Threat Actors Use a VPN’s Code Signing Certificate to Deploy Cobalt Strike Malware
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
Security researchers have uncovered an espionage campaign targeting the Southeast Asian gambling industry. The campaign, linked to the China-aligned Bronze Starlight ransomware group, abuses legitimate software vulnerable to DLL hijacking, such as Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan.
According to SentinelLabs researchers, the group used these tools to deploy Cobalt Strike malware on targeted machines.
The attacks use malware loaders (agentupdate_plugins.exe and AdventureQuest.exe) to deploy .NET executables on targeted machines; these executables then download password-protected zip archives from Alibaba buckets, and the malicious DLLs are stored inside those archives.
The malware loaders also contain a geofencing feature intended to stop execution on machines whose IP addresses are located in the US, Germany, France, Russia, India, the UK, and Canada. However, because of implementation errors, the check does not work.
The actors, also tracked as DEV-0401 or SLIME34, even signed their malware with a stolen code signing certificate issued to the Ivacy VPN provider, Singapore-based PMG PTE Ltd. Abusing VPN vendors' certificates is a common technique among Chinese APT groups, since VPNs give the hackers access to sensitive user information and communications.
The campaign is believed to be part of the ChattyGoblin-related activity described by ESET in its quarterly report. ESET first identified this series of attacks in March 2023, in which Chinese APT groups used trojanized chat applications to target Southeast Asian gambling companies.
“We observed malware and infrastructure likely related to China-aligned activities targeting this sector. The malware and infrastructure we analyze are related to indicators observed in Operation ChattyGoblin and are likely part of the same activity cluster,” the report observed.
However, SentinelLabs states that despite seeing techniques and tactics specific to Bronze Starlight, it is difficult to attribute the campaign to this group. The report notes that malware and infrastructure management processes are widely shared between Chinese APT groups, making “high confidence clustering difficult based on current visibility”.
LinkedIn Users Worldwide Targeted in a Massive Hacking Campaign
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
In recent weeks, LinkedIn account holders around the world have found themselves targeted by unknown threat actors. Their accounts were either locked as a security measure or completely taken over by the hackers.
Security researchers at Cyberint report an uptick in user complaints across various social media platforms, with desperate users venting their anger at LinkedIn’s lack of support in resolving the issue.
The research team also claims to have seen an increase in searches related to LinkedIn support and advice on recovering hacked accounts. For instance, the term “breakout” alone has seen an increase of over 5000% in searches.
“Our analysis using Google Trends reveals a significant surge in the past 90 days in the volume of Google searches related to the hacked account campaign. Search queries such as ‘LinkedIn account hacked’ or ‘LinkedIn account recovery’ have experienced a substantial upward trend,” reported Cyberint researchers.
In this instance, the attackers appear to have employed two different modes of attack. In the first, Temporary Account Lock, the attacker tries to breach accounts by exploiting two-factor authentication or brute-forcing passwords. These attempts cause LinkedIn to temporarily lock the legitimate users’ accounts, and the owners must then verify their email addresses and update their passwords for security reasons.
In the second mode, Full Account Compromise, a successful attacker takes over the victim’s account completely. The email address and password associated with the account are changed, making it impossible for the legitimate owner to recover it.
According to the researchers, some account holders have also received ransom messages demanding a few tens of dollars to regain access, while others have seen their accounts deleted entirely.
Cyberint warned that this incident can lead to a significant increase in threats such as blackmail, social engineering of profiles, data gathering via impersonation, and the spread of malicious content.
Although the attackers’ specific intent remains unknown, a few of the methods they use to gain access to LinkedIn accounts have been identified. Users are advised to reset their LinkedIn passwords and enable 2FA for improved security.