ClickCease Budworm hackers target U.S. organizations

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Budworm hackers target U.S. organizations with new espionage attacks

Obanla Opeyemi

October 28, 2022 - TuxCare expert team

Notorious cyber espionage group Budworm has launched deliberate attacks against a number of high-profile targets, including a U.S. state legislature, a Middle Eastern country and a multinational electronics manufacturer.

The attack on the unnamed U.S. state legislatures marks the first time in several years that Budworm has targeted a U.S.-based entity.

According to the Symantec Threat Hunter team, the Budworm gang exploited the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105). The exploited flaws were used to compromise the Apache Tomcat service on servers in order to install web shells. The attackers used Virtual Private Servers (VPS) hosted on Vultr and Telstra as command-and-control (C&C) servers.

“Budworm’s main payload continues to be the HyperBro malware family, which is often loaded using a technique known as dynamic-link library (DLL) side-loading. This involves the attackers placing a malicious DLL in a directory where a legitimate DLL is expected to be found. The attacker then runs the legitimate application (having installed it themselves). The legitimate application then loads and executes the payload,” the report disclosed.

For the most recent attacks, Budworm used the endpoint privilege management software CyberArk Viewfinity to carry out side-loading. The binary has the default name vf_host.exe and is usually left behind by the attackers to disguise itself as a more harmless file.

Although the attackers use the PlugX/Korplug trojan as payload, other tools used during attacks include Cobalt Strike, LaZagne, IOX, Fast Reverse Proxy (FRP), and Fscan.

Cobalt Strike is an off-the-shelf tool used to load shellcode onto victim machines. Although it is a legitimate penetration testing tool, it can be exploited by threat actors. LaZagne is a publicly available credential dumping tool. IOX is a publicly available proxy and port forwarding tool. Fast Reverse Proxy (FRP) is a reverse proxy tool, while Fscan is a publicly available intranet scanning tool.

Adequate security measures are essential to mitigate attacks. Organizations must use the latest patch and install it on their servers. It is also important that organizations conduct periodic pen tests to detect exploitable vulnerabilities in their organizations, as this can allow attackers initial access to any organization.

The sources for this piece include an article in TheHackerNews.

Summary
Budworm hackers target U.S. organizations with new espionage attacks
Article Name
Budworm hackers target U.S. organizations with new espionage attacks
Description
Notorious cyber espionage group Budworm has launched deliberate attacks against a number of high-profile targets, including a U.S. state legislature, a Middle Eastern country, and a multinational electronics manufacturer.
Author
Publisher Name
Tuxcare
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Related Articles

How GPT models can be...

According to CyberArk researchers, GPT-based models like ChatGPT can be...

January 30, 2023

Attackers actively exploit Unpatched Control...

Malicious hackers have started exploiting a critical vulnerability CVE-2022-44877 in...

January 27, 2023

Attackers distribute malware via malicious...

Deep Instinct researchers reported that RATs like StrRAT and Ratty...

January 26, 2023

CircleCI partners AWS to identify...

According to CircleCI’s CTO, Rob Zuber, CircleCI is working with...

January 25, 2023

Cisco warns of authentication bypass...

A remote attacker could exploit multiple vulnerabilities in four Cisco...

January 24, 2023

IceID malware infiltrates Active Directory...

In a notable IcedID malware attack, the assailant impacted the...

January 23, 2023