Today’s Topics:

• Infiltration by Resume: How Fake North Korean Workers Tricked Over 300 U.S. Companies
• Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware
• How can Netizen help?

Infiltration by Resume: How Fake North Korean Workers Tricked Over 300 U.S. Companies

Google’s Mandiant team recently uncovered a scheme where an American collaborator helped fake North Korean IT workers land jobs at U.S. companies, raking in roughly $6.8 million over three years. The operation, known as UNC5267, involved stealing identities and using fake resumes to infiltrate over 300 companies between 2020 and 2023.

According to Mandiant, North Korea is behind the effort, using these jobs to generate revenue, dodge sanctions, and fund its nuclear and missile programs. The IT workers, mostly based in China and Russia, use clever evasion tactics, such as fake companies and money laundering, to juggle multiple jobs at once. One individual even used over 60 stolen identities to keep the operation going.

These workers gain access to U.S. companies through “laptop farms” run by paid facilitators, who remotely manage company devices using tools like GoToRemote, AnyDesk, and TeamViewer. The workers connect from abroad via VPNs like Astrill and avoid video chats, often producing below-average work, making them difficult to spot without strict vetting.

In one case, security firm KnowBe4 caught a North Korean operative trying to install malware just 25 minutes after getting hired. Mandiant warns that while espionage hasn’t been confirmed yet, the high-level access these workers gain could be leveraged in the future. The report also found that many of the profiles feature AI-generated photos and fake credentials, making it tricky for employers to identify the scam during the hiring process.

To counter these risks, Mandiant advises companies to tighten their background checks with biometric verification and ensure on-camera interviews are conducted. They also recommend monitoring remote tools and VPN usage while training HR and IT teams to spot potential hiring fraud.

Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware

A sophisticated cyber-espionage campaign, believed to be orchestrated by Chinese hackers, has been targeting government organizations and industries across the Asia-Pacific (APAC) region. According to research conducted by Trend Micro, the attacks exploited a recently patched vulnerability in OSGeo GeoServer GeoTools, and introduced a new malware strain dubbed EAGLEDOOR. The threat actor behind these activities, known as Earth Baxia, has been active since July 2024.

The campaign focused on government agencies, telecommunication companies, and energy organizations in countries like Taiwan, South Korea, Vietnam, Thailand, and the Philippines. Researchers also discovered lure documents written in Simplified Chinese, suggesting that sectors within China may have been targeted as well, though more evidence is needed to confirm this.

The identified method of intrusion involved spear-phishing emails and exploitation of a critical vulnerability in GeoServer (CVE-2024-36401, with a CVSS score of 9.8). This flaw, if exploited, allows attackers to deliver a combination of Cobalt Strike—a common tool used in post-exploitation frameworks—and the newly discovered EAGLEDOOR malware.

EAGLEDOOR is designed for information gathering and remote control, using multiple methods to communicate with its command-and-control (C2) servers over DNS, HTTP, TCP, and even Telegram. While the first three protocols serve to monitor victim status, the core malware capabilities are driven by Telegram Bot API, allowing attackers to upload and download files, execute commands, and further infiltrate compromised systems.

Researchers highlighted that Earth Baxia used the GrimResource and AppDomainManager injection techniques, paired with decoy files, to maintain persistence and deploy additional malware. One notable payload, dubbed RIPCOY, was hidden within a ZIP archive attachment, masquerading as a legitimate file.

Interestingly, Earth Baxia’s tactics mirror those observed in campaigns attributed to APT41, a notorious Chinese cyber-espionage group. Both groups leveraged similar spear-phishing techniques and utilized Cobalt Strike with domains mimicking public cloud providers like Amazon Web Services (AWS) and Microsoft Azure. These domains, such as “s3cloud-azure” and “s3bucket-azure,” helped obscure their malicious activities and made detection more difficult.

Japanese cybersecurity company NTT Security Holdings recently uncovered a cluster of activity that shares many characteristics with the Earth Baxia campaign, specifically targeting military and energy sectors in Taiwan, the Philippines, and Vietnam.

The sophistication of these attacks highlights the evolving tactics used by Earth Baxia and other Chinese-linked APT groups. By exploiting critical vulnerabilities in software and leveraging public cloud services like AWS and Microsoft Azure, these groups can infiltrate systems while maintaining a low profile. The deployment of customized malware, such as EAGLEDOOR, underscores their adaptability and intent to exfiltrate sensitive data from high-value targets.

While the specific end goal of these operations may still be unclear, the elevated system access gained through EAGLEDOOR and Cobalt Strike presents a significant risk for future exploitation or potential espionage.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Today’s Topics:

• Windows 11 to Redefine How Anti-Malware Tools Operate After Costly Disruption
• Hadooken Malware: A Powerful Combo Attack of Crypto Mining and DDoS on Linux Servers
• How can Netizen help?

Windows 11 to Redefine How Anti-Malware Tools Operate After Costly Disruption

The fallout from a major IT disruption in July, caused by a faulty CrowdStrike update, has spurred Microsoft to rethink how anti-malware tools interact with the Windows kernel. With billions of dollars lost and systems worldwide affected, Microsoft is now focusing on making Windows 11 more resilient by reconfiguring how third-party security vendors operate.

In response, Microsoft plans to implement a fundamental change in how security software integrates with its operating system. Rather than allowing these tools to access the Windows kernel—an area where any malfunction can cause widespread system failures—the company is redesigning its platform so that third-party vendors can function outside of kernel mode. This effort, still in development, aims to safeguard against future disruptions like those that left CrowdStrike customers struggling during the July outage.

David Weston, Microsoft’s Vice President of Enterprise and OS Security, outlined the company’s approach following a summit held in Redmond. Weston said the goal is to boost both security and system stability without the inherent risks that come with kernel-level access. According to him, these changes are designed to better support security vendors while increasing the flexibility and reliability of Windows-based systems.

“Our focus is on ensuring solution providers can secure systems without needing kernel access,” Weston said. “With Windows 11, we can offer greater flexibility by moving vendors out of the kernel, while still maintaining the necessary level of protection.”

Microsoft’s push also includes reinforcing Safe Deployment Practices (SDP) for Endpoint Detection and Response (EDR) vendors. SDP calls for a phased, controlled release of updates, which would allow any potential problems to be identified before they reach a large user base. Weston highlighted how this could prevent incidents like the July CrowdStrike update, where a single faulty release caused significant downtime and disruptions for many businesses.

The summit addressed additional concerns, including the challenges of operating outside kernel mode and maintaining anti-tampering measures. Microsoft is particularly focused on ensuring the next generation of security tools doesn’t compromise system performance while remaining secure against cyber threats.

As part of this broader strategy, Microsoft is encouraging vendors to share more information about their products’ stability and compatibility, not only during development but after updates are released. This transparency is meant to foster greater cooperation between Microsoft and its security partners, ensuring a more streamlined response when incidents occur.

By overhauling how third-party tools interact with its system, Microsoft is clearly signaling a shift toward long-term reliability. The upcoming platform changes in Windows 11 could set a new precedent for how security software integrates with operating systems, minimizing the risk of widespread outages while keeping critical systems secure.

Hadooken Malware: A Powerful Combo Attack of Crypto Mining and DDoS on Linux Servers

A newly discovered malware campaign is targeting Linux environments by exploiting vulnerabilities in Oracle Weblogic servers to conduct cryptocurrency mining and spread botnet malware, according to cloud security researchers at Aqua Security.

The malware, dubbed Hadooken, is designed to infiltrate Linux-based systems and deliver a double payload: a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet known as Tsunami (also called Kaiten). Tsunami has previously been linked to attacks on Jenkins and Weblogic services deployed within Kubernetes environments.

The attackers are using known vulnerabilities in Oracle Weblogic, as well as common misconfigurations, such as weak credentials, to gain an initial foothold in targeted systems. Once compromised, the system executes arbitrary code via two primary payloads—one written in Python and the other as a shell script. Both payloads are designed to retrieve Hadooken from remote servers located at “89.185.85[.]102” or “185.174.136[.]204.”

One notable aspect of the shell script version is its ability to comb through directories containing SSH data, such as user credentials and host information. Using this data, the malware spreads laterally across connected systems, further propagating Hadooken within the targeted infrastructure.

Once Hadooken is deployed, it drops both a cryptocurrency miner and the Tsunami botnet, the latter of which has been linked to attacks on Kubernetes environments. The malware ensures persistence by creating cron jobs that run the cryptocurrency miner periodically, keeping the malicious activity ongoing at irregular intervals to evade detection.

Hadooken employs several defense evasion tactics, including the use of Base64-encoded payloads and disguising malicious processes under seemingly benign names such as “bash” and “java.” This technique allows the malware to blend in with legitimate system processes, reducing the likelihood of detection by security tools. Additionally, Hadooken cleans up after itself by deleting any artifacts of its malicious activity post-execution.

Both IP addresses linked to the malware—89.185.85[.]102 and 185.174.136[.]204—are associated with the hosting company Aeza International LTD. Aeza is a bulletproof hosting provider, with operations based in Germany and links to data centers in Moscow and Frankfurt. This type of hosting service is notorious for sheltering cybercriminals, making it difficult to trace and shut down operations.

A report from cybersecurity firm Uptycs in February 2024 had previously linked Aeza to the 8220 Gang, another cybercrime group responsible for a cryptocurrency campaign exploiting vulnerabilities in Apache Log4j and Atlassian Confluence.

With its multi-faceted attack strategy—combining cryptocurrency mining, lateral movement, and DDoS botnet deployment—Hadooken poses a significant threat to organizations running vulnerable systems.

Security teams managing Linux systems, especially those leveraging Oracle Weblogic or Kubernetes, should remain vigilant and ensure all vulnerabilities are patched, misconfigurations are addressed, and monitoring tools are in place to detect any suspicious activity.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Today’s Topics:

• CISA Responds to Controversial ‘Airport Security Bypass’ Vulnerability
• U.S. Offers $10 Million for Info on Russian Cadet Blizzard Hackers Behind Major Attacks
• How can Netizen help?

CISA Responds to Controversial ‘Airport Security Bypass’ Vulnerability

In late August 2024, cybersecurity researchers Ian Carroll and Sam Curry revealed a potentially alarming security flaw within FlyCASS, a third-party web-based application utilized by smaller airlines as part of the Cockpit Access Security System (CASS) and Known Crewmember (KCM) programs. These programs play a critical role in enabling Transportation Security Administration (TSA) security officers to verify the identity and employment status of airline crewmembers, allowing pilots and flight attendants to bypass regular security screening procedures.

The disclosed vulnerability, an SQL injection flaw, could allegedly allow malicious actors to gain unauthorized access to the application’s administrative functions. With this access, attackers could manipulate the list of pilots and flight attendants associated with a participating airline. According to Carroll and Curry, they successfully added a fictitious employee to the database, highlighting the severity of the issue.

“Surprisingly, there is no further check or authentication to add a new employee to the airline. As the administrator of the airline, we were able to add anyone as an authorized user for KCM and CASS,” the researchers stated. They further warned that with basic knowledge of SQL injection, an attacker could theoretically bypass airport security screening and access the cockpits of commercial airliners.

The vulnerabilities were reported in April 2024 to several agencies, including the Federal Aviation Administration (FAA), ARINC (which operates the KCM system), and the Cybersecurity and Infrastructure Security Agency (CISA). In response, the FlyCASS service was swiftly disabled within the KCM and CASS systems, and the identified issues were patched.

However, the researchers expressed dissatisfaction with the disclosure process. While CISA acknowledged the issue initially, the researchers allege that communication from the agency abruptly ceased, leaving them without further updates. Additionally, they criticized the TSA for issuing what they described as “dangerously incorrect statements” regarding the vulnerability, denying the severity of the findings.

The TSA responded to the situation by downplaying the potential impact of the FlyCASS vulnerability. A TSA spokesperson emphasized that the flaw was not present in a TSA system and did not connect to any government infrastructure. The spokesperson assured that there was no impact on transportation security, and that the vulnerability had been promptly resolved by the third party responsible for the software.

“In April, TSA became aware of a report that a vulnerability in a third party’s database containing airline crewmember information was discovered and that through testing of the vulnerability, an unverified name was added to a list of crewmembers in the database. No government data or systems were compromised and there are no transportation security impacts related to the activities,” the spokesperson said.

Furthermore, the TSA clarified that they do not solely rely on the database in question for crewmember verification and have additional procedures in place to ensure security.

Initially silent on the matter, CISA has now issued a statement in response to inquiries. While the statement did not provide specific details about the potential impact of the vulnerabilities, CISA confirmed its awareness and involvement in addressing the issue.

“CISA is aware of vulnerabilities affecting software used in the FlyCASS system. We are working with researchers, government agencies, and vendors to understand the vulnerabilities in the system, as well as appropriate mitigation measures,” a CISA spokesperson stated. The agency also noted that it is actively monitoring for any signs of exploitation, though none have been observed to date.

The disclosure of the FlyCASS vulnerability has sparked a debate over the extent of its impact and the effectiveness of the response from the involved agencies. While the researchers who discovered the flaw warn of significant security risks, the TSA maintains that the vulnerability posed no immediate threat to transportation security. As CISA and other stakeholders continue to investigate, this incident serves as a reminder of the ongoing challenges in securing critical infrastructure against evolving cyber threats.

U.S. Offers $10 Million for Info on Russian Cadet Blizzard Hackers Behind Major Attacks

The U.S. government, along with a coalition of international partners, has officially linked a Russian hacking group known as Cadet Blizzard to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).

“These cyber actors have been responsible for network operations targeting global entities for espionage, sabotage, and reputational damage since at least 2020,” the authorities said in a statement. “Since early 2022, their focus appears to be on disrupting efforts to provide aid to Ukraine.”

The attacks have primarily targeted critical infrastructure and key resource sectors, including government services, financial services, transportation, energy, and healthcare sectors across NATO member states, the European Union, Central America, and Asia.

The advisory, released last week as part of Operation Toy Soldier, is a coordinated effort involving cybersecurity and intelligence agencies from the U.S., the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Ukraine, Canada, Australia, and the U.K.

Cadet Blizzard, also known as Ember Bear, FROZENVISTA, Nodaria, Ruinous Ursa, UAC-0056, and UNC2589, first gained attention in January 2022 for deploying the destructive WhisperGate (also known as PAYWIPE) malware against multiple Ukrainian organizations in the lead-up to Russia’s full-scale invasion.

In June 2024, Amin Timovich Stigal, a 22-year-old Russian national, was indicted in the U.S. for his role in carrying out destructive cyberattacks on Ukraine using wiper malware. However, WhisperGate is not exclusive to this group alone.

The U.S. Department of Justice (DoJ) has also charged five officers associated with Unit 29155 with conspiracy to commit computer intrusions and wire fraud conspiracy. These charges cover a wide range of targets, including Ukraine, the U.S., and 25 other NATO nations.

The five officers charged are:

• Yuriy Denisov (Юрий Денисов), a colonel in the Russian military and commanding officer of Cyber Operations for Unit 29155
• Vladislav Borovkov (Владислав Боровков), Denis Denisenko (Денис Денисенко), Dmitriy Goloshubov (Дима Голошубов), and Nikolay Korchagin (Николай Корчагин), all lieutenants in the Russian military assigned to Unit 29155 for cyber operations.

“The defendants acted to create panic among Ukrainian citizens regarding the security of their government systems and personal data,” according to the DoJ. “Their targets included systems and data with no military or defense roles. Later, they expanded to target countries providing aid to Ukraine.”

In conjunction with the indictment, the U.S. Department of State’s Rewards for Justice program has announced a reward of up to $10 million for information leading to the defendants’ locations or information about their cyber activities.

Unit 29155 has been implicated in numerous destabilizing activities across Europe, including attempted coups, sabotage, influence operations, and assassination plots. Since 2020, they have extended these efforts to offensive cyber operations aimed at espionage, reputational damage, and destruction of valuable systems.

According to the advisory, Unit 29155 is composed of junior GRU officers who collaborate with known cybercriminals and civilian enablers like Stigal to execute their missions. Their operations include website defacements, infrastructure scanning, data exfiltration, and leaking or selling sensitive data.

Their attack methods typically begin with scanning for known vulnerabilities in platforms like Atlassian Confluence Server and Data Center, Dahua Security, and Sophos’ firewall systems. After breaching a victim’s environment, they use tools like Impacket to facilitate post-exploitation and lateral movement, ultimately exfiltrating data to designated servers.

The advisory also mentioned that the group may have used the Raspberry Robin malware as an access broker. Another tactic involved targeting Microsoft Outlook Web Access (OWA) infrastructure with password spraying techniques to steal valid credentials.

Organizations are urged to take immediate action to reduce their vulnerability to such attacks. Recommendations include regular system updates, prompt remediation of known vulnerabilities, network segmentation to limit the spread of malicious activity, and implementing phishing-resistant multi-factor authentication (MFA) for all externally facing account services.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.