Suspected Threat Actors: Mustang Panda
Summary:
Researchers have recently found a campaign by the China-based APT group Mustang Panda that leverages the PlugX malware family to target Myanmar-based users. While analyzing the samples, within the embedded configuration the researchers found C2 domains that impersonated Myanmar news outlets. This is not the first time a campaign targeting Myanmar has impersonated its news outlets or used the PlugX malware. Based on TTPs and other supporting evidence including previous activities, the researchers assess that the China-based threat group known as Mustang Panda is behind this campaign.
In late May this year, researchers identified unusual network traffic to the domain www[.]myanmarnewsonline[.]org which appeared similar to a Myanmar news website.
The files communicating with the domain had a low detection ratio on VirusTotal and followed a naming convention that made them look like legitimate utilities relating to Hewlett-Packard (HP) printers. The files contained a legitimate signed utility from HP, alongside a DLL loader and a DAT – an encrypted PlugX payload.
In June, a separate researcher on Twitter shared another such file, linked to the sub-domain of the above-mentioned domain images[.]myanmarnewsonline[.]org which was found associated with PlugX and the Mustang Panda APT group.
Insights:
The Mustang Panda APT threat actor group has a long history of using the PlugX malware and its target includes nations throughout the South-East Asian region. The same threat actor group has carried out a campaign targeting Myanmar government entities using custom lures and compromised the website of the office of Myanmar’s President.
Killnet, a Russian hacktivist group suspected by researchers to act on the behest of the Kremlin, has brought down some of the US state government services. The states that have been targeted in this campaign include Kentucky, Colorado. and Mississippi. One of the services disrupted in the attack was Kentucky’s Board of Elections. However, according to preliminary reports the attacks does not seem to have developed above a nuisance level and no sensitive data have likely been compromised.
While some services were rendered unavailable by a DdoS attack, other websites were defaced in low-grade vandalism attacks, with pictures of the Statue of Liberty in front of a scene of an atomic bombing, embellished with vulgar threats towards NATO.
Killnet, the group that took responsibility for the attack has also recently attacked the websites of several major US airports including Atlanta, Chicago, Los Angeles, New York, Phoenix, and St Louis. These attacks took the form of a simple DDoS attack, knocking the websites temporarily offline and causing inconvenience. These attacks have only affected the public-facing websites of the airports, which supply flight and services information thereby hindering the core airport functions.
Since the start of the war waged by Russia in Ukraine, Killnet has also claimed responsibility for similar cyberattacks against government and corporate websites in the Baltic countries (mainly Lithuania and Estonia), Romania or Japan.
The Lloyd’s of London, the biggest insurance marketplace in the world believes its networks have been possibly targeted by a cyberattack after an unusual activity was detected. Researchers have not been able to provide any attribution yet, but the company is among the prominent supporter of sanctions against Russia during the present war. It is also a major hub for insurance in maritime shipping, which Ukraine needs for its grain exports. From a geopolitical point of view, this would make Lloyd’s a prime target for Russian APTs. As of October 10, no sensitive data leakage has been confirmed.
The US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) have issued a joint advisory on the top vulnerabilities being targeted by Chinese state-sponsored threat actors. According to the statement, Chinese state-backed hackers have been actively targeting U.S. and allied networks as well as companies across a large set of industries, mainly in information technology including telecommunications providers, defense industry, energy, and other critical infrastructure organizations, to steal intellectual property and develop access into sensitive networks. The list of vulnerable CVEs includes security holes in Apache Log4j, Microsoft Exchange, Hikvision Webserver and Apache HTTP Server. CYFIRMA has provided an early warning on these vulnerabilities to its clients in the past.
Matrix Networks Impacted by LockBit Ransomware
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed Matrix Networks (mtrx.com) – a company dealing in support business technology solutions – being impacted by the LockBit ransomware group. The ransomware group claimed Matrix Networks as one of their victims by disclosing the update on their dedicated leak site on 12 October 2022 at 04:09 UTC. It is suspected that a large amount of business- critical and sensitive data has been exfiltrated. At the time of CTI’s observation, the ransomware group provided a deadline of 19 October 2022 04:09:41 UTC, and a ransom of USD 35000 has been demanded.
Insights:
