CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
99.8%
A Taiwanese government-affiliated research institute that specializes in computing and associated technologies was breached by nation-state threat actors with ties to China, according to new findings from Cisco Talos.
The unnamed organization was targeted as early as mid-July 2023 to deliver a variety of backdoors and post-compromise tools like ShadowPad and Cobalt Strike. It has been attributed with medium confidence to a prolific hacking group tracked as APT41.
âThe ShadowPad malware used in the current campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader to load the customized second-stage loader for launching the payload,â security researchers Joey Chen, Ashley Shen, and Vitor Ventura said.
âThe threat actor compromised three hosts in the targeted environment and was able to exfiltrate some documents from the network.â
Cisco Talos said it discovered the activity in August 2023 after detecting what it described were âabnormal PowerShell commandsâ that connected to an IP address to download and execute PowerShell scripts within the compromised environment.
The exact initial access vector used in the attack is not known, although it involved the use of a web shell to maintain persistent access and drop additional payloads like ShadowPad and Cobalt Strike, with the latter delivered by means a Go-based Cobalt Strike loader named CS-Avoid-Killing.
âThe Cobalt Strike malware had been developed using an anti-AV loader to bypass AV detection and avoid the security product quarantine,â the researchers said.
Alternately, the threat actor was observed running PowerShell commands to launch scripts responsible for running ShadowPad in memory and fetch Cobalt Strike malware from a compromised command-and-control (C2) server. The DLL-based ShadowPad loader, also called ScatterBee, is executed via DLL side-loading.
Some of the other steps carried out as part of the intrusion comprised the use of Mimikatz to extract passwords and the execution of several commands to gather information on user accounts, directory structure, and network configurations.
âAPT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation,â Talos said, noting the final payload, UnmarshalPwn, is unleashed after passing through three different stages.
The cybersecurity outfit also pointed out the adversaryâs attempts to avoid detection by halting its own activity upon detecting other users on the system. âOnce the backdoors are deployed the malicious actor will delete the web shell and guest account that allowed the initial access,â the researchers said.
The disclosure comes as Germany revealed earlier this week that Chinese state actors were behind a 2021 cyber attack on the countryâs national mapping agency, the Federal Office of Cartography and Geodesy (BKG), for espionage purposes.
Responding to the allegations, Chinaâs embassy in Berlin said the accusation is unfounded and called on Germany âto stop the practice of using cybersecurity issues to smear China politically and in the media.â
Found this article interesting? Follow us on Twitter ď and LinkedIn to read more exclusive content we post.
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
99.8%