
U.S. Imposes Sanctions on Intellexa Alliance for Spyware Development

The U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on individuals and entities associated with the Intellexa Alliance for their role in developing commercial spyware, and Cytrox and Intellexa have been added to the Entity List. Separately, researchers have disclosed a campaign that targets misconfigured servers with Golang-based malware.

At a glance

  • OFAC imposed sanctions on individuals and entities linked to Intellexa Alliance for involvement in commercial spyware development.
  • The U.S. government placed Cytrox and Intellexa, along with their corporate entities, on the Entity List.
  • Specific spyware program Predator infiltrated Android and iOS devices through zero-click attacks.
  • New policy allows visa restrictions on foreign individuals involved in misuse of commercial spyware.
  • A new wave of cyber threats targets misconfigured servers with Golang-based malware, exploiting weaknesses in server configurations.

The details

The U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) has recently imposed sanctions on two individuals and five entities associated with the Intellexa Alliance for their involvement in the development of commercial spyware.

This decision was made in response to the global impact of the Intellexa Consortium, which has facilitated the proliferation of commercial spyware and surveillance technologies on a worldwide scale.

Consequently, the U.S. government has placed Cytrox and Intellexa, as well as their corporate entities in Hungary, Greece, and Ireland, on the Entity List.

Specific Spyware Program

One specific spyware program, known as Predator, has attracted attention for its capability to infiltrate Android and iOS devices through zero-click attacks.

OFAC revealed that foreign actors had utilized Predator against U.S. government officials, journalists, and policy experts, allowing them to extract sensitive information from compromised devices.

Last year, Intellexa S.A., Intellexa Limited, Cytrox AD, and Cytrox Holdings ZRT were included in an economic blocklist.

New Policy and Cyber Threats

Revelations concerning Predator’s delivery infrastructure prompted the operators to close down their servers.

In light of these developments, the U.S. government has introduced a new policy permitting visa restrictions on foreign individuals implicated in the misuse of commercial spyware.

Prominent figures such as Citizen Lab security researcher John Scott-Railton and Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson have emphasized the importance of these measures in establishing clear boundaries for the responsible development and utilization of spyware technologies.

Concurrently, a new wave of cyber threats has surfaced, targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, or Redis with Golang-based malware.

These malicious tools exploit weaknesses in server configurations and an old vulnerability in Atlassian Confluence.

Researchers at Cado Security have uncovered this campaign, which bears similarities to previous cloud attacks attributed to threat actors like TeamTNT, WatchDog, and Kiss-a-Dog.

The hackers deploy four Golang payloads to compromise services associated with Hadoop YARN, Docker, Confluence, and Redis, scanning for open ports (2375, 8088, 8090, or 6379) to exploit.

Notably, the payload “w.sh” utilizes CVE-2022-26134 to execute code on Confluence servers, while another payload named “fkoths” erases traces of initial access by deleting Docker images.

A larger shell script called “ar.sh” compromises the system further and fetches additional payloads to continue the attack.

While most payloads in the campaign are flagged as malicious by antivirus engines, the four Golang binaries remain undetected by a significant number of antivirus programs.

Cado Security has conducted an in-depth technical analysis of all payloads and identified indicators of compromise, shedding light on the sophisticated tactics employed by the threat actor behind this cyber campaign.
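The campaign described above relies on exposed management ports rather than on novel exploits, so the most useful defender-side check is a configuration audit. The following is an added example, not code from the article or from Cado Security: it audits a Docker daemon.json and a redis.conf for the exposure conditions the article names (the Docker Engine API reachable over plain TCP on port 2375, Redis listening on all interfaces with protected mode off and no password), showing a weak and a hardened configuration side by side. The configuration samples are constructed for the example; the file paths and password value are placeholders.

```python
"""Audit Docker daemon and Redis configuration for network exposure.

Added example (not the article's or Cado Security's code). The sample
configurations below are constructed inline so the script runs offline.
"""
import json

# Constructed sample: Docker Engine API exposed over plain TCP on every
# interface (port 2375) with no TLS client verification.
WEAK_DOCKER_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "tls": false
}
"""

# Constructed sample: TCP listener bound to one address on the TLS port,
# with client-certificate verification enabled (paths are placeholders).
HARDENED_DOCKER_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Constructed sample: Redis reachable from anywhere, no password.
WEAK_REDIS_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: loopback only, protected mode on, password required.
HARDENED_REDIS_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass <placeholder-strong-password>
"""

# Bind tokens that mean "every interface" in Redis (a leading '-' marks an
# optional address in newer Redis versions and is stripped before matching).
ALL_INTERFACES = {"0.0.0.0", "*", "::"}


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Return findings for TCP listeners in a daemon.json document."""
    findings = []
    cfg = json.loads(daemon_json)
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are not network reachable
        addr = host[len("tcp://"):]
        # tcp://0.0.0.0:2375, tcp://:2375 and tcp://[::]:2375 bind everywhere
        if addr.startswith(("0.0.0.0", ":", "[::]")):
            findings.append(f"Docker Engine API bound to all interfaces: {host}")
        if not cfg.get("tlsverify", False):
            findings.append(f"Docker TCP listener without TLS client verification: {host}")
    return findings


def audit_redis_conf(conf: str) -> list[str]:
    """Return findings for a redis.conf text."""
    findings = []
    directives: dict[str, list[str]] = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key.lower(), []).append(value.strip())

    # Without a bind directive Redis listens on all interfaces.
    bind_tokens = " ".join(directives.get("bind", ["0.0.0.0"])).split()
    if any(tok.lstrip("-") in ALL_INTERFACES for tok in bind_tokens):
        findings.append("Redis bound to all interfaces")
    if directives.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("Redis protected-mode disabled")
    if "requirepass" not in directives:
        findings.append("Redis has no requirepass set")
    return findings


if __name__ == "__main__":
    for label, fn, cfg in [
        ("weak docker", audit_docker_daemon, WEAK_DOCKER_DAEMON_JSON),
        ("hardened docker", audit_docker_daemon, HARDENED_DOCKER_DAEMON_JSON),
        ("weak redis", audit_redis_conf, WEAK_REDIS_CONF),
        ("hardened redis", audit_redis_conf, HARDENED_REDIS_CONF),
    ]:
        print(label, "->", fn(cfg) or ["no findings"])
```

The two audit functions return lists of findings rather than printing, so they can be dropped into a fleet-wide compliance job; the hardened samples produce no findings, the weak ones reproduce exactly the exposure the campaign scans for.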

Article X-ray

Fact attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

securityweek.com
– The U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two individuals and five entities associated with the Intellexa Alliance for their role in developing commercial spyware
– The Intellexa Consortium has a global customer base and has enabled the proliferation of commercial spyware and surveillance technologies around the world
– The U.S. government added Cytrox and Intellexa, as well as their corporate holdings in Hungary, Greece, and Ireland, to the Entity List
– Predator spyware, similar to NSO Group’s Pegasus, can infiltrate Android and iOS devices using zero-click attacks
– OFAC said unspecified foreign actors had deployed Predator against U.S. government officials, journalists, and policy experts
– The spyware’s operators can access and retrieve sensitive information from infected devices
– Intellexa S.A., Intellexa Limited, Cytrox AD, and Cytrox Holdings ZRT were added to an economic blocklist last year
– New revelations about Predator’s delivery infrastructure prompted the operators to shut down their servers
– The U.S. government unveiled a new policy allowing visa restrictions on foreign individuals involved in the misuse of commercial spyware
– Citizen Lab security researcher John Scott-Railton described the OFAC designations as significant
– Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson emphasized the importance of establishing clear guardrails for the responsible development and use of spyware technologies
thehackernews.com
– Hackers are targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, or Redis with new Golang-based malware
– The malicious tools exploit configuration weaknesses and an old vulnerability in Atlassian Confluence
– Researchers at Cado Security discovered the campaign and analyzed the payloads used in attacks
– The intrusion set is similar to previously reported cloud attacks by threat actors like TeamTNT, WatchDog, and Kiss-a-Dog
– The attack was initially detected on a Docker Engine API honeypot
– The threat actor uses shell scripts and Linux attack techniques to install a cryptocurrency miner and establish persistence
– The hackers deploy four Golang payloads to target services for Hadoop YARN, Docker, Confluence, and Redis
– The Golang tools scan for open ports 2375, 8088, 8090, or 6379
– The payload “w.sh” exploits CVE-2022-26134 to execute code on Confluence servers
– Another payload called “fkoths” removes traces of initial access by deleting Docker images
– A larger shell script called “ar.sh” further compromises the system and fetches additional payloads
– Most payloads in the campaign are flagged as malicious by antivirus engines, except for the four Golang binaries
– Two of the payloads are detected by less than 10 antivirus engines on Virus Total
– Cado Security shared a technical analysis of all the payloads and indicators of compromise
