October 28, 2022 - TuxCare expert team
Notorious cyber espionage group Budworm has launched deliberate attacks against a number of high-profile targets, including a U.S. state legislature, a Middle Eastern country and a multinational electronics manufacturer.
The attack on the unnamed U.S. state legislature marks the first time in several years that Budworm has targeted a U.S.-based entity.
According to the Symantec Threat Hunter team, the Budworm gang exploited the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105). The exploited flaws were used to compromise the Apache Tomcat service on servers in order to install web shells. The attackers used Virtual Private Servers (VPS) hosted on Vultr and Telstra as command-and-control (C&C) servers.
“Budworm’s main payload continues to be the HyperBro malware family, which is often loaded using a technique known as dynamic-link library (DLL) side-loading. This involves the attackers placing a malicious DLL in a directory where a legitimate DLL is expected to be found. The attacker then runs the legitimate application (having installed it themselves). The legitimate application then loads and executes the payload,” the report disclosed.
For the most recent attacks, Budworm used the endpoint privilege management software CyberArk Viewfinity to carry out the side-loading. The binary is usually left by the attackers under its default name, vf_host.exe, so that it passes as a harmless file.
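The side-loading pattern described above is detectable in image-load telemetry: a legitimate executable resolving a DLL that normally lives in a Windows system directory from its own folder instead. The following detector is an added example, not code from the article or from Symantec; the event field names, the list of commonly abused system DLL names, and the sample telemetry are all assumptions constructed for the illustration.

```python
"""Heuristic detector for DLL side-loading in image-load telemetry.

Added example: event fields ('process', 'image') and the sample records
are constructed; they are not from the article or any vendor report.
"""
from pathlib import PureWindowsPath

# Assumption: Windows system DLLs that a legitimate application normally
# resolves from the system directory. A copy of one of these sitting next
# to the executable is the classic side-loading pattern.
SYSTEM_DLL_NAMES = {
    "version.dll", "wininet.dll", "dbghelp.dll", "userenv.dll", "cryptbase.dll",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_sideload_candidate(event):
    """Return True when a DLL with a system-DLL name is loaded from the
    executable's own (non-system) directory rather than from Windows."""
    dll = PureWindowsPath(event["image"])
    exe = PureWindowsPath(event["process"])
    if dll.name.lower() not in SYSTEM_DLL_NAMES:
        return False                      # application's own DLL, not a system name
    dll_dir = str(dll.parent).lower()
    if dll_dir.startswith(SYSTEM_DIRS):
        return False                      # loaded from where it belongs
    # Same folder as the executable: the loader picked up a planted copy.
    # Note the executable itself may be legitimately signed (as with the
    # Viewfinity binary described in the article), so the signature alone
    # is not evidence that the load is benign.
    return dll_dir == str(exe.parent).lower()


def find_sideloads(events):
    """Filter a list of image-load events down to side-loading candidates."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample telemetry (not real data): one benign system load,
# one planted system-named DLL beside the executable, one ordinary app DLL.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\notepad.exe",
     "image": r"C:\Windows\System32\version.dll"},
    {"process": r"C:\ProgramData\vf\vf_host.exe",
     "image": r"C:\ProgramData\vf\version.dll"},
    {"process": r"C:\ProgramData\vf\vf_host.exe",
     "image": r"C:\ProgramData\vf\vfhost_core.dll"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("side-load candidate:", hit["process"], "->", hit["image"])
```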
Besides the PlugX/Korplug trojan used as a payload, the attackers' toolset includes Cobalt Strike, LaZagne, IOX, Fast Reverse Proxy (FRP), and Fscan.
Cobalt Strike is an off-the-shelf tool used to load shellcode onto victim machines; although it is a legitimate penetration testing tool, it is routinely abused by threat actors. LaZagne is a publicly available credential dumping tool. IOX is a publicly available proxy and port forwarding tool. Fast Reverse Proxy (FRP) is a reverse proxy tool, while Fscan is a publicly available intranet scanning tool.
Adequate security measures are essential to mitigate such attacks. Organizations must apply the latest patches to their servers. It is also important that they conduct periodic penetration tests to find exploitable vulnerabilities, since flaws like these give attackers their initial access.
The sources for this piece include an article in TheHackerNews.