Wednesday 18th December 2024
Good morning. If your router could talk, it’d probably say, “Patch me before it’s too late!” Between ransomware gangs exploiting DrayTek routers, rogue RDP attacks masquerading as legit connections, and newly flagged vulnerabilities from CISA, it’s a rough week for network security.
Today, we’re looking into how red team tools are falling into the wrong hands, why IoT devices like webcams are under fire, and why your organisation’s RDP settings might need a second look. Cybercriminals are innovating—*are your defences keeping up?*
Let’s dig in. 🔒
The Mask Returns: Cyber Espionage Actor Strikes Again
A notorious yet under-the-radar cyber espionage group, The Mask (aka Careto), has reemerged, targeting a Latin American organisation in two sophisticated attacks in 2019 and 2022, according to Kaspersky researchers. Active since at least 2007, The Mask typically zeroes in on high-profile entities like governments and research institutions.
Their playbook? Initial access via spear-phishing emails that exploit browser vulnerabilities, followed by malware deployment. Notably, the group has devised methods to exploit legitimate tools—like the MDaemon webmail server and HitmanPro Alert driver—to maintain persistence and spread across networks.
Fast forward to 2024: The Mask has been linked to fresh infection techniques, cementing their ability to innovate with advanced malware capabilities. Cybersecurity pros, stay sharp—this actor clearly hasn’t dropped the curtain.
Earth Koshchei Strikes Again: Weaponising Red Team Tools
APT group Earth Koshchei (aka APT29/Midnight Blizzard) is back in the spotlight, this time exploiting red team methodologies to execute a massive rogue RDP attack. Trend Micro reports that the espionage-focused group—allegedly linked to Russia's SVR—used rogue RDP configuration files to gain partial control of victim systems and exfiltrate sensitive data.
The campaign peaked on October 22, 2024, with targeted spear-phishing emails hitting governments, militaries, academic researchers, and Ukrainian entities. Victims unknowingly connected to malicious RDP servers set up across 193 proxies and 34 backend servers, allowing the attackers to:
Earth Koshchei’s extensive infrastructure—enabled by VPNs, TOR, and residential proxies—further complicates attribution, though the group’s fingerprints are evident.
Big Picture: This attack highlights the risk of red team techniques being repurposed by APTs. Blocking outbound RDP connections and filtering RDP files over email are critical defences for organisations.
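As an added defensive example (not code from the original post or from Trend Micro's report): a small inspector for .rdp files arriving by e-mail that flags destinations outside an allowlist and settings that redirect local drives, clipboard or devices to the remote host. The allowlist, the set of flagged settings and the sample file are assumptions of this example.

```python
"""Inspect .rdp connection files (e.g. e-mail attachments) for settings that hand
local resources to the remote server, plus destinations outside an allowlist.
Added example for the rogue-RDP defence described above; not from the original post."""
import re
from typing import Dict, List

# .rdp files are lines of the form  name:type:value  where type is s (string),
# i (integer) or b (binary). The value itself may contain colons (host:port).
_LINE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

# Settings that expose local resources to the remote host (assumed risk policy).
RISKY_INT = ("redirectclipboard", "redirectprinters", "redirectsmartcards",
             "redirectcomports", "redirectposdevices")
RISKY_STR = ("drivestoredirect", "devicestoredirect", "usbdevicestoredirect")


def parse_rdp(text: str) -> Dict[str, str]:
    """Return a dict of lowercase setting names to raw string values."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            settings[m["name"].strip().lower()] = m["value"].strip()
    return settings


def _host_of(addr: str) -> str:
    """Strip an optional :port from a host:port value (IPv4 names and hostnames)."""
    addr = addr.strip().lower()
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr


def assess_rdp(text: str, allowed_hosts: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    s = parse_rdp(text)
    findings: List[str] = []
    host = _host_of(s.get("full address", ""))
    if not host:
        findings.append("no 'full address' setting")
    elif not any(host == a or host.endswith("." + a) for a in allowed_hosts):
        findings.append(f"destination {host!r} not in allowlist")
    for name in RISKY_INT:
        if s.get(name, "0") not in ("", "0"):
            findings.append(f"{name} enabled")
    for name in RISKY_STR:
        if s.get(name, ""):
            findings.append(f"{name}={s[name]!r} exposes local devices")
    if s.get("remoteapplicationmode", "0") == "1":
        findings.append("RemoteApp mode enabled")
    return findings


# Constructed sample attachment for this example, not a real campaign artifact.
SAMPLE = """\
full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
username:s:guest
"""

if __name__ == "__main__":
    for finding in assess_rdp(SAMPLE, ["corp.example"]):
        print("FLAG:", finding)
```

Run it against a quarantined attachment to get a list of reasons for holding the message; an empty list means the file only points at an allowlisted host and redirects nothing.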
CISA Flags New Exploited Flaws as FBI Tracks HiatusRAT Escalation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities to its Known Exploited Vulnerabilities catalog, warning of active exploitation:
Federal agencies are urged to patch systems by January 6, 2025, as PoC exploits for both vulnerabilities are publicly available.
Meanwhile, the FBI warned of HiatusRAT campaigns expanding beyond routers to exploit IoT devices like Hikvision and D-Link webcams, leveraging outdated vulnerabilities and weak passwords. Tools like Ingram and Medusa are reportedly used for brute-force attacks.
Over 20,000 DrayTek routers were exploited in a ransomware spree involving multiple threat actors—Monstrous Mantis, Ruthless Mantis, and LARVA-15. The campaign showcased a structured workflow:
The findings highlight lingering weaknesses in device security, urging vendors to prioritise root cause analysis and systematic code reviews.
Aidan Dickenson: It's crucial for both businesses and individuals to recognize the risks associated with unpatched devices, especially in our increasingly interconnected world.