed by Cisco is a high-severity remote code execution bug (CVE-2021-1602, CVSS score: 8.2) impacting Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers that could be leveraged by an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. Small Business RV Series Routers running firmware versions earlier than the patched release are susceptible.


“This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface,” Cisco said. “A successful exploit could allow the attacker to execute arbitrary commands on an affected device using root-level privileges. Due to the nature of the vulnerability, only commands without parameters can be executed.”

The company noted there’s been no evidence of active exploitation attempts in the wild for any of these flaws, nor are there any workarounds that address the vulnerabilities.

CVE-2021-1602 marks the second time Cisco has fixed critical remote code execution flaws concerning the same set of VPN appliances. Earlier this February, the company patched 35 flaws that could potentially allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.

Several Malware Families Targeting IIS Web Servers With Malicious Modules

A systematic analysis of attacks against Microsoft’s Internet Information Services (IIS) servers has revealed as many as 14 malware families, 10 of them newly documented, indicating that the Windows-based web server software has been a hotbed for natively developed malware for close to eight years.

The findings were presented today by ESET malware researcher Zuzana Hromcova at the Black Hat USA security conference.

“The various kinds of native IIS malware identified are server-side malware and the two things it can do best are, first, see and intercept all communications to the server, and second, affect how the requests are processed,” Hromcova said in an interview with The Hacker News. “Their motivations range from cybercrime to espionage, and a technique called SEO fraud.”


IIS is an extensible web server software developed by Microsoft, enabling developers to take advantage of its modular architecture and use additional IIS modules to expand on its core functionality.

“It comes as no surprise that the same extensibility is attractive for malicious actors – to intercept network traffic, steal sensitive data or serve malicious content,” according to an ESET report shared with The Hacker News.

“Moreover, it is quite rare for endpoint (and other) security software to run on IIS servers, which makes it easy for attackers to operate unnoticed for long periods of time. This should be disturbing for all serious web portals that want to protect their visitors’ data, including authentication and payment information.”


By collecting over 80 malware samples, the study grouped them into 14 unique families (Group 1 to Group 14), most of which were first detected between 2018 and 2021 and are under active development to date. While they may not exhibit any connection to one another, what’s common among all 14 malware families is that they are all developed as malicious native IIS modules.

“In all cases, the main purpose of IIS malware is to process HTTP requests incoming to the compromised server and affect how the server responds to (some of) these requests – how they are processed depends on malware type,” Hromcova explained. The malware families have been found to operate in one of five modes –

  • Backdoor mode – remotely control the compromised computer with IIS installed
  • Infostealer mode – intercept regular traffic between the compromised server and its legitimate visitors, to steal information such as login credentials and payment information
  • Injector mode – modify HTTP responses sent to legitimate visitors to serve malicious content
  • Proxy mode – turn the compromised server into an unwitting part of command-and-control (C2) infrastructure for another malware family, and relay communication between victims and the actual C2 server
  • SEO fraud mode – modify the content served to search engine crawlers in order to artificially boost ranking for selected websites (aka doorway pages)

Infections involving IIS malware typically hinge on server administrators inadvertently installing a trojanized version of a legitimate IIS module or when an adversary is able to get access to the server by exploiting a configuration weakness or vulnerability in a web application or the server, using it to install the IIS module.


After Microsoft released out-of-band patches for ProxyLogon flaws affecting Microsoft Exchange Server 2013, 2016, and 2019 earlier this March, it was not long before multiple advanced persistent threat (APT) groups joined in the attack frenzy, with ESET observing four email servers located in Asia and South America that were compromised to deploy web shells that served as a channel to install IIS backdoors.


This is far from the first time Microsoft web server software has emerged as a lucrative target for threat actors. Last month, researchers from Israeli cybersecurity firm Sygnia disclosed a series of targeted cyber intrusion attacks undertaken by an advanced, stealthy adversary known as Praying Mantis targeting internet-facing IIS servers to infiltrate high-profile public and private entities in the U.S.

To prevent compromise of IIS servers, it’s recommended to use dedicated accounts with strong, unique passwords for administration-related purposes, install native IIS modules only from trusted sources, reduce the attack surface by limiting the services that are exposed to the internet, and use a web application firewall for an extra layer of security.
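The recommendation to install native IIS modules only from trusted sources is something a defender can actually verify from the server's configuration. The following is an added example, not code from ESET or from the article: it parses the `<globalModules>` section of an IIS applicationHost.config, which lists every native DLL IIS loads into its worker processes, and reports modules whose image sits outside the inetsrv directory. The config excerpt is constructed; `loghttp.dll`, `static.dll` and `defdoc.dll` are genuine IIS module images, while the `CacheOptimizer` module and its path are invented to stand in for a module nobody knowingly installed.

```python
"""Inventory native IIS modules from applicationHost.config and flag any image
loaded from outside the trusted inetsrv directory.

Added example (not ESET's or The Hacker News' code). SAMPLE_CONFIG is a
constructed excerpt; the "CacheOptimizer" entry is invented.
"""
import xml.etree.ElementTree as ET

# Constructed excerpt of %windir%\System32\inetsrv\config\applicationHost.config.
# The first three images are real IIS modules; the last one is the invented suspect.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="CacheOptimizer" image="C:\inetpub\wwwroot\bin\cacheopt.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directory where Microsoft ships IIS module DLLs (lower-cased for comparison).
DEFAULT_TRUSTED_DIRS = ("c:\\windows\\system32\\inetsrv\\",)


def normalize_image_path(image, windir="c:\\windows"):
    """Lower-case the path and expand the environment variables IIS uses, so that
    '%windir%\\System32\\inetsrv\\x.dll' and 'C:\\Windows\\system32\\inetsrv\\x.dll'
    compare equal. windir is a constructed default; on a real host take it from
    the environment."""
    path = image.strip().lower()
    for var in ("%windir%", "%systemroot%"):
        path = path.replace(var, windir)
    return path


def parse_global_modules(config_xml):
    """Return [(name, image)] for each <add> under <globalModules>, i.e. every
    native module IIS loads. Walked with iter() because ElementPath cannot
    address the dotted <system.webServer> tag directly."""
    root = ET.fromstring(config_xml)
    modules = []
    for section in root.iter("globalModules"):
        for entry in section:
            if entry.tag == "add":
                modules.append((entry.get("name", ""), entry.get("image", "")))
    return modules


def find_untrusted_modules(modules, trusted_dirs=DEFAULT_TRUSTED_DIRS, allowlist=()):
    """Names of modules whose DLL lives outside every trusted directory and that
    are not explicitly allowlisted (e.g. a vetted third-party module)."""
    flagged = []
    for name, image in modules:
        if name in allowlist:
            continue
        path = normalize_image_path(image)
        if not any(path.startswith(trusted) for trusted in trusted_dirs):
            flagged.append(name)
    return flagged


def audit(config_xml):
    """Summarise the registered native modules and the ones needing review."""
    modules = parse_global_modules(config_xml)
    return {"total": len(modules), "untrusted": find_untrusted_modules(modules)}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print(f"{result['total']} native modules registered")
    for name in result["untrusted"]:
        print(f"REVIEW: {name} is loaded from outside inetsrv")
```

A module flagged by this check is not proof of compromise: legitimately installed third-party modules that live outside inetsrv will show up too and belong on the allowlist once vetted. The natural next step, not shown here, is to compare each flagged DLL's hash and Authenticode signature against what the vendor publishes.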

“One of the most surprising aspects of the investigation is how versatile IIS malware is, and the [detection of] SEO fraud criminal scheme, where malware is misused to manipulate search engine algorithms and help boost the reputation of third-party websites,” Hromcova said. “We haven’t seen anything like that before.”

Russian Federal Agencies Were Attacked With Chinese Webdav-O Virus


An amalgam of multiple state-sponsored threat groups from China may have been behind a string of targeted attacks against Russian federal executive authorities in 2020.

The latest research, published by Singapore-headquartered company Group-IB, delves into a computer virus called “Webdav-O” that was detected in the intrusions, with the cybersecurity firm observing similarities between the tool and the popular Trojan called “BlueTraveller,” which is known to be connected to a Chinese threat group called TaskMasters and deployed in malicious activities aimed at espionage and the theft of confidential documents.


“Chinese APTs are one of the most numerous and aggressive hacker communities,” researchers Anastasia Tikhonova and Dmitry Kupin said. “Hackers mostly target state agencies, industrial facilities, military contractors, and research institutes. The main objective is espionage: attackers gain access to confidential data and attempt to hide their presence for as long as possible.”

The report builds on a number of public disclosures in May from Solar JSOC and SentinelOne, both of which disclosed a malware called “Mail-O” that was also observed in attacks against Russian federal executive authorities to access the cloud service, with SentinelOne tying it to a variant of another well-known malicious software called “PhantomNet” or “SManager” used by a threat actor dubbed TA428.

“The main goal of the hackers was to completely compromise the IT infrastructure and steal confidential information, including documents from closed segments and email correspondence of key federal executive authorities,” Solar JSOC noted, adding the “cybercriminals ensured themselves a high level of secrecy through the use of legitimate utilities, undetectable malware, and a deep understanding of the specifics of the work of information protection tools installed in government bodies.”

Group-IB’s analysis centers on a Webdav-O sample that was uploaded to VirusTotal in November 2019 and the overlaps it shares with the malware sample detailed by Solar JSOC, with the researchers finding the latter to be a newer, partially improvised version featuring added capabilities. The detected Webdav-O sample has also been linked to the BlueTraveller trojan, citing source code similarities and the manner in which commands are processed.


What’s more, further investigation into TA428’s toolset has revealed numerous commonalities between BlueTraveller and a nascent malware strain named “Albaniiutas” that was attributed to the threat actor in December 2020, implying that not only is Albaniiutas an updated variant of BlueTraveller, but also that Webdav-O malware is a version of BlueTraveller.

“It is noteworthy that Chinese hacker groups actively exchange tools and infrastructure, but perhaps it is just the case here,” the researchers said. “This means that one Trojan can be configured and modified by hackers from different departments with different levels of training and with various objectives.”

“Either both Chinese hacker groups (TA428 and TaskMasters) attacked Russian federal executive authorities in 2020 or that there is one united Chinese hacker group made up of different units.”

New Chinese Spyware Being Used in Widespread Cyber Espionage Attacks

A threat actor presumed to be of Chinese origin has been linked to a series of 10 attacks targeting Mongolia, Russia, Belarus, Canada, and the U.S. from January to July 2021 that involve the deployment of a remote access trojan (RAT) on infected systems, according to new research.

The intrusions have been attributed to an advanced persistent threat named APT31 (FireEye), which is tracked by the cybersecurity community under the monikers Zirconium (Microsoft), Judgement Panda (CrowdStrike), and Bronze Vinewood (Secureworks).


The group is a “China-nexus cyber espionage actor focused on obtaining information that can provide the Chinese government and state-owned enterprises with political, economic, and military advantages,” according to FireEye.

Positive Technologies, in a write-up published Tuesday, revealed a new malware dropper that was used to facilitate the attacks, including the retrieval of next-stage encrypted payloads from a remote command-and-control server, which are subsequently decoded to execute the backdoor.

The malicious code comes with the capacity to download other malware, potentially putting affected victims at further risk, as well as perform file operations, exfiltrate sensitive data, and even delete itself from the compromised machine.

“The code for processing the [self-delete] command is particularly intriguing: all the created files and registry keys are deleted using a bat-file,” Positive Technologies researchers Denis Kuvshinov and Daniil Koloskov said.


Also worthy of particular note is the malware’s similarities to that of a trojan named DropboxAES RAT that was put to use by the same threat group last year and relied on Dropbox for its command-and-control (C2) communications, with numerous overlaps found in the techniques and mechanisms used to inject the attack code, achieve persistence, and the mechanism employed to delete the espionage tool.

“The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular,” the researchers concluded.

Critical Flaws Affect Embedded TCP/IP Stack Widely Used in Industrial Control Devices

Cybersecurity researchers on Wednesday disclosed 14 vulnerabilities affecting a commonly-used TCP/IP stack used in millions of Operational Technology (OT) devices manufactured by no fewer than 200 vendors and deployed in manufacturing plants, power generation, water treatment, and critical infrastructure sectors.

The shortcomings, collectively dubbed “INFRA:HALT,” affect NicheStack, potentially enabling an attacker to achieve remote code execution, denial of service, information leak, TCP spoofing, and even DNS cache poisoning.

NicheStack (aka InterNiche stack) is a closed-source TCP/IP stack for embedded systems that is designed to provide internet connectivity to industrial equipment, and is incorporated by major industrial automation vendors like Siemens, Emerson, Honeywell, Mitsubishi Electric, Rockwell Automation, and Schneider Electric in their programmable logic controllers (PLCs) and other products.


“Attackers could disrupt a building’s HVAC system or take over the controllers used in manufacturing and other critical infrastructure,” researchers from JFrog and Forescout said in a joint report published today. “Successful attacks can result in taking OT and ICS devices offline and having their logic hijacked. Hijacked devices can spread malware to where they communicate on the network.”

All versions of NicheStack before version 4.3 are vulnerable to INFRA:HALT, with approximately 6,400 OT devices exposed to the internet as of March 2021, most of which are located in Canada, the U.S., Spain, Sweden, and Italy.

The list of 14 flaws is as follows –

  • CVE-2020-25928 (CVSS score: 9.8) – An out-of-bounds read/write when parsing DNS responses, leading to remote code execution
  • CVE-2021-31226 (CVSS score: 9.1) – A heap buffer overflow flaw when parsing HTTP post requests, leading to remote code execution
  • CVE-2020-25927 (CVSS score: 8.2) – An out-of-bounds read when parsing DNS responses, leading to denial-of-service
  • CVE-2020-25767 (CVSS score: 7.5) – An out-of-bounds read when parsing DNS domain names, leading to denial-of-service and information disclosure
  • CVE-2021-31227 (CVSS score: 7.5) – A heap buffer overflow flaw when parsing HTTP post requests, leading to denial-of-service
  • CVE-2021-31400 (CVSS score: 7.5) – An infinite loop scenario in the TCP out of band urgent data processing function, causing a denial-of-service
  • CVE-2021-31401 (CVSS score: 7.5) – An integer overflow flaw in the TCP header processing code
  • CVE-2020-35683 (CVSS score: 7.5) – An out-of-bounds read when parsing ICMP packets, leading to denial-of-service
  • CVE-2020-35684 (CVSS score: 7.5) – An out-of-bounds read when parsing TCP packets, leading to denial-of-service
  • CVE-2020-35685 (CVSS score: 7.5) – Predictable initial sequence numbers (ISNs) in TCP connections, leading to TCP spoofing
  • CVE-2021-27565 (CVSS score: 7.5) – A denial-of-service condition upon receiving an unknown HTTP request
  • CVE-2021-36762 (CVSS score: 7.5) – An out-of-bounds read in the TFTP packet processing function, leading to denial-of-service
  • CVE-2020-25926 (CVSS score: 4.0) – The DNS client does not set sufficiently random transaction IDs, causing cache poisoning
  • CVE-2021-31228 (CVSS score: 4.0) – The source port of DNS queries can be predicted to send forged DNS response packets, causing cache poisoning
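The last two entries, CVE-2020-25926 and CVE-2021-31228, describe the two fields a DNS client relies on to make forged responses unguessable: the 16-bit transaction ID and the UDP source port. A defender who can capture a device's outbound DNS queries can test both for predictability. The block below is an added example and not code from the JFrog/Forescout report; both query samples are constructed, with the "weak" client counting its transaction ID up from a fixed value and always sending from port 53, and the "good" client drawing both fields from a seeded PRNG that stands in for a proper CSPRNG.

```python
"""Assess a sample of DNS queries for the predictability behind
CVE-2020-25926 (non-random transaction IDs) and CVE-2021-31228 (predictable
source ports). Added example, not code from the INFRA:HALT report; the query
samples are constructed.
"""
import random
from collections import Counter
from math import log2

# Constructed samples of (transaction_id, udp_source_port) pairs as they would
# be pulled from a packet capture of one device's outbound DNS queries.
WEAK_QUERIES = [(0x1000 + i, 53) for i in range(64)]
_rng = random.Random(7)  # fixed seed so the "good" sample is reproducible
GOOD_QUERIES = [(_rng.randrange(0x10000), _rng.randrange(49152, 65536)) for _ in range(64)]


def shannon_entropy(values):
    """Shannon entropy, in bits, of the empirical distribution of values."""
    n = len(values)
    counts = Counter(values)
    return -sum((c / n) * log2(c / n) for c in counts.values())


def sequential_fraction(values):
    """Fraction of adjacent pairs that differ by exactly 1 modulo 2**16, i.e.
    how counter-like the sequence is."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 0x10000 == 1)
    return steps / (len(values) - 1)


def assess_dns_randomness(queries, min_distinct_ports=8, max_sequential=0.2):
    """Report on transaction-ID and source-port predictability.

    Entropy alone does not expose a counter: 64 distinct sequential IDs carry
    the same 6 bits of entropy as 64 random ones, which is why the sequential
    step test is separate. A fixed or narrow source-port range removes the
    second 16 bits an attacker would otherwise have to guess."""
    txids = [q[0] for q in queries]
    ports = [q[1] for q in queries]
    findings = []
    if sequential_fraction(txids) > max_sequential:
        findings.append("transaction IDs advance sequentially")
    if len(set(ports)) < min_distinct_ports:
        findings.append("source port is fixed or drawn from a tiny range")
    return {
        "txid_entropy_bits": round(shannon_entropy(txids), 2),
        "txid_sequential_fraction": round(sequential_fraction(txids), 2),
        "distinct_ports": len(set(ports)),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sample in (("weak client", WEAK_QUERIES), ("good client", GOOD_QUERIES)):
        report = assess_dns_randomness(sample)
        print(label, report)
```

On real captures the thresholds need tuning to the sample size: with only a handful of queries, few distinct ports is expected and the port check should be relaxed, while the sequential test stays meaningful from roughly a dozen queries upward.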

The disclosures mark the sixth time security weaknesses have been identified in the protocol stacks that underpin millions of internet-connected devices. It’s also the fourth set of bugs to be uncovered as part of a systematic research study called Project Memoria to study the security of widely-used TCP/IP stacks that are incorporated by various vendors in their firmware to offer internet and network connectivity features –

HCC Embedded, which maintains the C library, has released software patches to address the issues. “Complete protection against INFRA:HALT requires patching vulnerable devices but is challenging due to supply chain logistics and the critical nature of OT devices,” the researchers said.

As mitigations, Forescout has released an open-source script that uses active fingerprinting to detect devices running NicheStack. It is also recommended to enforce segmentation controls and to monitor all network traffic for malicious packets, in order to mitigate the risk from vulnerable devices.
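Two of the lower-scored bugs in the list above (CVE-2020-25926 and CVE-2021-31228) are the same class of weakness: a DNS client whose transaction IDs or UDP source ports can be guessed. That property can be audited from the outside by looking at a device's own outbound queries. The following Python checker is an added example, not Forescout's fingerprinting script or HCC Embedded's code; it assumes you have already extracted the 16-bit transaction ID and UDP source port from each outbound DNS query in a capture, and the two sample devices below are constructed data, not real NicheStack output.

```python
"""Heuristic check for predictable DNS transaction IDs and source ports.

Added example (not from Forescout or HCC Embedded). Input: the transaction
ID and UDP source port of each outbound DNS query a device sent, in order.
Output: a verdict per field, flagging constant, sequential or low-entropy
values, which are the symptoms behind the two cache-poisoning CVEs above.
"""
import math
from collections import Counter

# Constructed sample 1: transaction ID counts up by one, source port never changes.
SEQUENTIAL_DEVICE = [(0x1000 + i, 1024) for i in range(16)]

# Constructed sample 2: IDs and ephemeral ports with no visible pattern.
RANDOMISED_DEVICE = list(zip(
    [0x3a91, 0xd204, 0x7f1c, 0x0b6e, 0xe930, 0x5c77, 0xa8d2, 0x1f45,
     0xc6b9, 0x92e3, 0x4d0a, 0xf7bc, 0x2e58, 0xb1a6, 0x6074, 0x8de1],
    [51842, 60017, 49331, 54766, 58290, 63105, 52477, 61934,
     55810, 50263, 57349, 64721, 53098, 59412, 56635, 62188],
))


def shannon_entropy_bits(values):
    """Empirical Shannon entropy of the observed values, in bits."""
    n = len(values)
    counts = Counter(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_constant(values):
    """True when the field never changes between queries."""
    return len(set(values)) == 1


def is_sequential(values, modulus=1 << 16):
    """True when every consecutive pair differs by the same non-zero step (mod 2^16).

    Wrap-around (0xffff -> 0x0000) is handled by taking the delta modulo 2^16.
    """
    if len(values) < 3:
        return False
    deltas = {(b - a) % modulus for a, b in zip(values, values[1:])}
    return len(deltas) == 1 and 0 not in deltas


def assess_field(values):
    """Return (verdict, reasons) for one 16-bit field sampled across queries."""
    reasons = []
    if is_constant(values):
        reasons.append("constant")
    elif is_sequential(values):
        reasons.append("sequential")
    # Best case for a sample of this size is every value being distinct,
    # i.e. log2(n) bits of empirical entropy; fall well short and we flag it.
    max_bits = math.log2(len(values))
    ent = shannon_entropy_bits(values)
    if ent < 0.9 * max_bits:
        reasons.append(f"low entropy ({ent:.2f} of {max_bits:.2f} bits)")
    return ("predictable" if reasons else "ok"), reasons


def assess_queries(queries):
    """Assess the transaction-ID and source-port fields of a query list."""
    txids = [txid for txid, _port in queries]
    ports = [port for _txid, port in queries]
    return {"txid": assess_field(txids), "src_port": assess_field(ports)}


if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL_DEVICE),
                         ("randomised", RANDOMISED_DEVICE)):
        for field, (verdict, reasons) in assess_queries(sample).items():
            print(f"{name:>10} {field:<8} {verdict:<11} {', '.join(reasons)}")
```

The entropy threshold is deliberately relative to the sample size: sixteen queries can show at most four bits of empirical entropy, so the check only says whether the observed values look as spread out as they could be, not whether the generator is cryptographically sound. A device that passes on a handful of queries still deserves a larger capture before being cleared; a device that fails is worth treating as affected until patched or segmented.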

Cynet Empowers IT Resellers and Service Providers to Become Fully Qualified MSSPs


As cyber incidents increase in scope and impact, more and more organizations come to realize that outsourcing their defenses is the best practice—significantly increasing the Managed Security Service Provider (MSSP) market opportunities.

Until recently, IT integrators, VARs, and MSPs haven’t participated in the growing and profitable MSSP market as it entailed massive investments in building an in-house skilled security team.

However, this is beginning to change as a result of certain security vendors, like Cynet, that provide a purpose-built partner offering that enables IT integrators, VARs, and MSPs to provide managed security service with zero investment in hardware or personnel.

Their offering includes a 24/7 SOC that trains and supports the partner’s existing team and a security platform that consolidates and automates breach protection (including endpoint, user, and network security), making it simple to operate by any IT professional.


The barriers to becoming an MSSP

The main obstacle to entering the MSSP market is a lack of prior security experience. Responsibility for an organization’s breach protection is not taken lightly, making many IT service providers cautious about offering security services without skilled professionals at hand.

The difficulty of finding such professionals is the main reason a standard IT provider is barred from becoming an MSSP. Be that as it may, many resellers and managed service providers understand that the way to grow their revenues, and especially their profitability, is by adding managed security services.

Consolidation and automation – the path to MSSP

Security consolidation and automation appeal to security services newcomers because they shift breach protection workflows such as investigations and remediations from being dependent on manual skill to a product functionality that can be performed regardless of prior security skill and experience.

This switch changes the rules of the security game in many aspects. Mainly, it expands the MSSP field, making it available and relevant to a broader audience of IT service providers.

Taking a further look at Cynet’s partner offering, it’s clear that it significantly lowers the entry barriers for re-sellers, integrators, and managed service providers to provide managed security services, through the following features:

  • Cloud-native solution with no hardware to purchase, deploy and integrate
  • Purpose-built platform that radically simplifies security operations: Cynet 360 can be efficiently operated by any IT professional without specialized security proficiency, which means there is no need to hire a new expert team.
  • Cynet’s platform includes the functionalities of all core security products – AV, NGAV, EDR, Network Traffic Analytics, Deception, and User Behavior Analysis (UBA). As such, it enables the MSSP to provide an extensive range of security needs to its existing client base.
  • Cynet automates the remediation needs for infected hosts, malicious files, compromised user accounts, and unsafe network traffic, with a wide range of response orchestration capabilities. Apart from being a key capability differentiator, response automation removes operational burdens from the MSSP, increasing its team’s capacity.
  • Cynet’s partner offering includes CyOps, a 24/7 security team that provides full onboarding and training for the partner’s staff and performs alert monitoring, threat hunting, and attack investigation for the partner’s customers. In practice, this means the MSSP gains an additional highly skilled workforce that ensures its customers get the best of breach protection.

Learn more about becoming an MSSP with Cynet 360.

Chinese Hackers Target Major Southeast Asian Telecom Companies

Three distinct clusters of malicious activities operating on behalf of Chinese state interests have staged a series of attacks to target networks belonging to at least five major telecommunications companies located in Southeast Asian countries since 2017.

“The goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers,” Cybereason’s Lior Rochberger, Tom Fakterman, Daniel Frank, and Assaf Dahan revealed in a technical analysis published Tuesday.


The Boston-based cybersecurity firm linked the campaigns to three different Chinese threat actors, namely Gallium (aka Soft Cell), Naikon APT (aka APT30 or Lotus Panda), and TG-3390 (aka APT27 or Emissary Panda).

The activity surrounding the latter of the three clusters started in 2017, while Gallium-related attacks were first observed in Q4 2020, with the Naikon group jumping on the exploitation bandwagon last in Q4 2020. All three espionage operations are believed to have continued all the way to mid-2021.

Calling the attackers “highly adaptive,” the researchers called out their diligent efforts to stay under the radar and maintain persistence on the infected endpoints, while simultaneously shifting tactics and updating their defensive measures to compromise and backdoor unpatched Microsoft Exchange email servers using the ProxyLogon exploits that came to light earlier this March.

“Each phase of the operation demonstrates the attackers’ adaptiveness in how they responded to various mitigation efforts, changing infrastructure, toolsets, and techniques while attempting to become more stealthy,” the researchers noted.

Naikon, on the other hand, was found to leverage a backdoor named “Nebulae” as well as a previously undocumented keylogger dubbed “EnrollLoger” on selected high-profile assets. It’s worth pointing out that Naikon’s use of Nebulae first emerged in April 2021 when the adversary was attributed as behind a wide-ranging cyber-espionage campaign targeting military organizations in Southeast Asia.


Regardless of the attack chain, a successful compromise triggered a sequence of steps, enabling the threat actors to perform network reconnaissance, credential theft, lateral movement, and data exfiltration.

The Emissary Panda cluster is the oldest of the three, primarily involving the deployment of a custom .NET-based OWA (Outlook Web Access) backdoor, which is used to pilfer credentials of users logging into Microsoft OWA services, granting the attackers the ability to access the environment stealthily.

Also of note is the overlap among the clusters in terms of the victimology and the use of generic tools like Mimikatz, with the three groups detected in the same target environment, around the same timeframe, and even on the same systems.

“At this point, there is not enough information to determine with certainty the nature of this overlap — namely, whether these clusters represent the work of three different threat actors working independently, or whether these clusters represent the work of three different teams operating on behalf of a single threat actor,” the researchers said.

“A second hypothesis is that there are two or more Chinese threat actors with different agendas / tasks that are aware of each other’s work and potentially even working in tandem.”