Weekly Threat Report - 29th May 2020
Exim flaw highlighted by NSA
The US National Security Agency has published an advisory this week relating to the ongoing exploitation of Exim vulnerability CVE-2019-10149.
Russian military cyber actors, known as Sandworm, have been exploiting a vulnerability in the Exim mail transfer agent. To mitigate the CVE-2019-10149 vulnerability, providers should update Exim immediately by installing version 4.93 or newer.
The NCSC published a statement in support of the NSA’s findings and has previously published an advisory which provides details and mitigation advice on a number of Exim vulnerabilities.
The UK and its allies have previously exposed numerous indiscriminate and reckless cyber attack campaigns by the GRU. Earlier this year, the UK government publicly condemned an unacceptable campaign of cyber attacks against Georgia. The NCSC assessed with the highest level of probability that the Russian GRU was behind these attacks.
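As an added example (not from the report, the NSA advisory or the Exim project), a small Python check that parses the version banner Exim prints and flags hosts below the 4.93 threshold the report gives. The banner wording and the sample hostnames are assumptions.

```python
import re

# The report's mitigation threshold: Exim 4.93 or newer.
RECOMMENDED_VERSION = (4, 93)

# First line of `exim -bV` output is assumed to look like
# "Exim version 4.92 #3 built 01-Jul-2019 ..." (assumption, not from the report).
_BANNER_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(banner: str):
    """Return (major, minor, patch) parsed from a banner, or None if no version is found."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def exim_needs_update(banner: str) -> bool:
    """True when the banner shows a version below the report's 4.93 recommendation.

    Comparison is tuple-based, so 4.92.3 (patch release) still counts as below 4.93.
    """
    version = parse_exim_version(banner)
    if version is None:
        raise ValueError("no Exim version found in banner: %r" % banner)
    return version[:2] < RECOMMENDED_VERSION


def hosts_needing_update(banners: dict) -> list:
    """Given {hostname: banner}, return the sorted hostnames that should be updated."""
    return sorted(host for host, banner in banners.items() if exim_needs_update(banner))


# Constructed sample inventory (hostnames and banners are made up for this example).
SAMPLE_BANNERS = {
    "mx1.example.test": "Exim version 4.92 #3 built 01-Jul-2019",
    "mx2.example.test": "Exim version 4.93 #1 built 10-Jan-2020",
    "mx3.example.test": "Exim version 4.92.3 #3 built 30-Sep-2019",
}

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_BANNERS):
        print("UPDATE REQUIRED:", host, "->", SAMPLE_BANNERS[host])
```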
Researchers disclose new features of latest ComRAT malware
In a whitepaper published this week, cyber security firm ESET details how new features of the ComRAT v4 malware are being used to target political institutions.
TURLA, one of Russia’s most notorious hacker groups, has targeted two ministries of Foreign Affairs and a national parliament using the ComRAT v4 malware.
The malware uses a complex backdoor to steal sensitive documents and upload these to a public cloud service.
Hackers are now using ComRAT to collect antivirus logs from infected computers. The researchers also noted that ComRAT can use the Gmail web interface to receive commands and exfiltrate data.
This means hackers can take over a victim’s web browser to load malware that takes commands from emails the hackers send to the victim. This differs from the traditional method of using HTTP to deliver instructions to victims’ devices.
ComRAT has been used to target political institutions in the past and this appears to be continuing. ESET’s whitepaper provides insight into the attacker’s activity and helpfully provides a list of MITRE ATT&CK techniques.
Our Cyber Assessment Framework (CAF) contains a section on building networks and systems that are resilient to cyber attacks, and these other pieces of guidance might also be useful: