The Good, the Bad and the Ugly in Cybersecurity – Week 50

The Good

Will the real APT32 please stand up? The OceanLotus APT group have been hitting the headlines a lot recently, but it’s close to unprecedented for an APT group’s identity to be outed in the way Facebook doxed the group this week.

The social media giant fingered Vietnamese IT company CyberOne Security as the entity behind APT32 activity that has targeted victims including human rights activists, news agencies, governmental and NGO agencies, as well as a wide range of businesses from agriculture and health to tech and IT. Researchers from Facebook identified Windows malware, a macOS backdoor and TTPs that include malicious Play Store apps, watering hole attacks, and fake FB and other social media personas to lure victims.

Facebook say they have disrupted the group’s behaviour by blocking associated domains from being posted on the platform, removing the group’s accounts and notifying suspected victims. As for the fake “CyberOne Security” company, journalists’ attempts to contact anyone via phone and email went, perhaps unsurprisingly, unanswered.

The Bad

It’s all about the APTs this week. While the security industry has rallied round to help enterprises defend against an APT attack on FireEye that resulted in the theft of offensive red teaming tools, it appears that Russian APT groups have been actively taking advantage of a vulnerability in VMware systems, according to a 3-page US National Security Agency advisory published this week.

Successfully exploiting the bug, CVE-2020-4006, allows threat actors to execute commands of their choice on a compromised system running the vulnerable software. The agency reported that attackers have been exploiting the vulnerability by installing a web shell as a gateway into networks and then accessing protected data by means of forged SAML assertions.

The VMware products affected by the security flaw are:

  • VMware Access 20.01 and 20.10 on Linux
  • VMware vIDM 3.3.1, 3.3.2, and 3.3.3 on Linux
  • VMware vIDM Connector 3.3.1, 3.3.2, 3.3.3, 19.03
  • VMware Cloud Foundation 4.x
  • VMware vRealize Suite Lifecycle Manager 8.x

Malicious activity based on the flaw occurs within the TLS tunnel associated with the devices. Security teams that lack visibility into encrypted connections can hunt for post-compromise indicators in the configurator log (/opt/vmware/horizon/workspace/logs/configurator.log), specifically for an ‘exit’ statement followed by a 3-digit number, the NSA advised.
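The log hunt described above, as an added example that is not part of the original post or the NSA advisory: a Python scanner that flags lines containing 'exit' followed by exactly three digits, reading plain or gzip-compressed copies of the log. The sample lines are constructed, and their layout, the whitespace separator and the case-insensitive match are assumptions.

```python
import gzip
import re
import sys
from pathlib import Path

# Log path named in the guidance above.
DEFAULT_LOG = Path("/opt/vmware/horizon/workspace/logs/configurator.log")

# 'exit' followed by exactly three digits. The whitespace separator and the
# case-insensitive match are assumptions, not details from the advisory.
EXIT_RE = re.compile(r"(?<!\w)exit\s+(\d{3})(?!\d)", re.IGNORECASE)

# Constructed sample lines; the layout is not real product output.
SAMPLE = [
    "2020-12-08 10:14:02 INFO configurator: settings saved",
    "2020-12-08 10:14:09 ERROR configurator: command failed: exit 123",
    "2020-12-08 10:15:30 INFO configurator: worker exit 0",
    "2020-12-08 10:16:44 INFO configurator: job 4411 exit 1234",
    "2020-12-08 10:18:20 ERROR configurator: Exit 255",
]

def hunt(lines):
    """Return (line_number, code, line) for every line matching the indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = EXIT_RE.search(line)
        if match:
            hits.append((number, match.group(1), line.rstrip("\n")))
    return hits

def scan_file(path):
    """Scan one log file; a .gz suffix is read as a gzip-compressed copy."""
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", errors="replace") as handle:
        return hunt(handle)

def main(argv):
    paths = [Path(p) for p in argv[1:]] or [DEFAULT_LOG]
    found = 0
    for path in paths:
        if not path.is_file():
            print(f"skip (not found): {path}", file=sys.stderr)
            continue
        for number, code, line in scan_file(path):
            found += 1
            print(f"{path}:{number}: exit {code}: {line}")
    return 1 if found else 0  # non-zero exit status when any line matched

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A match is a lead for investigation rather than proof of compromise; review the surrounding log entries for each flagged line.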


Patches for the above have been available since December 3rd, and all users are advised to update as soon as possible. In addition, since exploitation of the bug requires password-based access to the web-based management interface of a targeted device, admins are urged to ensure that they follow best practice to avoid weak passwords and, where possible, to ensure the web-based management interface is not accessible from the internet. Other workarounds where patching is not immediately possible are suggested in the NSA advisory.

The Ugly

As we noted last week, there’s been a disturbing trend recently among both crimeware actors and sophisticated adversaries of targeting research data, organizations and infrastructure related to developing, manufacturing and distributing COVID-19 vaccines.

That trend continued this week with a cyberattack on the European Medicines Agency. The organization’s terse statement offered no further details other than to confirm an attack had taken place, but subsequent reports say documents relating to regulatory submission of the Pfizer/BioNTech vaccine, BNT162b2, had been accessed.

EMA is in the midst of the approval process for the vaccine and the documents were stored on an EMA server, according to a press release from BioNTech.

It is not clear whether such documents were the primary target of the attack or what other data may have been compromised, but there is no indication to date that any PPI belonging to staff or persons involved in vaccine trials was exposed. Reportedly, EMA have said the cyberattack will not delay regulatory approval of the vaccine in the EU, which is expected to be within the next few weeks.