RL Blog

The Week in Cybersecurity: Meet Manjusaka, 'the Chinese sibling of Sliver and Cobalt Strike'

Carolynn van Arsdale, Writer, ReversingLabs


Welcome to the latest edition of The Week in Cybersecurity, which brings you the newest headlines, from the wider world and from our own team, about the most pressing topics in cybersecurity. This week: a new Chinese offensive framework may be abused by threat actors, hackers steal $190 million from Nomad Token Bridge, and more.

This Week’s Top Story

Meet Manjusaka, the “Chinese sibling of Sliver and Cobalt Strike”

Threat actors abusing legitimate adversary emulation frameworks is nothing new: Cobalt Strike and Sliver are routinely repurposed to carry out cyber attacks. New tools of the same kind keep emerging, however, giving threat actors a wider range of options. The Hacker News reports that researchers at Cisco Talos have disclosed a new offensive framework known as Manjusaka, which they say is freely available and able to “generate new implants with custom configurations with ease.” The researchers also warned that threat actors are increasingly likely to adopt the framework widely.

Meaning “cow flower” in Chinese, Manjusaka is marketed as an equivalent to Cobalt Strike and can target both Linux and Windows systems. It also has “a multitude of remote access trojan (RAT) capabilities,” including executing arbitrary commands and harvesting browser credentials from a number of platforms. Wi-Fi passwords, screenshots and system information are all at risk of being collected by any threat actor who picks up Manjusaka.

The Talos team sees the availability of Manjusaka as “an indication of the popularity of widely available technologies with both crimeware and APT operators.” Equally concerning is how modern the tooling is: according to the researchers, Manjusaka is built with current, portable programming languages and could easily be ported to additional target platforms such as macOS.

News roundup

Here are the stories we’re paying attention to this week…

Hackers steal $190M from Nomad Token Bridge in 6th largest crypto theft to date (Tech Monitor)

The attackers drained Nomad Token Bridge, a platform that lets users move tokens between blockchains. The heist, described by one researcher as “one of the most chaotic hacks web3 has ever seen,” is the sixth-largest crypto theft to date and a further sign of the security weaknesses in the crypto ecosystem.

Taiwan's presidential office is hit with a cyberattack (Politico)

The website of Taiwan’s presidential office went dark Tuesday due to an alleged distributed denial-of-service attack, with other government websites also impacted. 

LockBit ransomware abuses Windows Defender to deploy Cobalt Strike payload (The Hacker News)

A threat actor associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.
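As an added example (not code from the original post, from ReversingLabs, or from any vendor named in the story), here is a small detection check a SOC could run over Sysmon-style image-load events. It flags the Windows Defender command-line tool, assumed here to be MpCmdRun.exe, whenever it runs from, or loads a DLL from, somewhere other than its normal install directories, or loads an unsigned module. The trusted directory patterns, the event field names and the sample records below are constructed assumptions, not real telemetry.

```python
"""Detection sketch: the Windows Defender CLI loading an unexpected DLL.

Added example, not code from the page or from any vendor. The records are
constructed to resemble Sysmon Event ID 7 (ImageLoaded) fields; the trusted
paths are assumptions about a typical Defender install.
"""
import re

# Where MpCmdRun.exe legitimately lives and loads its modules from
# (assumed defaults; Platform\<version>\ holds the live engine binaries).
TRUSTED_DIR_PATTERNS = [
    re.compile(r"^C:\\Program Files\\Windows Defender\\", re.I),
    re.compile(r"^C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\", re.I),
    re.compile(r"^C:\\Windows\\System32\\", re.I),  # OS DLLs such as ntdll.dll
]

DEFENDER_CLI = "mpcmdrun.exe"  # assumed name of the Defender command-line tool


def _in_trusted_dir(path):
    """True if the path sits under one of the expected Defender/OS directories."""
    return any(p.match(path) for p in TRUSTED_DIR_PATTERNS)


def is_suspicious_load(event):
    """Return True when the Defender CLI is the loading process and either the
    tool itself or the loaded DLL is outside the trusted directories, or the
    DLL is unsigned. Events from other processes are out of scope here."""
    image = event.get("Image", "")
    if not image.lower().endswith("\\" + DEFENDER_CLI):
        return False
    loaded = event.get("ImageLoaded", "")
    if not _in_trusted_dir(image):
        return True   # a copy of the tool dropped elsewhere (sideloading setup)
    if not _in_trusted_dir(loaded):
        return True   # DLL pulled from a non-standard location
    if event.get("Signed", "").lower() != "true":
        return True   # Defender modules are expected to be signed
    return False


def find_suspicious_loads(events):
    """Return (RecordId, ImageLoaded) pairs worth escalating."""
    return [(e["RecordId"], e["ImageLoaded"]) for e in events if is_suspicious_load(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.5-0\mpclient.dll",
     "Signed": "true"},                                   # normal engine load
    {"RecordId": 2, "Image": r"C:\Users\Public\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\mpclient.dll",
     "Signed": "false"},                                  # tool and DLL in a user-writable dir
    {"RecordId": 3, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true"},                                   # ordinary OS DLL
    {"RecordId": 4, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\Public\evil.dll",
     "Signed": "false"},                                  # not the Defender CLI: ignored by this check
]

if __name__ == "__main__":
    for rid, dll in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"record {rid}: {DEFENDER_CLI} loaded {dll}")
```

Only record 2 is flagged: the tool has been copied to a user-writable directory and loads an unsigned DLL from the same place, which is the pattern a sideloading setup produces. Record 4 is deliberately outside the scope of this check; a real rule set would cover other signed binaries with their own trusted-path lists.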

Multiple vulnerabilities in Google Android OS could allow for remote code execution (Center for Internet Security)

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights. 

$10M reward offered for information on foreign government-linked malicious hackers (Graham Cluley)

A $10 million reward is being offered for information leading to the identification or location of malicious hackers working with North Korea to launch cyber attacks on US critical infrastructure.
