Kaspersky Reports on Cyber Threats in Q3 2024
Quick take - Kaspersky’s Global Research and Analysis Team has released its quarterly summary for Q3 2024. It details the evolving tactics of advanced persistent threat (APT) actors, including the use of the P8 framework in attacks on Vietnam’s financial sector, ongoing cyber-espionage activity, and the identification of a zero-day vulnerability in Windows, and it highlights the need for continuous monitoring of the cyber threat landscape.
Fast Facts
- Kaspersky’s GReAT released a quarterly summary on APT activity, highlighting significant cyber threats and evolving tactics observed in Q3 2024.
- The P8 framework, linked to attacks on Vietnam’s financial and real estate sectors, features sophisticated architecture with plugins executed in memory, leaving no traces on disk.
- The TetrisPhantom threat actor was associated with compromised USB drives that contained malicious code for file theft and propagation, while other campaigns targeted Russian government entities using various malware.
- The report noted a broadening scope of targeting among threat actors, with ongoing cyber-espionage and the use of open-source tools, emphasizing the need for continuous threat monitoring.
- A zero-day vulnerability (CVE-2024-30051) in Windows Desktop Window Manager was identified, prompting Microsoft to issue an immediate patch to prevent exploitation.
Kaspersky’s Quarterly Summary on APT Activity
Kaspersky’s Global Research and Analysis Team (GReAT) has released its latest quarterly summary on advanced persistent threat (APT) activity, focusing on developments observed during the third quarter of 2024. The report continues the team’s tradition, now spanning more than seven years, of providing insights into significant cyber events and findings derived from extensive threat intelligence research. The summary highlights various cyber threats and their evolving tactics.
Notable Threats and Frameworks
In the second half of 2022, an unidentified threat actor launched attacks using a novel framework known as P8. These attacks primarily targeted victims in Vietnam’s financial and real estate sectors. In 2023, Elastic Lab reported an attack linked to the OceanLotus APT (APT32) that utilized malicious tools called Spectral Viper. However, P8 has not been definitively connected to OceanLotus.
The P8 framework is noted for its sophisticated architecture. It comprises a loader and multiple plugins typically downloaded from a command and control (C2) server and executed in memory, leaving no residual traces on disk. The framework appears to be an enhancement of the open-source project C2Implant. Initial infections attributed to P8 are believed to have occurred via spear-phishing emails, with attackers using an outdated version of the Kaspersky Removal Tool to side-load the P8 beacon. Vulnerabilities in SMB and printer drivers were exploited to facilitate lateral movement within targeted networks. A follow-up report detailed the use of 12 plugins for various malicious functions, including credential theft and data exfiltration, with the threat actor’s focus remaining on financial institutions in Vietnam.
Recent Campaigns and Threat Actors
In early 2024, a compromised secure USB drive was discovered, featuring malicious code designed to infiltrate its access management software. This code enabled the theft of sensitive files and propagation to similar USB drives. The TetrisPhantom threat actor has been linked to these incidents, involving Trojanized USB management software called UTetris.
Other notable campaigns referenced in the summary include the ExCone campaign, detected in July 2021, which targeted Russian government entities using VLC media player to deploy the FourteenHi backdoor. This campaign has connections to the ShadowPad malware and the HAFNIUM threat actor. A 2022 campaign targeted Russian government institutions through spear-phishing emails, employing an updated version of the Pangolin Trojan. A more recent July 2024 campaign involved a JavaScript loader distributed via spear-phishing, ultimately delivering a new backdoor aimed at Russian educational institutions. The Scieron backdoor was identified in attacks against a government entity in Africa and a telecom provider in Central Asia, with noted updates to its infection chain.
The Awaken Likho campaign has remained active since July 2021, with over 120 identified targets, primarily in government organizations. The campaign has evolved its tactics through the use of the legitimate remote administration tool UltraVNC.
Evolving Threat Landscape
The report also highlights various threat actors. The FruityArmor group employs a sophisticated backdoor named DeadGlyph. MuddyWater, an APT actor active since 2017, is known for its multi-stage PowerShell execution techniques. Other groups like Kimsuky and PhantomNet have been observed utilizing various malicious tools and tactics, with Kimsuky employing malware-as-a-service for persistence.
Recent trends noted in Q3 2024 indicate a broadening scope of targeting among threat actors, with ongoing cyber-espionage activities and the use of open-source tools. The report underscores the necessity for continuous monitoring of the threat landscape, as advanced and undetected attacks remain a significant concern for organizations worldwide. Additionally, a zero-day vulnerability in the Windows Desktop Window Manager was identified as CVE-2024-30051, prompting immediate patching by Microsoft to mitigate potential exploitation.
Overall, the findings from Kaspersky’s latest summary emphasize the dynamic and evolving nature of cyber threats.