Summary

  • Palo Alto Networks’ Unit 42 has identified a new cluster of activity, named CL-STA-0048, whose payloads and techniques target known vulnerabilities in public-facing servers.
  • The group attempted to exploit three services, Internet Information Services (IIS), Apache Tomcat, and MSSQL, but was prevented from doing so by cybersecurity providers.
  • The actor used a combination of known and novel techniques to avoid detection, including PowerShell, Cobalt Strike, SQLcmd, and uncommon execution and staging techniques.
  • The majority of the malware used in the attack had previously been used by the DragonRank threat group, leading to suggestions that CL-STA-0048 is a rebrand of this group.
  • The article concludes by offering advice on how the attack could have been prevented, and how its progress could have been limited, suggesting remedies for the vulnerabilities exploited.

Original Article