Govt Issues Warning for Windows Users in Pakistan



The government of Pakistan has issued a cyber security advisory against ‘Dead Glyph Backdoor’. 

According to the advisory issued by the cabinet division, Advanced Persistent Threat (APT) groups are targeting global government entities and critical infrastructure through the ‘Dead Glyph Backdoor’. 

According to the advisory, Dead Glyph is an ‘x64 native binary’ and ‘.Net assembly exploit code’ that hackers use as an entry method to exploit Windows-based operating systems.

According to the advisory, the Dead Glyph backdoor targets Windows-based online systems through ‘impersonated’ files having malicious scripts attached.

It also attacks the online system through backdoor exploit code and then saves fake DLL files in Windows C Drive. The fake DLL file then executes second-stage malware by unauthorized issuance of PowerShell scripts. It extracts the user’s critical data and shares it with the attacker using a random network communication timing pattern to avoid detection. 

The cabinet division has asked the ministries and departments to ensure proper system hardening and whitelisting at all levels including OS, BIOS, hardware, software, etc. 

It also recommends installing reputed and licensed anti-virus, anti-malware, firewalls, SIEM, SOAR, IPS/IDS, NMS solutions, etc., and regularly inspecting the C Drive System32 folder manually to check for any suspicious file creation activity.

The advisory has asked the government departments to regularly monitor domain controllers for signs of malware infection and to examine the endpoints and network logs on a regular basis to detect anomalous network traffic. 

It also advises blocking outbound network connections from powershell.exe, winword.exe, notepad.exe, explorer.exe, bitsadmin.exe, mshta.exe, excel.exe, and eqnedt32.exe.
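One way to apply the outbound restriction with Windows Defender Firewall, as an added example that is not taken from the advisory or the original post. The rule IDs, the group label and the candidate install directories are assumptions of this example; paths are resolved on the host where the script runs.

```powershell
#Requires -RunAsAdministrator
# Added example: outbound-block firewall rules for the executables the advisory lists.
# The group label, rule-ID prefix and candidate directories are assumptions.
$group = 'Advisory outbound block (example)'
$names = 'powershell.exe','winword.exe','notepad.exe','explorer.exe',
         'bitsadmin.exe','mshta.exe','excel.exe','eqnedt32.exe'

# Directories where the Windows-shipped binaries normally live (32- and 64-bit copies).
$dirs = @(
    $env:SystemRoot
    "$env:SystemRoot\System32"
    "$env:SystemRoot\SysWOW64"
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0"
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0"
)
# Equation Editor, when present, sits under Common Files (assumed default Office layout).
$dirs += @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { Join-Path $_ 'Microsoft Shared\EQUATION' }

function Resolve-TargetPath {
    param([string]$Name)
    $found = @()
    foreach ($dir in $dirs) {
        $candidate = Join-Path $dir $Name
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { $found += $candidate }
    }
    # Office applications register their install path under the App Paths key.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$Name"
    if (Test-Path -LiteralPath $key) {
        $registered = (Get-Item -LiteralPath $key).GetValue('')
        if ($registered) { $found += $registered.Trim('"') }
    }
    $found | Sort-Object -Unique
}

foreach ($name in $names) {
    $paths = @(Resolve-TargetPath -Name $name)
    if (-not $paths) { Write-Warning "$name not found on this host; no rule created"; continue }
    foreach ($path in $paths) {
        # Rule ID derived from the path, so re-running the script creates no duplicates.
        $id = 'adv-block-' + ($path -replace '[^A-Za-z0-9]', '_')
        if (Get-NetFirewallRule -Name $id -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -Name $id -DisplayName "Block outbound: $name" -Group $group `
            -Direction Outbound -Program $path -Action Block -Profile Any | Out-Null
        Write-Output "Created rule for $path"
    }
}
```

Rules created this way are local to the machine; in a domain the same rules would normally be distributed through Group Policy.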

The advisory has suggested blacklisting the Windows commands and utilities that are not required by end-users and blocking execution of all scripts having .vbs, .vbe, .hta, .js, .wsh, .wsf, .com, .pif, .ps1 extensions.

It has asked the departments to establish a Sender Policy Framework (SPF) for domains, which is an email validation system designed to prevent spam attachments by detecting email spoofing. 

It has also suggested ensuring application whitelisting and strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. 

It has asked the departments to regularly apply updates for vulnerabilities in Microsoft Windows and other installed software, to disable RDP on all endpoints (when not required), and to patch it against all the latest vulnerabilities.

It also recommends establishing site-to-site VPN for remote access and a zero trust architecture for accessing services.

The advisory has also asked government departments to regularly update antimalware solutions running on endpoints in enterprise environments as well as standalone systems and perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process.
