Date: 03/11/2025
Severity: Medium
Summary
The Cisco Talos report "Unmasking the new persistent attacks on Japan" describes an ongoing campaign against Japanese organizations across business verticals including technology, telecommunications, entertainment, education, and e-commerce, based on analysis of artefacts recovered from the command and control (C2) server. The attackers exploited CVE-2024-4577, a remote code execution vulnerability in PHP, to gain initial access, and used Cobalt Strike plugins for post-exploitation. Their tooling was staged in Alibaba Cloud containers and used to steal credentials, establish persistence, and escalate privileges, which suggests preparation for further attacks.
Indicators of Compromise (IOC) List
Type | Value
URL/Domain | http://38.14.255.23
IP Address | 118.31.18.77, 38.14.255.23
SHA256 Hash | 0ff87724012499381266e5eb8481117ed4549f44fa88be2c517afee899c2179f, ccedc244ad5933537231139e24b4cad0df3e44d3b2944ef3b28dea5973396185, 73d908725a08dcfebf300ef187dab1c5ba1c3cba8343c678df49335ba7e89e47, 3c6511b15e3b0e8c378a549347fa0f0745fd371aaa86206cb03528fdc0a23b29, a2f493769c0cd1cb3518571678f071588d683703ed368830f15405c1eb4028b2, 83290b2f6e7b3fb1bcfa90ed1e550acaeb85c7dc0cb4476b35818436af9395d2, cec655cc4c6bfcbc336d3afc4e5537e619bcf58329d291a51f39b3d3a250e962, f7396835d69675b138d0e2bee9b4ceb0a048bf705cb2f1012f1eee51e406d6e6, 6b5a75dcc505ac1c065844be27ee6d4693ac51abfc04aaf9bbfc1a06e69a19fd, ad5f610e8fb4f0d74d5d761532c8c8b2b9e01a2a402ba89389794d15ecca8337, 07d8a505492566daeb6174c312a4f7114dc60efcd1d17fef12ca0b8d6303fb2b, 8015b6036ecbae1f9e850af6bdf361d7598201cd4d4c55ae334ed72cf17ba94d, 829c5a07b065b15969ea8c519705d64fc4c1c39c05e898fc9abfbdb289c484d5
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | userdomainname like "http://38.14.255.23" or url like "http://38.14.255.23" |
Detection Query 2 | dstipaddress IN ("118.31.18.77","38.14.255.23") or ipaddress IN ("118.31.18.77","38.14.255.23") or publicipaddress IN ("118.31.18.77","38.14.255.23") or srcipaddress IN ("118.31.18.77","38.14.255.23") |
Detection Query 3 | sha256hash IN ("0ff87724012499381266e5eb8481117ed4549f44fa88be2c517afee899c2179f","ccedc244ad5933537231139e24b4cad0df3e44d3b2944ef3b28dea5973396185","73d908725a08dcfebf300ef187dab1c5ba1c3cba8343c678df49335ba7e89e47","3c6511b15e3b0e8c378a549347fa0f0745fd371aaa86206cb03528fdc0a23b29","a2f493769c0cd1cb3518571678f071588d683703ed368830f15405c1eb4028b2","83290b2f6e7b3fb1bcfa90ed1e550acaeb85c7dc0cb4476b35818436af9395d2","cec655cc4c6bfcbc336d3afc4e5537e619bcf58329d291a51f39b3d3a250e962","f7396835d69675b138d0e2bee9b4ceb0a048bf705cb2f1012f1eee51e406d6e6","6b5a75dcc505ac1c065844be27ee6d4693ac51abfc04aaf9bbfc1a06e69a19fd","ad5f610e8fb4f0d74d5d761532c8c8b2b9e01a2a402ba89389794d15ecca8337","07d8a505492566daeb6174c312a4f7114dc60efcd1d17fef12ca0b8d6303fb2b","8015b6036ecbae1f9e850af6bdf361d7598201cd4d4c55ae334ed72cf17ba94d","829c5a07b065b15969ea8c519705d64fc4c1c39c05e898fc9abfbdb289c484d5") |
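The three detection queries above, rewritten as standalone Python so they can be run against exported logs outside the TDIR platform. This is an added worked example, not code from the Gurucul advisory or the Talos report. The indicator values are copied from the IOC list; the flat-dictionary event shape, the reading of "like" as a prefix match on the URL, and the sample events themselves are assumptions made for the example.

```python
"""IOC sweep for the campaign above: the three detection queries rewritten
as plain Python and run over constructed sample events (not real telemetry)."""
import re
from typing import Dict, Iterable, List, Set

# Indicators copied from the IOC list in this advisory.
IOC_IPS = frozenset({"118.31.18.77", "38.14.255.23"})
IOC_URLS = frozenset({"http://38.14.255.23"})
IOC_SHA256 = frozenset({
    "0ff87724012499381266e5eb8481117ed4549f44fa88be2c517afee899c2179f",
    "ccedc244ad5933537231139e24b4cad0df3e44d3b2944ef3b28dea5973396185",
    "73d908725a08dcfebf300ef187dab1c5ba1c3cba8343c678df49335ba7e89e47",
    "3c6511b15e3b0e8c378a549347fa0f0745fd371aaa86206cb03528fdc0a23b29",
    "a2f493769c0cd1cb3518571678f071588d683703ed368830f15405c1eb4028b2",
    "83290b2f6e7b3fb1bcfa90ed1e550acaeb85c7dc0cb4476b35818436af9395d2",
    "cec655cc4c6bfcbc336d3afc4e5537e619bcf58329d291a51f39b3d3a250e962",
    "f7396835d69675b138d0e2bee9b4ceb0a048bf705cb2f1012f1eee51e406d6e6",
    "6b5a75dcc505ac1c065844be27ee6d4693ac51abfc04aaf9bbfc1a06e69a19fd",
    "ad5f610e8fb4f0d74d5d761532c8c8b2b9e01a2a402ba89389794d15ecca8337",
    "07d8a505492566daeb6174c312a4f7114dc60efcd1d17fef12ca0b8d6303fb2b",
    "8015b6036ecbae1f9e850af6bdf361d7598201cd4d4c55ae334ed72cf17ba94d",
    "829c5a07b065b15969ea8c519705d64fc4c1c39c05e898fc9abfbdb289c484d5",
})

# Field names mirror the queries; the flat-dict event shape is an assumption.
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
URL_FIELDS = ("userdomainname", "url")
HASH_FIELD = "sha256hash"

Event = Dict[str, str]


def match_url(event: Event) -> Set[str]:
    """Detection Query 1. 'like' is read as a prefix match (assumption), so a
    full request URL such as http://38.14.255.23/x.exe fires, while the IOC
    must be followed by a delimiter or the end so 38.14.255.230 does not."""
    hits: Set[str] = set()
    for field in URL_FIELDS:
        value = str(event.get(field, "")).strip().lower()
        for ioc in IOC_URLS:
            if re.match(re.escape(ioc) + r"(?:[/:?#]|$)", value):
                hits.add(ioc)
    return hits


def match_ip(event: Event) -> Set[str]:
    """Detection Query 2: any of the four address fields equal to an IOC IP."""
    return {event[field] for field in IP_FIELDS if event.get(field) in IOC_IPS}


def match_hash(event: Event) -> Set[str]:
    """Detection Query 3. Hashes are normalised to lowercase before lookup;
    a value that is not 64 hex digits is skipped rather than compared."""
    value = str(event.get(HASH_FIELD, "")).strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", value):
        return set()
    return {value} if value in IOC_SHA256 else set()


QUERIES = [
    ("Detection Query 1", match_url),
    ("Detection Query 2", match_ip),
    ("Detection Query 3", match_hash),
]


def sweep(events: Iterable[Event]) -> List[Dict[str, object]]:
    """Run every query over every event; one alert per (event, query) with hits."""
    alerts: List[Dict[str, object]] = []
    for index, event in enumerate(events):
        for name, query in QUERIES:
            hits = query(event)
            if hits:
                alerts.append({"event": index, "query": name,
                               "indicators": sorted(hits)})
    return alerts


# Constructed sample events (a proxy log, endpoint file events, a cloud host
# record); private addresses and hostnames are invented for the example.
SAMPLE_EVENTS: List[Event] = [
    {"srcipaddress": "10.10.4.21", "dstipaddress": "38.14.255.23",
     "url": "http://38.14.255.23/download/update.exe"},      # Query 1 and 2
    {"srcipaddress": "10.10.4.22", "dstipaddress": "93.184.216.34",
     "url": "http://www.example.com/"},                        # clean
    {"host": "web01", "sha256hash":                            # Query 3, uppercase
     "0FF87724012499381266E5EB8481117ED4549F44FA88BE2C517AFEE899C2179F"},
    {"host": "web02", "sha256hash": "ab" * 32},               # clean
    {"host": "jump01", "publicipaddress": "118.31.18.77"},    # Query 2
    {"host": "web03", "sha256hash": "not-a-hash"},            # malformed, skipped
]

if __name__ == "__main__":
    for alert in sweep(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints four alerts: event 0 on Query 1 and Query 2, event 2 on Query 3 (the uppercase hash is normalised before lookup), and event 4 on Query 2. The delimiter check in match_url is the one point where this differs from a naive substring "like": without it, traffic to an unrelated address such as 38.14.255.230 would be reported against this IOC.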
Reference:
https://blog.talosintelligence.com/new-persistent-attacks-japan/