• 尚無留言

Recently, the cybersecurity firm Trend Micro disclosed an attack campaign carried out by the Chinese hacker group APT41, specifically Earth Longzhi, which primarily targets countries and enterprises in the Asian region. The targeted countries include Taiwan, Thailand, the Philippines, and Fiji. The group is known for abusing Microsoft Defender’s executable to perform DLL sideloading and utilizing a technique called Bring Your Own Vulnerable Driver (BYOVD). They exploit vulnerabilities in the driver zamguard64.sys to disable antivirus software and carry out their attacks. This campaign highlights the need for increased vigilance and enhanced security measures to protect against such sophisticated cyber threats in the affected regions.

It’s worth noting that the group also utilized the Stack Rumbling attack technique, injecting it into the Image File Execution Options (IFEO) mechanism. The objective was to trigger a memory overflow in antivirus software, causing it to experience a Denial of Service (DoS) and rendering it non-functional.

This attack technique poses significant challenges to the cybersecurity posture of businesses and organizations, especially those that heavily rely on antivirus software such as Microsoft Defender. In response to such attacks, cybersecurity experts recommend implementing multi-layered security measures, including timely software patching, strengthening network security monitoring, and implementing encryption measures, to reduce the risk of being targeted by these attacks.

The attacks carried out by APT41 organization pose a significant threat to countries and businesses in the Asian region, and the Stack Rumbling attack technique targeting antivirus software further exacerbates the cybersecurity challenges faced by enterprises and organizations. Strengthening their own cybersecurity measures, including regular updates of antivirus software and drivers, encrypting sensitive information, restricting network access, and implementing multi-factor authentication, is essential for businesses and organizations to counter such attacks. Additionally, enhancing international cybersecurity cooperation and intelligence sharing is also crucial in dealing with APT41 and similar hacker organizations. Only through collaborative efforts can we effectively safeguard the security and stability of the internet world.