Intelphreak - December 23, 2024
Chinese APTs Target U.S. Infrastructure; IOCONTROL Malware Hits OT, IoT, SCADA Devices; Widespread WordPress Exploitation; Prometheus Toolkit Vulnerabilities; Latest On Social Engineering; PUMAKIT Malware Targets Linux Kernels; FTC Warning On Scam Task Jobs
Precedence: Routine
BLUF: Chinese APTs Infiltrated U.S. Critical Infrastructure; IOCONTROL Malware Targets OT/IoT & SCADA Devices in US & Israel; Millions of WordPress Sites Affected by Actively-Exploited Critical Vulnerabilities; Prometheus Toolkit Vulnerable to Reconnaissance, Credential Harvesting, and Denial of Service Attacks; Latest Social Engineering Campaigns Use Stealth, Redirection Chains, and Legitimate Services; Linux PUMAKIT Malware Targets Older Kernels with Alteration, Data Exfiltration, and Evasion Techniques; FTC Warning About Task Jobs That Trick Workers Out of Time & Money
BEGIN TEARLINE
[National Security] Deeper Insights into Recent US Telecommunication Hacks and Chinese APT Activity
State-sponsored Chinese threat actors have infiltrated U.S. critical infrastructure both to intercept politically relevant communications and to pre-position for large-scale, supply-chain-driven attacks (i.e., cyberwarfare) should U.S.-China geopolitical tensions escalate. The recent intrusions into telecommunications providers have raised public awareness and show how severe the problem has become, but the threat itself has existed for several years. The telecom intrusions are broadly attributed to Salt Typhoon, one of four major Chinese APT groups relevant to this campaign (alongside Volt Typhoon, Flax Typhoon, and Velvet Ant). A major Beijing-based cybersecurity company has also been publicly accused of supporting part of this broader campaign; the same company is known to sponsor cyber ranges and hacking competitions that funnel talent to China's intelligence agencies.
These actors layer their stealth by proxying traffic through massive botnets of compromised SOHO routers and IoT devices (IP cameras, NVRs, DVRs, NAS appliances, etc.), and by using living-off-the-land (LOTL) techniques that rely on built-in administrative tools rather than custom malware.
They also gain access not only through direct intrusion at the network perimeter, but by abusing trusted business relationships and by compromising, or finding exploitable flaws in, software-update and firmware supply chains.
AC: (SirPicklJohn) What a time to be a cybersecurity professional! Proof and in-depth information for defenders, investigators, detection engineers, and anyone curious can be found in the investigation writeup and expanded story in our Infophreak blog.
[National Security] Iran-Linked IOCONTROL Malware Targets SCADA, OT, IoT Devices
Team82 at Claroty has obtained a sample of malware dubbed "IOCONTROL" that has been used to attack SCADA, OT, and IoT devices in the U.S. and Israel. The initial sample was recovered from a fuel management system, and the attacks are linked to the Iranian APT CyberAv3ngers. Devices targeted include IP cameras, routers, SCADA systems, PLCs, HMIs, and firewalls from vendors such as Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics. IOCONTROL uses MQTT, the standard IoT messaging protocol, for C2 communications and for lateral movement between devices. It provides remote control and arbitrary code execution, performs further reconnaissance and scanning of other connected devices, hides its C2 infrastructure by resolving it over DNS over HTTPS (DoH), and employs evasion techniques such as self-deletion.
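The two C2 traits above (MQTT leaving the OT segment and DoH to a public resolver from a field device) are both visible in ordinary flow telemetry. The following is an added example for this issue, not code from Team82 or from the malware sample: it classifies constructed flow records against those two traits and reports sources that show both. The OT address range, the internal ranges, the resolver lists, and the CSV layout are all assumptions of the example.

```python
import csv
import ipaddress
from io import StringIO

# Assumed values for this example (not from the Claroty report): the OT/IoT
# address range under watch and the internal ranges that count as "inside".
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
MQTT_PORTS = {1883, 8883}          # MQTT plaintext / MQTT over TLS
# Well-known public DoH endpoints; a real deployment would keep a curated list.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed flow records for the example (ts,src,dst,dport,proto,sni); the
# destinations use documentation address space and are not real C2 servers.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,sni
2024-12-13T10:00:01Z,10.20.4.17,203.0.113.50,8883,tcp,
2024-12-13T10:00:03Z,10.20.4.17,1.1.1.1,443,tcp,cloudflare-dns.com
2024-12-13T10:00:09Z,10.20.4.22,10.20.1.5,1883,tcp,
2024-12-13T10:00:12Z,10.50.3.9,203.0.113.50,8883,tcp,
2024-12-13T10:00:20Z,10.20.4.17,198.51.100.7,443,tcp,update.example.com
2024-12-13T10:00:25Z,10.20.4.31,9.9.9.9,443,tcp,
"""


def is_external(ip):
    """True when the address is outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Tag one flow record; only sources inside the OT segment are in scope."""
    tags = set()
    if ipaddress.ip_address(flow["src"]) not in OT_SEGMENT:
        return tags
    dport = int(flow["dport"])
    # Field devices normally talk MQTT to an internal broker, never to the internet.
    if dport in MQTT_PORTS and is_external(flow["dst"]):
        tags.add("mqtt-egress-from-ot")
    # DoH to a public resolver bypasses the site's own DNS logging; match on
    # SNI first and fall back to the resolver IP when SNI is missing.
    if dport == 443 and (flow["sni"] in DOH_HOSTS or flow["dst"] in DOH_IPS):
        tags.add("doh-from-ot")
    return tags


def find_suspects(flow_csv):
    """Map each flagged source address to the set of tags it triggered."""
    suspects = {}
    for row in csv.DictReader(StringIO(flow_csv)):
        tags = classify(row)
        if tags:
            suspects.setdefault(row["src"], set()).update(tags)
    return suspects


def high_confidence(suspects):
    """Sources showing both behaviours, which together match the C2 pattern above."""
    both = {"mqtt-egress-from-ot", "doh-from-ot"}
    return sorted(src for src, tags in suspects.items() if both <= tags)


if __name__ == "__main__":
    found = find_suspects(SAMPLE_FLOWS)
    for src in sorted(found):
        print(src, sorted(found[src]))
    print("high confidence:", high_confidence(found))
```

A device that hits only one rule (the DoH-only host in the sample) still deserves a look, since a PLC or camera has no business resolving names through a public resolver at all; the two-rule match is simply the stronger signal. DoH on a non-standard port or to an unlisted resolver is not caught by this, so pair it with Team82's published IOCs.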
AC: (ResidentGood) Campaigns such as this are likely to continue as geopolitical tensions arise in the Middle East. As these campaigns often target civilian infrastructure, these findings are relevant to many organizations across the public and private sectors. CyberAv3ngers is an APT with ties to Iran's Islamic Revolutionary Guard Corps. It is known for carrying out cyber warfare against OT, IoT, and SCADA devices. Targets include civilian & military infrastructure in the United States & Israel. Mitigation: Team82 has released a list of IOCs and relevant environment variables. They also have released a decrypted configuration from the malware sample. For the full in-depth report see Team82's Post.
[Major Vulnerabilities] Critical, Actively-Exploited WordPress Vulnerabilities Affecting Millions of Sites due to Improper Authorization Checks
Missing or improperly implemented authentication and permission checks have recently produced several critical vulnerabilities (CVSS 9.8/10) in WordPress plugins with millions of installs. These flaws are being actively exploited in the wild, which has forced vendor patches and, in some cases, forced updates pushed directly by the WordPress.org plugins team. Even so, attackers have persisted in finding bypasses for the patches and new flaws in the patched code.
A common attack chain in some of these high-impact vulnerabilities exploits a vulnerable plugin to install a second, severely outdated and unsupported plugin with known RCE vulnerabilities (CVSS 10/10) onto the site, and then exploits that plugin.
Affected versions include WPForms 1.8.4 through 1.9.2.1; Hunk Companion before 1.9.0; CleanTalk's "Spam protection, Anti-Spam, and FireWall" plugin before 6.45; and Really Simple Security (formerly Really Simple SSL) before 9.1.2.
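Checking an inventory against the ranges above is fiddly because WordPress plugin versions have four components (1.9.2.1 is newer than 1.9.2). The following is an added example for this issue, not code from any of the vendors or from Wordfence: it encodes the affected ranges listed above, compares versions numerically, and also reports plugins that are not on an approval list, which is how the dropped-in abandoned plugin from the Hunk Companion chain would surface. The plugin slugs and the sample inventory are assumptions of the example.

```python
import re

# Affected ranges as listed above. Plugin slugs are an assumption of this
# example used only as lookup keys; confirm them against your own inventory.
# Entries are (slug, first_affected_inclusive or None, first_fixed_version).
AFFECTED = [
    ("wpforms-lite",           "1.8.4", "1.9.2.2"),
    ("hunk-companion",         None,    "1.9.0"),
    ("cleantalk-spam-protect", None,    "6.45"),
    ("really-simple-ssl",      None,    "9.1.2"),
]


def parse_version(v):
    """'1.9.2.1' -> (1, 9, 2, 1). A non-numeric suffix such as '-rc1' is dropped."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a, b):
    """Numeric, zero-padded comparison so that 1.9.2 < 1.9.2.1 and 1.9 == 1.9.0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def is_affected(slug, version):
    for s, lo, fixed in AFFECTED:
        if s != slug:
            continue
        if lo is not None and version_lt(version, lo):
            return False
        return version_lt(version, fixed)
    return False


def audit(installed, approved):
    """Return human-readable findings for an installed-plugin inventory."""
    findings = []
    for slug, ver in sorted(installed.items()):
        if slug not in approved:
            findings.append(f"{slug} {ver}: not on the approved plugin list")
        if is_affected(slug, ver):
            fixed = next(f for s, _, f in AFFECTED if s == slug)
            findings.append(f"{slug} {ver}: vulnerable, update to {fixed} or later")
    return findings


# Constructed inventory, e.g. built from `wp plugin list --format=json`.
# 'wp-query-console' stands in for the abandoned plugin dropped by the Hunk
# Companion chain; its slug is likewise an assumption of this example.
INSTALLED = {
    "wpforms-lite": "1.9.2.1",
    "hunk-companion": "1.9.0",
    "really-simple-ssl": "9.1.2",
    "wp-query-console": "1.0",
}
APPROVED = {"wpforms-lite", "hunk-companion", "really-simple-ssl"}

if __name__ == "__main__":
    for line in audit(INSTALLED, APPROVED):
        print(line)
```

The approval-list check is the part that catches the attack chain: a site owner who only looks at version numbers will see Hunk Companion patched and miss the unsupported plugin the attacker installed through it.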
AC: (SirPicklJohn) WordPress Administrators should ensure their plugins are updated to the latest version, frequently audit their sites for unauthorized plugins, and WordPress plugin developers should ensure they are following secure development practices.
[Major Vulnerabilities] Prometheus Toolkit Vulnerabilities Discovered
Researchers at Aqua Security warn that hundreds of thousands of Prometheus monitoring and alerting toolkit instances and exporters are exposed to the internet, and that thousands of them could be vulnerable to attack. Missing or misconfigured authentication allows harvesting of credentials and API keys that end up in exposed /metrics output, which also leaks internal hostnames, software versions, and topology useful for reconnaissance. Exposed /debug/pprof endpoints can be abused for denial of service, since profiling requests consume CPU and memory on the target. Separately, eight exporters linked from Prometheus' official documentation were susceptible to RepoJacking (an attacker registering an abandoned GitHub account or repository name that the docs still point to); this was addressed in September of this year.
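The credential leak is usually not a Prometheus bug but an application that copies its configuration into metric labels. The following is an added example for this issue, not code from Aqua Security or the Prometheus project: it parses a saved /metrics dump in the Prometheus text exposition format and flags labels that look like secret material. The heuristics, thresholds, and the sample metrics are assumptions of the example.

```python
import re

# Prometheus text exposition format: name{label="value",...} value [timestamp]
METRIC_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{(.*)\})?\s+(\S+)')
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:\\.|[^"\\])*)"')

# Heuristics (assumptions of this example, tune for your environment):
SECRET_LABEL_NAME = re.compile(r'(?i)(key|token|secret|passw|auth|cred)')
USERINFO_URL = re.compile(r'^[a-z][a-z0-9+.\-]*://[^/@\s]+:[^/@\s]+@', re.I)
KNOWN_SECRET_FORMAT = re.compile(
    r'AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{20,}|xox[abp]-[A-Za-z0-9-]+|sk_live_[A-Za-z0-9]+')
MIN_SECRET_LEN = 8   # avoid flagging short enum-like values such as "oauth2"

# Constructed /metrics output for the example; the values are made up.
SAMPLE_METRICS = """\
# HELP node_exporter_build_info Build information for the exporter.
# TYPE node_exporter_build_info gauge
node_exporter_build_info{version="1.8.2",goversion="go1.22.5"} 1
app_config_info{db_url="postgres://app:S3cretPass@db.internal:5432/app",env="prod"} 1
http_client_requests_total{target="https://api.example.com",api_key="sk_live_abcdef0123456789"} 42
app_auth_mode{auth_method="oauth2"} 1
process_cpu_seconds_total 12.5
"""


def parse_labels(raw):
    """Label block (without braces) -> dict; handles escaped quotes in values."""
    return {m.group(1): m.group(2) for m in LABEL_RE.finditer(raw or "")}


def judge(label, value):
    """Return a reason string when a label looks like leaked secret material."""
    if USERINFO_URL.match(value):
        return "credentials embedded in URL userinfo"
    if KNOWN_SECRET_FORMAT.search(value):
        return "value matches a known secret format"
    if SECRET_LABEL_NAME.search(label) and len(value) >= MIN_SECRET_LEN:
        return "label name suggests a secret"
    return None


def scan_metrics(text):
    """Return (metric, label, reason) for every suspicious label in a /metrics dump."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = METRIC_RE.match(line)
        if not m:
            continue
        metric = m.group(1)
        for label, value in parse_labels(m.group(2)).items():
            reason = judge(label, value)
            if reason:
                findings.append((metric, label, reason))
    return findings


if __name__ == "__main__":
    for metric, label, reason in scan_metrics(SAMPLE_METRICS):
        print(f"{metric}{{{label}}}: {reason}")
```

Run it over the output of a plain curl against each exporter you own before an attacker does; anything it flags should be removed from the label set at the source, not merely hidden behind authentication, because Prometheus itself will store and re-expose those labels through its own API.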
AC: (ResidentGood) While this could potentially cause a very bad day, these threats are quite easy to protect against. When properly secured, this open-source software is still very useful. Mitigation: Secure Prometheus instances with adequate authentication, reduce public internet visibility, monitor for unusual activity at the endpoints listed, be wary of RepoJacking attacks resulting from defunct GitHub repo names being impersonated by attackers, and put in place limits on CPU/RAM usage to avoid DoS attacks.
[Adversary TTPs] Stealth, Redirection, and The Abuse of Legitimate Services - Latest Social Engineering Tactics, Techniques, and Procedures
Recent social-engineering campaigns have used complex redirection chains seeded by malicious advertisements on legitimate ad networks, legitimate links to online services such as Microsoft Teams and Google Calendar/Drawings, fake CAPTCHA pages, AI deepfakes of celebrity video testimonials, and "pig-butchering" investment scams (which INTERPOL now calls "romance baiting" to encourage more victims to come forward and give investigators useful information rather than hiding in shame). The campaigns also use stealth techniques to defeat phishing-detection tools, including obfuscated JavaScript, links hosted on legitimate and popular services, and client-side cloaking that loads the malicious content dynamically only after the page has rendered.
MITIGATIONS: Phishing-awareness training should be a focused priority, covering common techniques such as sender-address spoofing, manufactured urgency, abuse of legitimate brands and logos, phishing from compromised internal email accounts, and unsolicited links or messages that ask the recipient to do something. Administrators and security engineers should evaluate advanced email-security tools, predictive filtering, behavioral analytics, and, of course, 2FA/MFA.
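Redirection chains of the kind described above are easiest to study offline from captured responses rather than by clicking through them. The following is an added example for this issue, not code from any of the cited reports: it walks a set of captured responses the way a browser would (3xx Location headers, meta refresh, and simple JavaScript location assignments), stops on loops, and flags the traits called out above, including a legitimate service sitting mid-chain and a final page that shows a CAPTCHA while writing to the clipboard. The hosts, responses, and the list of "legitimate service" hosts are constructed assumptions of the example.

```python
import re
from urllib.parse import urljoin, urlsplit

# Hosts treated as "legitimate services" when they appear mid-chain
# (illustrative list, an assumption of this example).
LEGIT_SERVICE_HOSTS = {"drive.google.com", "docs.google.com",
                       "calendar.google.com", "teams.microsoft.com"}

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.replace\(\s*["\']([^"\']+)["\']\s*\)', re.I)


def next_hop(url, status, headers, body):
    """Next URL a browser would load from this response, or None."""
    if 300 <= status < 400:
        loc = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if loc:
            return urljoin(url, loc)
    m = META_REFRESH.search(body)
    if m:
        return urljoin(url, m.group(1))
    m = JS_LOCATION.search(body)
    if m:
        return urljoin(url, m.group(1) or m.group(2))
    return None


def unroll(start, captures, max_hops=10):
    """Follow captured responses from `start`; stops on a dead end, a loop, or the hop limit."""
    chain, seen, url = [start], {start}, start
    while len(chain) <= max_hops and url in captures:
        nxt = next_hop(url, *captures[url])
        if nxt is None:
            break
        chain.append(nxt)
        if nxt in seen:          # redirect loop: record it and stop
            break
        seen.add(nxt)
        url = nxt
    return chain


def assess(chain, captures):
    """Flag the traits of an ad-driven redirect chain described above."""
    hosts = [urlsplit(u).hostname for u in chain]
    flags = []
    legit = [h for h in hosts[1:-1] if h in LEGIT_SERVICE_HOSTS]
    if legit:
        flags.append("legitimate service used as intermediate hop: " + ", ".join(legit))
    if len(set(hosts)) >= 3:
        flags.append(f"{len(chain) - 1} hops across {len(set(hosts))} hosts")
    final = captures.get(chain[-1])
    if final and "captcha" in final[2].lower() and "clipboard.writeText" in final[2]:
        flags.append("final page shows a CAPTCHA and writes to the clipboard (fake-CAPTCHA lure)")
    return flags


# Constructed captures keyed by URL: (status, headers, body). The hosts are
# fictitious and the 'drive.google.com' response is invented for the example.
START = "https://ads.example-network.test/click?id=42"
CAPTURES = {
    START: (302, {"Location": "https://drive.google.com/open?id=abc"}, ""),
    "https://drive.google.com/open?id=abc": (200, {}, '<html><head><meta http-equiv="refresh" content="0; url=https://cdn.tracker.test/r/9f2"></head></html>'),
    "https://cdn.tracker.test/r/9f2": (200, {}, '<script>setTimeout(function () { window.location.href = "/verify"; }, 50);</script>'),
    "https://cdn.tracker.test/verify": (200, {}, '<div class="captcha">Verify you are human</div><script>navigator.clipboard.writeText("DEMO-COMMAND");</script>'),
}

if __name__ == "__main__":
    chain = unroll(START, CAPTURES)
    print(" -> ".join(chain))
    for flag in assess(chain, CAPTURES):
        print("!", flag)
```

Static extraction like this deliberately does not execute JavaScript, so it misses the client-side cloaking described above, where the final content is fetched only after the page renders. Use it to triage captured chains quickly, and send anything that dead-ends on an obfuscated script to an instrumented browser to capture the post-render content.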
AC: (SirPicklJohn) It only takes a few seconds to pause and analyze a website or email for suspicious components, and if somebody wants something from you, they can almost always wait the few extra minutes that it takes to verify their identity!
[Research] PUMAKIT Linux Rootkit
Researchers at Elastic Security Labs have discovered a Linux rootkit named "PUMAKIT." Their research began with artifacts uploaded to VirusTotal. PUMAKIT has a fairly complex, multi-stage architecture designed for Linux systems. Its components include a dropper named cron; two executables staged in memory as /memfd:tgt and /memfd:wpn; a Loadable Kernel Module (LKM) rootkit, puma.ko; and a userland shared-object rootkit, lib64/libs.so. It hooks the rmdir() syscall and abuses it for privilege escalation within the environment. It uses ftrace to hook various kernel functions and alter system behavior, and it features several evasion techniques: it runs checks before deploying its payload to confirm the system is suitable, keeps its staged binaries in memory where they are less visible than files on disk, and can hide itself from basic logs and process listings. The LKM does not use kprobes, which indicates it targets kernels older than version 5.7. Data exfiltration is handled by the Kitsune shared-object rootkit, which communicates with the C2 servers.
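Two of the traits above leave marks that a host triage script can look for without the rootkit's cooperation: executables mapped from memfd rather than from disk, and processes that exist but are missing from directory listings. The following is an added example for this issue, not code from Elastic Security Labs: it parses /proc/<pid>/maps text for executable memfd mappings and cross-checks a /proc directory listing against direct per-PID probes. The PIDs, addresses, and maps lines are constructed for the example; collect_live() gathers the same inputs from a real Linux host but is not used by the demo.

```python
import os
import re

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r'^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$')


def memfd_exec_mappings(maps_text):
    """Executable mappings backed by memfd (anonymous in-memory files)."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if "x" in m.group("perms") and path.startswith("/memfd:"):
            name = path[len("/memfd:"):].replace(" (deleted)", "")
            hits.append((m.group("start"), m.group("end"), name))
    return hits


def hidden_pids(listed, probed):
    """PIDs that answer a direct /proc/<pid> probe but are absent from the directory listing."""
    return sorted(pid for pid, exists in probed.items() if exists and pid not in listed)


def triage(maps_by_pid, listed, probed):
    """Combine both checks into one findings dict."""
    findings = {}
    for pid, maps in maps_by_pid.items():
        names = [h[2] for h in memfd_exec_mappings(maps)]
        if names:
            findings.setdefault("memfd_exec", {})[pid] = names
    hp = hidden_pids(listed, probed)
    if hp:
        findings["hidden_pids"] = hp
    return findings


def collect_live():
    """Gather the same inputs from a running Linux host (slow: probes every PID up to pid_max)."""
    listed = {int(p) for p in os.listdir("/proc") if p.isdigit()}
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    except OSError:
        pid_max = 32768
    probed = {pid: os.path.exists(f"/proc/{pid}") for pid in range(1, pid_max + 1)}
    maps_by_pid = {}
    for pid in listed | {p for p, ok in probed.items() if ok}:
        try:
            with open(f"/proc/{pid}/maps") as fh:
                maps_by_pid[pid] = fh.read()
        except OSError:
            pass
    return maps_by_pid, listed, probed


# Constructed inputs for the example (addresses and PIDs are made up).
SAMPLE_MAPS = {
    1: "55a1c3e00000-55a1c3f2a000 r-xp 00000000 08:01 393 /usr/lib/systemd/systemd\n"
       "7ffc2e000000-7ffc2e021000 rw-p 00000000 00:00 0 [stack]\n",
    4242: "55d3c2a00000-55d3c2a21000 r-xp 00000000 08:01 1234 /usr/bin/bash\n"
          "7f1a3c000000-7f1a3c1b3000 r-xp 00000000 00:00 0 /memfd:wpn (deleted)\n"
          "7f1a3c1b3000-7f1a3c1b5000 rw-p 00000000 00:00 0 /memfd:wpn (deleted)\n"
          "7f1a3d000000-7f1a3d010000 r-xp 00000000 00:00 0 /memfd:tgt (deleted)\n",
}
SAMPLE_LISTED = {1, 2, 4242}
SAMPLE_PROBED = {1: True, 2: True, 4242: True, 4243: True, 4244: False}

if __name__ == "__main__":
    print(triage(SAMPLE_MAPS, SAMPLE_LISTED, SAMPLE_PROBED))
```

Two caveats apply. Executable memfd mappings are also used by some legitimate software (container runtimes and certain JITs), so treat a hit as a lead to inspect, not a verdict. And the PID cross-check only works when the rootkit hides entries from directory reads but leaves direct path lookups alone; a kernel-resident rootkit that hooks both will defeat any check run from inside the compromised kernel, which is why the file hashes and YARA rule from Elastic, applied from a trusted environment, remain the stronger control.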
AC: (ResidentGood) This is quite an advanced malware campaign. The best way to fight this threat is to get ahead of it via detection. Mitigation: Elastic Security has published file hashes & a YARA rule to help in detecting PUMAKIT threats.
[Cybercrime] FTC Warns of Online Task Job Scams
The Federal Trade Commission is warning the public about scams posing as gig work. The campaign begins with an SMS or WhatsApp message about a vague work opportunity. Victims are told to deposit money and are promised commissions once they complete enough tasks. This turns out to be a way to extract money from victims, sometimes four figures or more, and victims never get paid in any meaningful way. Scammers often issue small payouts for the first few tasks so that depositing money for a larger payout seems legitimate, and people who hesitate are pointed to unverifiable "success stories" from other supposed workers.
AC: (ResidentGood) Cybercrime campaigns targeting job seekers are nothing new. With the current state of the global labor market, it is imperative to not let desperation lead you into one of these traps. Luckily they are still easy to spot if you remain curious. Mitigation: Red flags of this campaign include use of cryptocurrency payouts, use of words like "product boosting" & "app optimization", and unsolicited job offers involving liking or rating products online.
END REPORT
If you are interested in anything Cybersecurity, come check out our Discord!
Sources:
Chinese Hacks on U.S. Telcos:
- Chairman Green Introduces “Cyber PIVOTT Act” to Tackle Government Cyber Workforce Shortage, Create Pathways for 10,000 New Professionals (September 24, 2024)
- 'Large number' of Americans' metadata stolen by Chinese hackers, senior official says (December 4, 2024)
- The Rise of Chinese APT Campaigns: Volt Typhoon, Salt Typhoon, Flax Typhoon, and Velvet Ant (October 24, 2024)
- Joint Cybersecurity Advisory - People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (June 1, 2023)
- Salt Typhoon - Wikipedia (December 2024)
- Volt Typhoon - MITRE ATT&CK (May 21, 2024)
- Volt Typhoon targets US critical infrastructure with living-off-the-land techniques (May 24, 2023)
- FBI Affidavit and Search and Seizure Warrant (September 9, 2024)
- Cyber Attribution Agencies: A Sceptical View - QIL (July 31, 2024)
- Joint Advisory - People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations (September 18, 2024)
- Director Wray's Remarks at the 2024 Aspen Cyber Summit (September 18, 2024)
- Company listed on Shanghai stock exchange accused of aiding Chinese cyberattacks (September 18, 2024)
- Wyden proposes bill to secure US telecoms after Salt Typhoon hacks (December 10, 2024)
- Counterintelligence director reveals extent of damage from China telecom hacks (December 12, 2024)
- Investigation into Chinese hacking reveals ‘broad and significant’ spying effort, FBI says (November 13, 2024)
- Chinese hack of global telecom providers is 'ongoing,' officials warn (December 3, 2024)
IOCONTROL Malware Targets OT & IoT Devices:
- Iran-linked IOCONTROL malware targets critical IoT/OT infrastructure in Israel, US (December 13, 2024)
- Iranian Hackers Use IOCONTROL Malware to Target OT, IoT Devices in US, Israel (December 13, 2024)
- Inside a New OT/IoT Cyberweapon: IOCONTROL (December 10, 2024)
- Dark Web Profile: Cyber Av3ngers (December 22, 2023)
Critical WordPress Vulnerabilities:
- WPForms Plugin Vulnerability Affects Up To 6 Million Sites (December 9, 2024)
- WPForms 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation - Wordfence Intelligence (December 10, 2024)
- Hunk Companion, WP Query Console Vulnerabilities Chained to Hack WordPress Sites (December 12, 2024)
- Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.43.2 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated Arbitrary Plugin Installation - Wordfence Intelligence (November 26, 2024)
- Critical Plugin Flaw Exposed 4 Million WordPress Websites to Takeover (November 15, 2024)
Prometheus Vulnerabilities:
- Over 300K Prometheus Instances Exposed: Credentials and API Keys Leaking Online (December 12, 2024)
- 336K Prometheus Instances Exposed to DoS, 'Repojacking' (December 12, 2024)
- 300,000+ Prometheus Servers and Exporters Exposed to DoS Attacks (December 12, 2024)
Latest Social Engineering TTPs:
- Hackers Exploiting HTML Functions to Bypass Email Security Filters (December 11, 2024)
- Protection Highlight: Unblur the HTML - How Phishing Attacks Exploit HTML Function (December 10, 2024)
- Hackers Weaponize Google Drive Links to Breach Corporate Networks (December 13, 2024)
- Analysis of APT-C-60 Attack on South Korea (November 24, 2022)
- Attackers Leveraging a Fake Google reCAPTCHA System to Steal Office 365 Credentials (March 11, 2021)
- DeceptionAds Delivers 1M+ Daily Impressions via 3,000 Sites, Fake CAPTCHA Pages (December 16, 2024)
- New Investment Scam Leverages AI, Social Media Ads to Target Victims Worldwide (December 16, 2024)
- INTERPOL Pushes for "Romance Baiting" to Replace "Pig Butchering" in Scam Discourse (December 18, 2024)
- Hackers Exploiting Microsoft Teams to Gain Remote Access to User’s System (December 16, 2024)
PUMAKIT Linux Malware:
- New stealthy Pumakit Linux rootkit malware spotted in the wild (December 12, 2024)
- New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection (December 13, 2024)
- Declawing PUMAKIT (December 11, 2024)
FTC Warns of Task Job Scams:
- FTC warns of online task job scams hooking victims like gambling (December 13, 2024)
- New FTC Data Show Skyrocketing Consumer Reports About Game-Like Online Job Scams (December 12, 2024)
- Paying to get paid: gamified job scams drive record losses (December 12, 2024)