Sunday , July 7 2024

Secretive operation! Asia’s gov.t entities targeted by Gelsemium hackers

infosecbulletin Saturday , September 23 2023 International

A secretive cyber attack known as Gelsemium, which lasted for six months from 2022 to 2023, targeted a government in Southeast Asia. The cyberespionage group known as Gelsemium has been actively operating since 2014, with a focus on targeting government institutions, educational organizations, and electronic manufacturers in East Asia and the Middle East.

ESET’s 2021 report describes the threat group as “quiet,” highlighting their extensive technical skills and programming knowledge that have allowed them to avoid detection for a long time. A recent report from Palo Alto Network’s Unit 42 shows that a new Gelsemium campaign is using backdoors that are not commonly seen. These backdoors are connected to threat actors with moderate confidence.

RockYou2024: Massive 10-Billion Password Leak

By infosecbulletin / Sunday , July 7 2024
A huge collection of passwords, containing almost ten billion unique passwords, was leaked on a popular hacking forum. The Cybernews...
Read More
RockYou2024: Massive 10-Billion Password Leak

ISPC first get together held with a festive look

By infosecbulletin / Sunday , July 7 2024
First get together of information security professionals community (ISPC) was held at Dhaka with a festive look with the participation...
Read More
ISPC first get together held with a festive look

ISACA Dhaka chapter election
Iqbal hossain president, Azad secretary for ISACA Dhaka chapter

By infosecbulletin / Saturday , July 6 2024
Mohammed Iqbal Hossain has been elected as the president of ISACA Dhaka chapter and Md. Abul Kalam Azad has been...
Read More
ISACA Dhaka chapter election Iqbal hossain president, Azad secretary for ISACA Dhaka chapter

Emerging Eldorado ransomware focuses on Windows, VMware ESXi VMs

By infosecbulletin / Saturday , July 6 2024
A new ransomware named Eldorado appeared in March and has locker versions for VMware ESXi and Windows. The gang has...
Read More
Emerging Eldorado ransomware focuses on Windows, VMware ESXi VMs

OVHcloud faces record 840 million DDoS Attack Using MikroTik Routers

By infosecbulletin / Friday , July 5 2024
French cloud computing firm OVHcloud recently handled the largest DDoS attack in terms of packet rate. This attack occurred during...
Read More
OVHcloud faces record 840 million DDoS Attack Using MikroTik Routers

New report; Polyfill[.]io Attack Impacts Over 380,000 Hosts

By infosecbulletin / Friday , July 5 2024
The web development community was affected by a supply chain attack on the popular Polyfill.io JavaScript library last week. Polyfill.js...
Read More
New report; Polyfill[.]io Attack Impacts Over 380,000 Hosts

Apache HTTP Server Update Patches Critical Source Code Disclosure Flaw

By infosecbulletin / Friday , July 5 2024
Apache Software Foundation released Apache HTTP Server version 2.4.61 to fix a serious source code disclosure vulnerability (CVE-2024-39884). This flaw...
Read More
Apache HTTP Server Update Patches Critical Source Code Disclosure Flaw

Microsoft Uncovers Flaws in Rockwell Automation PanelView Plus

By infosecbulletin / Thursday , July 4 2024
Microsoft's cybersecurity team found two major vulnerabilities in Rockwell Automation's PanelView Plus, a widely used human-machine interface in industrial settings....
Read More
Microsoft Uncovers Flaws in Rockwell Automation PanelView Plus

Researchers detect 28 new Ransomwares in June

By infosecbulletin / Thursday , July 4 2024
Cybersecurity experts found 28 new types of ransomware in June. These malicious programs are a big threat to individuals and...
Read More
Researchers detect 28 new Ransomwares in June

Vote for DHAKA, Vote for ISACA at 6 July

By infosecbulletin / Wednesday , July 3 2024
ISACA Dhaka Chapter election is going to be held on Saturday (6 July) 2024. This year 23 candidates will fight...
Read More
Vote for DHAKA, Vote for ISACA at 6 July
Palo Alto Network’s Unit 42 blog screenshot

Recent Gelsemium attacks

Gelsemium successfully initiated its first attack by installing web shells, possibly by exploiting vulnerabilities in servers exposed to the internet. Unit 42 has identified the presence of web shells known as ‘reGeorg,’ ‘China Chopper,’ and ‘AspxSpy.’ These web shells are widely accessible and utilized by various threat groups, posing a challenge when it comes to attribution.

Gelsemium leveraged the power of web shells to carry out essential network reconnaissance, expertly maneuver through SMB, and skillfully retrieve additional payloads. There are several powerful tools that can assist in lateral movement, data collection, and privilege escalation. These include OwlProxy, SessionManager, Cobalt Strike, SpoolFool, and EarthWorm.

Cobalt Strike is an extensively employed suite for penetration testing, EarthWorm serves as a readily accessible SOCKS tunneler, and SpoolFool stands as an open-source tool for local privilege escalation. Therefore, it is important to note that these three resources, though not exclusive to Gelsemium, are highly valuable in their own right.

Palo Alto Network’s Unit 42 blog screenshot

According to Unit 42, the OwlProxy is an exceptional and specialized HTTP proxy and backdoor tool. It has been reported by Unit 42 that Gelsemium used this tool in a previous attack aimed at the Taiwanese government.

In the latest campaign, the attacker placed a file (wmipd.dll) on the compromised system’s disk and created a service to run it.

Check Also

google

Google to pays $250,000 for KVM zero-day vulnerabilities

Google launched a new bug bounty program called kvmCTF to enhance the security of its …

Leave a Reply

Your email address will not be published. Required fields are marked *

Mail: [email protected]
© Copyright 2024, All Rights Reserved InfoSecBulletin