Today’s Cybersecurity Threats and Trends - 09/26/2024

SloppyLemming, Salt Typhoon, and SilentSelfie assault cyberspace.

Before we dive in, I would like to thank all of you for supporting us with your subscription! My goal is to bring both actionable insights and information regarding cybersecurity threats to the non-tech and technical professional alike. If this sounds like something that would help someone you know, please share the newsletter!

1. SloppyLemming Lurks in South Asia

Primary Threat: SloppyLemming, an advanced persistent threat (APT) group, has been carrying out extensive operations targeting South Asian countries, including Pakistan, Bangladesh, and Sri Lanka. Cloudflare’s research reveals that the group uses cloud services for credential harvesting, malware distribution, and command-and-control (C2) operations. The group primarily targets government, defense, and telecommunications sectors in Pakistan and beyond, using sophisticated phishing campaigns and leveraging cloud infrastructure to evade detection.

  • MITRE Tactics: Credential Access, Command and Control

  • Risk: High – The group targets critical infrastructure, making their activity particularly dangerous.

2. Kimsuky Keyloggers Compromise Critical Systems

Primary Threat: North Korean hacking group Kimsuky has deployed new malware variants, KlogExe and ReconAPO, as part of a broader espionage campaign. Unit 42's research reveals that KlogExe functions as a keylogger, while ReconAPO serves as a backdoor, providing the attackers with remote access to compromised systems. These tools are used to gather sensitive information, primarily targeting government and financial institutions.

  • MITRE Tactics: Credential Access, Persistence

  • Risk: High – The new malware tools enhance Kimsuky’s ability to spy on and steal from targeted organizations.

Did you know…?

The term Advanced Persistent Threat (APT) was first used in 2006 by the U.S. Air Force to describe nation-state sponsored cyberattacks that were highly targeted, persistent, and stealthy. Since then, APTs like SloppyLemming and Kimsuky have become infamous for their sophisticated, long-term cyber espionage campaigns, focusing on critical infrastructure, governments, and high-value industries worldwide.

3. SilentSelfie: Kurdish Watering Hole Attacks

Primary Threat: A significant watering hole campaign targeting Kurdish political and media websites has been uncovered. The Sekoia blog post details how the attack, dubbed SilentSelfie, is used to deliver malware to visitors of the compromised sites, with the goal of espionage. The attack primarily affects users in the Kurdish regions, including those involved in political activism.

  • MITRE Tactics: Initial Access, Persistence

  • Risk: Medium – The campaign is highly targeted but poses serious risks to the individuals and groups involved.

4. Salt Typhoon Strikes Communications Infrastructure

Primary Threat: A Chinese hacking group, tracked as Salt Typhoon, has infiltrated U.S. internet service providers, targeting critical communications infrastructure. According to the Wall Street Journal, this group, also known as FamousSparrow and GhostEmperor, exploits vulnerabilities to gain long-term access to compromised systems. The attack focuses on intercepting sensitive communications, potentially affecting national security.

  • MITRE Tactics: Persistence, Command and Control

  • Risk: Critical – Targeting communication infrastructure poses serious risks to both public and private sectors.

5. HPE Aruba Patches RCE Vulnerabilities

Primary Threat: HPE Aruba has issued patches for three critical remote code execution (RCE) vulnerabilities affecting its access points. The vulnerabilities (CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507) can be exploited by sending specially crafted packets to the Aruba PAPI protocol service. This could allow attackers to execute arbitrary code on affected devices, potentially leading to full system compromise.

  • MITRE Tactics: Execution, Initial Access

  • Risk: High – These RCE flaws could be leveraged to compromise enterprise networks.

IN SUMMARY:

Today's cybersecurity landscape reveals a mix of state-sponsored espionage and critical infrastructure threats.

SloppyLemming targets South Asian governments, while North Korean hackers deploy new malware variants for spying.

Meanwhile, watering hole campaigns hit Kurdish sites, and Chinese hackers infiltrate U.S. internet providers.

Lastly, HPE Aruba's critical access point vulnerabilities remind us that patching remains one of the most important defenses against attack.

Stay sharp, stay patched, and stay paranoid!

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)