Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label APT41. Show all posts
Symantec
APT41 Atharvan RAT Blackfly Clasiopa Cyber Security Cyberespionage Cyberespionage Operation Lilith RAT Remote Access Tool Symantec

APT41: Cyberespionage Group Targets Asian Materials Industry


The Chinese-sponsored APT41 cyberespionage group, also known as Blackfly, Barium Bronze Atlas, Double Dragon, Wicked Panda, and Wicked Spider has emerged as one of the most active threat groups since at least 2007. 

The cyber-threat group has recently been targeting two subsidiaries of a major Asian conglomerate, which apparently specializes in materials and composites. The attack follows right after another distinct campaign against the Asian material sector. 

The APT attack was seen utilizing the Winnkit backdoor, Mimikatz, and several tools for credential dumping, screen capture, process hollowing, SQL querying, memory dumping (ForkPlayground), and proxy configuration. 

In one of the instances, Symantec discovered a material research organization in Asia that was being targeted by a previously unidentified threat group named ‘Clasiopa,’ which does not seem to be linked to the APTs. 

It is believed that Clasiopa acquired access to the targeted organization by brute forcing public facing servers and using a variety of post-exploitation tools like Atharvan remote access trojan (RAT), which is a modified version of the Lilith RAT, the Thumbsender hacking tool, and a custom proxy tool. The threat actor, according to Symantec, utilized the backdoors to compile lists of files and exfiltrate them, deleted logs, set a scheduled task to list file names, and verified the IP addresses of the compromised machines in an effort to disable endpoint protections. 

Moreover, it appears that Clasiopa used authorised software from Agile and Domino throughout the attack, but it is still unclear whether the attackers actually deployed the tools or simply abused the existing installations. Apparently Atharvan backdoor is able to download arbitrary files from the server, execute files, and configure communications through the C&C server, all based on the commands received from its operators. 

Adding to this, the Atharvan RAT can terminate or restart programs, send remote commands and PowerShell scripts, as well as terminate and uninstall itself. Further analysis on Atharvan revealed a Hindi mutex and a password, suggesting that Clasiopa could be based in India, although Symantec says that these could be some of the false flags planted by the threat group to muddle with the investigation.  

Read more »
Cyber Attacks
APT41 Chinese Hackers Covi-19 Cyber Attacks

Chinese Hackers Steal U.S Covid-19 Relief Funds, Experts suspect APT41


Chinese Hackers steal US Covid funds

The US Secret Service alleged that a Chinese hacking group stole tens of millions of dollars from US Covid-19 relief funds. The incident has increased the threat that the US and its citizens are facing from threat actors.

State-sponsored cyber criminal group APT41 scammed and stole $20 million that was used as a pandemic relief during Covid-19. 

Experts say this is the first theft of APT41, it is known for cyber espionage and financial cyberattacks. But this time, it is confirmed that APT41 has targeted US government funds. The money consists of small business administration plans and unemployment insurance funds.  

It also shows APT41's capability to defraud the US on a bigger scale, given the depth of details it has retrieved about American citizens.

"Fintech companies contracted by the federal government to process pandemic payouts rushed through processing applications in pursuit of higher fees, which contributed to the fraud that occurred, according to a report by the US House Select Subcommittee on the Coronavirus Crisis published on December 1. The key issue at hand is the state-sponsored group’s ability to scale future fraud attempts via automated technology and troves of taxpayer data China is believed to have obtained after security breaches at credit bureau Equifax and the US Office of Personnel Management, Hamilton said. OPM houses all federal employee data.ls it has retrieved about the American citizens," reports Bloomberg 

APT41 believed behind the theft

It is not clear if agencies believe APT41 compromised government systems or citizens' personal accounts to get the Covid-19 relief funds, or if they hacked into already stolen information to engage in an identity scam. 

Investigating agencies didn't disclose any more details about how the theft took place, saying  “with respect to a potentially ongoing investigation, we have no further publicly available information.” 

For individual US citizens, it may be hard to imagine themselves as victims of a states sponsored attack like China, however, the threat is rising.

“When you look at how many records they have, talk about massive fraud. If the Chinese-based hackers wanted to use that information for fraud, they would have a very easy time with that because they have it all," said Linn Freedman, cybersecurity partner of Robinson Cole LLP. 

The threat scale has increased

Currently, not much information is available to determine the security loopholes that resulted in fraudulent activity related to the relief funds, it is believed that the money theft is not an isolated incident. 

Mike Hamilton, the chief information security officer at cybersecurity agency Critical Insight, believes that the cyberattack was a "beta test" of APT41's capabilities to defraud the American government and also that APT41 attacked the funds because it was easy to steal. 

Bloomberg reports, "APT41 recently compromised at least six state government websites and exfiltrated personally identifiable information as part of a deliberate hacking campaign targeting states, according to a report published by cybersecurity firm Mandiant in March 2022."






Read more »
Subscribe to: Posts (Atom)