ISLAMABAD:
The government has issued a cybersecurity advisory warning against the ‘Dead Glyph Backdoor’ – a “x64 native binary” and “.Net assembly exploit code” used as an entry method to exploit Windows based operating systems.
The Cyber Security Department has shared technical details with all ministries, divisions, and departments, informing them about all precautionary measures to ward off the attacks of hackers.
The system and network administrators of all ministries, divisions and institutions are instructed to ensure proper system hardening and whitelisting at all levels, including OS, BIOS, hardware, software etc (defence in depth).
The advisory outlined the backdoor’s tactics, indicating that it targets online systems through malicious scripts attached to impersonated files. The backdoor exploit code then infiltrates the online system, saving fake DLL files in the Windows C Drive.
Subsequently, the fake DLL file executes second-stage malware through unauthorised PowerShell script issuance, extracting critical user data. To evade detection, the malware shares this information with the attacker using a random network communication timing pattern.
In response to this threat, the advisory urged ministries and departments to implement robust cybersecurity measures.
The advisory emphasised the installation of reputable and licensed cybersecurity solutions such as antivirus, anti-malware, firewalls, SIEM, SOAR, IPS/IDS, and NMS. Regular manual inspections of the C Drive System32 folder are also advised to detect any suspicious file creation activity.
To bolster defence against the Dead Glyph Backdoor, the government advisory suggested ongoing monitoring of domain controllers for signs of malware infection.
Read also: Cybersecurity breach halts port operations
Additionally, departments were encouraged to examine endpoints and network logs regularly to identify anomalous network traffic.
Outbound network connections from specific executables, such as powershell.exe, winword.exe, notepad.exe, and others, were recommended to be blocked.
Further preventive measures included blacklisting unnecessary Windows commands and utilities and restricting the execution of scripts with specific extensions.
The advisory called for the establishment of a Sender Policy Framework (SPF) for domains to prevent email spoofing and recommends application whitelisting. Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths was also advised.
In the interest of maintaining cybersecurity resilience, the government advisory advocated regular updates for Microsoft Windows vulnerabilities and other installed software.
Endpoints were advised to disable Remote Desktop Protocol (RDP) when not required and patch against the latest vulnerabilities.
Establishing a site-to-site VPN for remote access and adopting a zero-trust architecture for service access were additional cybersecurity measures.
The advisory also underscored the importance of regular updates to anti-malware solutions and performing backups of critical information to mitigate the impact of data or system loss and expedite the recovery process.
