Global agencies issue alert on APT40 cyber threat

Last week, the cybersecurity landscape witnessed significant developments across various threat vectors. These included Google announcing its upcoming ban on Entrust certificates in Chrome due to compliance and security concerns, a joint advisory highlighting APT40’s persistent cyber espionage activities, researchers uncovering the Golang-based Zergeca botnet, the emergence of the new ransomware-as-a-service (RaaS) Eldorado, and the EstateRansomware group targeting Veeam Backup software. Cybersecurity vigilance, multi-factor authentication, and proactive threat mitigation strategies are crucial amid these escalating risks.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Google to ban Entrust certificates in Chrome beginning November 2024

Google has announced plans to block websites using Entrust certificates in its Chrome browser starting around November 1, 2024, citing Entrust’s repeated compliance failures and security issues. This action stems from concerns over Entrust’s handling of incident reports and its failure to meet improvement commitments, which has led to a loss of confidence in its role as a trusted certificate authority.

Chrome versions 127 and higher on Windows, macOS, ChromeOS, Android, and Linux will no longer trust TLS server authentication certificates from Entrust by default. Website operators are advised to migrate to other certificate authorities in the Chrome Root Store to avoid disruptions in service and ensure secure connections for users.
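A check a site operator can run against their own hosts for the Chrome change above (added example; not code from the SISA post or from Google): it classifies a leaf certificate by its issuer organization and lists the hosts that still present an Entrust-issued certificate, so they can be moved to another CA in the Chrome Root Store. The sample dicts are constructed in the shape ssl.SSLSocket.getpeercert() returns; matching the substring "entrust" in the issuer organization is an assumption about how Entrust's issuer names appear.

```python
import socket
import ssl
from datetime import datetime, timezone

# Fixed reference "now" for the sample run; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2024, 7, 15, tzinfo=timezone.utc)

def issuer_org(cert):
    """Pull organizationName out of the issuer of a cert dict as returned by
    ssl.SSLSocket.getpeercert(): a tuple of RDNs, each a tuple of (attr, value) pairs."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return ""

def assess_cert(cert, now=None):
    """Return (issuer_org, is_entrust, days_until_expiry) for one leaf certificate."""
    org = issuer_org(cert)
    is_entrust = "entrust" in org.lower()  # assumption: issuer O= contains "Entrust"
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return org, is_entrust, (not_after - now).days

def fetch_peer_cert(host, port=443, timeout=5):
    """Live variant: fetch the leaf certificate a host presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def migration_list(certs_by_host, now=None):
    """Hosts whose current leaf is Entrust-issued: these need a new CA before the distrust date."""
    return sorted(h for h, c in certs_by_host.items() if assess_cert(c, now)[1])

# Constructed sample certificate dicts (not real certificates) in getpeercert() shape.
SAMPLE_CERTS = {
    "shop.example": {
        "issuer": ((("countryName", "US"),), (("organizationName", "Entrust, Inc."),),
                   (("commonName", "Constructed Entrust intermediate"),)),
        "notAfter": "Mar  1 12:00:00 2025 GMT",
    },
    "blog.example": {
        "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
                   (("commonName", "Constructed LE intermediate"),)),
        "notAfter": "Sep 20 09:00:00 2024 GMT",
    },
}

if __name__ == "__main__":
    print(migration_list(SAMPLE_CERTS, REFERENCE_NOW))
```

For a real inventory, replace SAMPLE_CERTS with `{h: fetch_peer_cert(h) for h in hosts}`; the days-until-expiry value shows how long a host's current Entrust certificate would otherwise have remained in service.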

2. Joint advisory warns of China-linked APT40’s rapid exploitation of vulnerabilities

Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have issued a joint advisory on APT40, a China-linked cyber espionage group affiliated with China’s Ministry of State Security. Active since 2011, APT40 rapidly exploits newly disclosed vulnerabilities to target global organizations, stealing valuable data through sophisticated techniques.

The group has conducted high-profile intrusions, including using the ScanBox framework and exploiting WinRAR flaws, and has exploited vulnerabilities in widely used software such as Log4j, Atlassian Confluence, and Microsoft Exchange. APT40’s tactics include deploying web shells, leveraging outdated devices, and using living-off-the-land techniques. Recommendations to safeguard your organization include enforcing multi-factor authentication, robust patch management, regular updates, network segmentation, and deploying Endpoint Detection and Response (EDR) solutions.

3. Golang-based Zergeca botnet emerges with high-impact DDoS capabilities

Cybersecurity researchers have discovered a new botnet named Zergeca, developed in Golang and capable of launching distributed denial-of-service (DDoS) attacks, among other malicious activities such as proxying, scanning, and reverse shell operations. Zergeca, notable for its use of DNS-over-HTTPS (DoH) for C2 server resolution and sophisticated evasion tactics, is linked to the same IP address previously used by the Mirai botnet, suggesting experienced operators.

Active since April 2024, it targets devices with x86-64 CPU architecture, using modules for persistence, proxying, and malware removal, and has primarily executed ACK flood DDoS attacks against Canada, Germany, and the U.S. Security recommendations include continuous network monitoring, DNS security measures, up-to-date endpoint protection, and strict access controls.

4. Eldorado: New ransomware-as-a-service targets VMware ESXi VMs and Windows

The new ransomware-as-a-service (RaaS) Eldorado, targeting VMware ESXi and Windows systems, has claimed 16 victims across sectors like real estate, education, healthcare, and manufacturing. It encrypts data using ChaCha20 and RSA algorithms and recruits affiliates via RAMP ransomware forums. The Go-based malware targets both Windows and Linux systems, adding the “.00000001” extension to encrypted files and dropping ransom notes titled “HOW_RETURN_YOUR_DATA.TXT.”

Eldorado encrypts network shares via SMB protocol, deletes shadow volume copies on Windows, and avoids essential system files to maintain functionality. Recommendations include implementing multi-factor authentication, using Endpoint Detection and Response (EDR), regular data backups, and AI-based analytics for real-time intrusion detection.

5. EstateRansomware: New threat group exploiting Veeam Backup software vulnerability

A security flaw in Veeam Backup & Replication software, CVE-2023-27532, is being exploited by the new EstateRansomware. Attackers initially breach networks through a dormant Fortinet FortiGate SSL VPN account (‘Acc1’), pivot laterally, and establish RDP connections to deploy a persistent backdoor named “svchost.exe.” This backdoor connects to a command-and-control server, enabling further malicious actions.

Exploiting the Veeam flaw, attackers enable xp_cmdshell, create rogue user accounts, and conduct network reconnaissance using tools like NetScan and AdFind. They disable defenses and deploy ransomware using PsExec.exe, following a double extortion model that involves data exfiltration before encryption. Recommendations include implementing multi-factor authentication, network segmentation, application control, endpoint detection and response solutions, strict access controls, and intrusion detection systems to mitigate such attacks effectively.
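A defender-side triage over constructed process-creation records (added example, not code from the SISA advisory or from any vendor) that flags the behaviours this section describes: a backdoor named svchost.exe running outside the Windows system directories, xp_cmdshell being enabled (xp_cmdshell is a SQL Server procedure; that it is switched on through sp_configure is an assumption about what the audit trail would contain), rogue local account creation, and AdFind, NetScan or PsExec execution. The host/user/image/cmdline field names and the sample records are assumptions.

```python
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RECON_AND_LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe", "netscan.exe", "adfind.exe"}

def detect(event):
    """Return the list of rule labels one process-creation event triggers."""
    image = event["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    cmd = event["cmdline"].lower()
    findings = []
    # The genuine svchost.exe only lives under System32/SysWOW64; the advisory's
    # backdoor borrows the name, so the path is the tell.
    if name == "svchost.exe" and not image.startswith(SYSTEM_DIRS):
        findings.append("svchost_masquerade")
    if name in RECON_AND_LATERAL_TOOLS:
        findings.append("recon_or_lateral_tool:" + name)
    # Assumption: enabling xp_cmdshell shows up as an sp_configure call in the command line.
    if "xp_cmdshell" in cmd and "sp_configure" in cmd:
        findings.append("xp_cmdshell_enabled")
    if re.search(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", cmd):
        findings.append("local_account_created")
    return findings

def triage(events):
    """Group distinct rule hits per host; a host hitting two or more rules is escalated,
    since the chain above is several of these steps on the same backup server."""
    per_host = {}
    for ev in events:
        for label in detect(ev):
            per_host.setdefault(ev["host"], set()).add(label.split(":")[0])
    summary = {h: sorted(hits) for h, hits in per_host.items()}
    escalate = sorted(h for h, hits in per_host.items() if len(hits) >= 2)
    return summary, escalate

# Constructed sample telemetry (not real logs); 'Acc1' is the dormant VPN account the advisory names.
SAMPLE_EVENTS = [
    {"host": "BACKUP01", "user": "svc_veeam", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "BACKUP01", "user": "Acc1", "image": "C:\\Users\\Public\\svchost.exe",
     "cmdline": "svchost.exe"},
    {"host": "BACKUP01", "user": "svc_veeam", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c sqlcmd -Q \"EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE\""},
    {"host": "BACKUP01", "user": "Acc1", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net user backupadm P@ss /add"},
    {"host": "DC01", "user": "Acc1", "image": "C:\\Temp\\AdFind.exe",
     "cmdline": "AdFind.exe -f objectcategory=computer"},
    {"host": "FILE02", "user": "Acc1", "image": "C:\\Temp\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\FILE03 -s cmd.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` escalates only BACKUP01, where three distinct rules fire, while the single AdFind and PsExec hits on DC01 and FILE02 stay as lower-priority findings for follow-up.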

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
