This is your China Hack Report: Daily US Tech Defense podcast.
Hey listeners, I’m Ting, here with your China Hack Report: Daily US Tech Defense, and if you missed the last 24 hours, trust me—this is not the day to leave your firewall down.
Let’s start with the headline: US CISA just dropped a bombshell analysis about a federal agency breach linked to a GeoServer vulnerability, that juicy CVE-2024-36401. If you’ve slept on patching, think twice before you hit snooze again. Attackers scored remote code execution with a CVSS of 9.8—basically, the cyber equivalent of a bullseye. What makes this spicy is the technique: attackers leveraged proof-of-concept exploits, did a bit of Burp Suite scanning, and then chained this unpatched flaw to pop two separate GeoServer instances. Once in, they got comfy, lateral-moving to web and SQL servers and dropping web shells—including the infamous China Chopper, which should have its own VIP pass as the APT41 house special. Then they cooked up persistence with cron jobs, user accounts, and scripts to escalate privileges. Dirty Cow, anyone?
Here’s the kicker: these cyber threat actors stuck around for three weeks, pulling off living-off-the-land shenanigans for stealth, using Stowaway for multi-level proxy traffic and blending in via xp_cmdshell and BITS jobs. Only after an EDR alert went off did security teams catch a whiff, and CISA’s post-mortem says most organizations would miss this too if their patching or alert reviews lag. Also, brute force attacks took center stage for creds, while PowerShell downloads and network discovery rounded out the tool lineup.
CISA’s official stance: Don’t just patch—automate enforcement. If a CVE is in KEV, get it closed or yank the machine from the network. They also called out failures in incident response, slow EDR deployment, and weak alert reviews. If you’re not exercising your incident response plan regularly or leaving endpoints unprotected, you’re living dangerously—like balancing a circuit board on a chopstick.
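One way to automate the "close it by the KEV due date or pull the machine off the network" rule described above, as an added example that is not from the podcast or from CISA: it reads a constructed excerpt shaped like CISA's KEV JSON feed (real field names, illustrative dates) plus a constructed scanner finding list, and decides per host whether to patch, isolate, or just track. The host names and the CVE-0000-* identifiers are placeholders.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV catalog JSON. Field names match
# the public feed; the due dates and the second entry are illustrative placeholders.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2024-36401", "vendorProject": "OSGeo", "product": "GeoServer",
   "dateAdded": "2024-07-15", "dueDate": "2024-08-05"},
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "Placeholder",
   "dateAdded": "2024-09-01", "dueDate": "2024-09-22"}
]}"""

# Constructed vulnerability-scanner output: one row per (host, CVE) finding.
SCAN_FINDINGS = [
    {"host": "gis-web-01", "cve": "CVE-2024-36401"},
    {"host": "gis-web-02", "cve": "CVE-2024-36401"},
    {"host": "db-01", "cve": "CVE-0000-0001"},
    {"host": "db-01", "cve": "CVE-0000-0002"},  # placeholder CVE not in KEV
]


def load_kev(kev_json):
    """Map each KEV cveID to its remediation due date."""
    catalog = json.loads(kev_json)["vulnerabilities"]
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in catalog}


def enforce(findings, kev_due, today_iso):
    """Decide one action per finding, given today's date as an ISO string:
    KEV entry past its due date -> ISOLATE the host;
    KEV entry not yet due        -> PATCH by the due date;
    not in KEV                   -> TRACK through the normal cycle."""
    today = date.fromisoformat(today_iso)
    actions = []
    for f in findings:
        due = kev_due.get(f["cve"])
        if due is None:
            actions.append((f["host"], f["cve"], "TRACK"))
        elif today > due:
            actions.append((f["host"], f["cve"], "ISOLATE"))
        else:
            actions.append((f["host"], f["cve"], f"PATCH by {due.isoformat()}"))
    return actions


if __name__ == "__main__":
    for row in enforce(SCAN_FINDINGS, load_kev(KEV_JSON), "2024-09-10"):
        print(*row)
```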
Let’s pivot. Cisco Talos flagged a sophisticated PlugX malware variant intertwined with RainyDay and Turian, mostly targeting telecom and manufacturing sectors in Asia. Interesting piece—the loader shares code base and config patterns with Naikon and BackdoorDiplomacy, both old-school espionage actors tied to the Chinese threat umbrella. The malware sideloads via DLL hijacking, then decrypts payloads with an XOR-RC4 routine. What’s unique for listeners: these malware families show that shared infrastructure and developer toolchains are now commodities in the threat landscape.
Elsewhere in the US, the Secret Service just finished raiding five SIM farms in New York—over 100,000 SIM cards were seized. Forensics hint at cellular comms between a nation-state threat actor and people flagged by federal law enforcement. If you’re in telecom, start pivoting your defense posture now, especially on SIM-served operations and endpoints.
Last, emergency patches: If you haven’t picked up the latest advisories from Ivanti and CitrixBleed 2, CISA says move quickly—active exploits are underway. And all you GitHub admins, watch for fresh malware repos pretending to be free macOS and Chrome tools: don’t download unless you like surprise command shells for breakfast.
Wrap-up time: Patch fast, automate checks, and never skip your EDR reviews. Thanks for tuning in, and make sure you subscribe for tomorrow’s play-by-play. This has been a Quiet Please production; for more, check out quiet please dot ai.
This content was created in partnership with, and with the help of, artificial intelligence (AI).