Cisco Talos: APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
Cisco attributes a cyberespionage campaign targeting a Taiwanese government-affiliated research institute since at least July 2023 to the Chinese state-sponsored APT41 (aka Winnti, Wicked Panda, Brass Typhoon). APT41 is publicly attributed by the U.S. government to several Chinese nationals working at Chengdu 404 Technology. The ShadowPad malware used in the current campaign abused an outdated, vulnerable version of a Microsoft Office IME binary as a loader to load the customized second-stage loader that launches the payload. Cisco also discovered that APT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 (7.5 high, disclosed 08 May 2018 by Microsoft, Microsoft COM for Windows Remote Code Execution Vulnerability) directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation. Short summary of the victim, attribution, TTP changes and malware analysis. IOCs provided.
#threatintel #china #apt41 #cyberespionage #IOC #WickedPanda #BrassTyphoon #Winnti #shadowpad #CVE_2018_0824 #eitw #activeexploitation #vulnerability #CVE
@screaminggoat
CVE-2018-0824
The thing that had a fix released for it OVER SIX YEARS AGO.
@wdormann freebie for the CISA Vulnerability Management Team to add it to the Known Exploited Vulnerabilities (KEV) Catalog.
CISA: CISA Adds One Known Exploited Vulnerability to Catalog
Hot off the press! CISA adds CVE-2018-0824 (7.5 high, disclosed 08 May 2018 by Microsoft), Microsoft COM for Windows Remote Code Execution Vulnerability, to the Known Exploited Vulnerabilities (KEV) Catalog! See parent toot above for evidence of exploitation.
#CVE_2018_0824 #eitw #activeexploitation #vulnerability #CVE #Microsoft #KEV #KnownExploitedVulnerabilitiesCatalog
@buherator CISA must not have had any evidence of exploitation before now. Cisco's reporting on Thursday demonstrated that APT41 uses the "UnmarshalPwn" malware to exploit CVE-2018-0824 for local privilege escalation.