Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Chinese. Show all posts

Dutch Intelligence Warns of Extensive Chinese Cyber-Espionage Campaign


 

The Dutch Military Intelligence and Security Service (MIVD) has issued a warning about the far-reaching consequences of a Chinese cyber-espionage operation disclosed earlier this year. According to the MIVD, the scale of this campaign is "much larger than previously known," impacting numerous systems across multiple sectors. 

In a joint report with the General Intelligence and Security Service (AIVD) released in February, the MIVD described how Chinese hackers exploited a critical vulnerability in FortiOS/FortiProxy (CVE-2022-42475). This remote code execution flaw was used over several months between 2022 and 2023 to deploy malware on susceptible Fortigate network security devices. During this "zero-day" period, about 14,000 devices were compromised. Targets included various Western governments, international organizations, and many companies within the defense industry. 

The malware, identified as the Coathanger remote access trojan (RAT), was detected on a network used by the Dutch Ministry of Defence for research and development (R&D) of unclassified projects. However, network segmentation prevented the attackers from spreading to other systems. The MIVD highlighted that this previously unknown malware strain could persist through system reboots and firmware upgrades. It was used by a Chinese state-sponsored hacking group in a political espionage campaign targeting the Netherlands and its allies. 

This persistent access allowed the state actor to maintain control over compromised systems even after security updates were applied. "The exact number of victims with malware installed is unknown," stated the MIVD. "However, the Dutch intelligence services and the NCSC believe that the state actor could potentially expand its access to hundreds of victims worldwide and engage in further actions such as data theft." Since February, the Dutch military intelligence service discovered that the Chinese threat group had accessed at least 20,000 FortiGate systems globally over a span of a few months in 2022 and 2023, beginning at least two months before Fortinet disclosed the vulnerability. 

The Coathanger malware's ability to intercept system calls to avoid detection and its resilience against firmware upgrades make it particularly difficult to remove. Fortinet disclosed in January 2023 that the CVE-2022-42475 vulnerability was exploited as a zero-day to target government organizations and related entities. The MIVD's findings mirror the characteristics of another Chinese hacking campaign that targeted unpatched SonicWall Secure Mobile Access (SMA) devices with cyber-espionage malware designed to withstand firmware updates. 

The revelations from Dutch intelligence underscore the increasing sophistication and persistence of state-sponsored cyber-espionage campaigns. As cyber threats continue to evolve, the importance of robust cybersecurity measures and vigilant monitoring becomes ever more critical to protect sensitive information and infrastructure from these advanced persistent threats.

Smash and Grab: Meta Takes Down Disinformation Campaigns Run by China and Russia

 

Meta, Facebook’s parent company has confirmed that it has taken down two significant but unrelated ‘disinformation operations’ rolling out from China and Russia. 

The campaigns began at the beginning of May 2022, targeting media users in Germany, France, Italy, Ukraine, and the UK. The campaign attempted to influence public opinions by pushing fake narratives in the west, pertaining to US elections and the war in Ukraine. 

The campaign spoofed around 60 websites, impersonating legitimate news websites, such as The Guardian in the UK and Bild and Der Spiegel in Germany. The sites did not only imitate the format and design of the original news sites but also copied photos and bylines from the news reporters in some cases. 

“There, they would post original articles that criticized Ukraine and Ukrainian refugees, supported Russia, and argued that Western sanctions on Russia would backfire […] They would then promote these articles and also original memes and YouTube videos across many internet services, including Facebook, Instagram, Telegram, Twitter, petitions websites Change.org and Avaaz, and even LiveJournal” Meta stated in a blog post. 

In the wake of this security incident, Facebook and Instagram have reportedly removed nearly 2,000 accounts, more than 700 pages, and one group. Additionally, Meta detected around $105,000 in advertising. While Meta has been actively quashing fake websites, more spoofed websites continue to show up.  

However, “It presented an unusual combination of sophistication and brute force,” claims Meta’s Ben Nimmo and David Agranovich in a blog post announcing the takedowns. “The spoofed websites and the use of many languages demanded both technical and linguistic investment. The amplification on social media, on the other hand, relied primarily on crude ads and fake accounts.” 

“Together, these two approaches worked as an attempted ‘smash-and-grab’ against the information environment, rather than a serious effort to occupy it long term.” 

Both the operations are now taken down as the campaigns were a violation of Meta’s “coordinated inauthentic behaviour” rule, defined as “coordinated efforts to manipulate public debate for a strategic goal, in which fake accounts are central to the operation”. 

Addressing the situation of emerging fraud campaigns, Ben Nimmo further said, “We know that even small operations these days work across lots of different social media platforms. So the more we can share information about it, the more we can tell people how this is happening, the more we can all raise our defences.”

Information Commissioner Office Made a Regulatory Fine of $27 Million on Tiktok

 

The information commissioner's office of the United Kingdom recently fined Tiktok $29 million, having provisionally discovered that Tiktok had breached the laws of child data protection for two years. 
 
The privacy regulatory body of the United Kingdom reported the exploitation of protection laws of the country’s data. There was an investigation that concluded that TikTok may have breached the laws of data protection from May 2018 to July 2020. 
  
The fine is determined by the calculation of 4% of TikTok’s annual turnover globally. The ICO issued TikTok with a “notice of intent” with a fine of up to $27 million, which is considered the highest in ICO’s history as the largest amount paid till now is $20 million to British Airways. 
 
The Information Commissioner's office has pointed out in regard to Tiktok that it may breach privacy by processing data of minors under 13 years old without parental consent, failing to provide complete information to users "in a concise, transparent, and easily understandable manner" and processing unsuitable "special category" data without legal authority. 
 
The ICO defines “special category data” as any use of sensitive personal data including sexual orientation, religious beliefs, culture and nationality, political perspective, and biometric data. 
 
The information commissioner, John Edwards commented on TikTok’s failure in fulfilling its legal duties of protecting the privacy of data of its young users. He stated, "we all want children to be able to learn and experience the digital world, but with proper data privacy protection.” 
 
In John’s opinion, digital learning is essential for children, but the companies offering the digital services should be legally responsible for ensuring that reasonable protection measures are incorporated into these services, as during the investigation of TikTok it was found to be provisionally lacking in these measures.  
 
ICO added to its statement that the findings from the investigation are provisional and no final conclusions can be drawn at this time. A spokesperson from Tiktok in a conversation with TechCrunch shared that they do respect the concerns expressed by the ICO about security and protection laws, but that they disagree with the ICO's views regarding Tiktok's privacy policies.

'RedAlpha': This Chinese Cyberspy Group is Targeting Governments & Humanitarian Entities

 

RedAlpha, a Chinese state-sponsored cyberespionage group, has been observed targeting numerous government organisations, humanitarian organisations, and think tanks over the last three years. 

The advanced persistent threat (APT) actor, also known as Deepcliff and Red Dev 3, has been active since at least 2015, focusing on intelligence collection and surveillance of ethnic and religious minorities such as the Tibetan and Uyghur communities. 

According to cybersecurity firm Recorded Future, RedAlpha has registered hundreds of domains impersonating global government, think tank, and humanitarian organisations such as Amnesty International, the American Institute in Taiwan (AIT), the International Federation for Human Rights (FIDH), the Mercator Institute for China Studies (MERICS), and Radio Free Asia (RFA).

According to Recorded Future, the attacks are consistent with previous RedAlpha targeting of entities of interest to the Chinese Communist Party (CCP). Taiwanese organisations were also targeted, most likely for intelligence gathering. The campaign's goal has been to collect credentials from targeted individuals and organisations in order to gain access to their email and other communication accounts.

“RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China,” Recorded Future notes.

The cyberespionage group is known for using weaponized websites - which mimics well-known email service providers or specific organisations - as part of its credential-theft campaigns, but the APT registered more than 350 domains last year.

This activity was distinguished by the use of resellerclub[.]com nameservers, as well as the use of virtual private server (VPS) hosting provider Virtual Machine Solutions LLC (VirMach), overlapping WHOIS registrant information (including names, email addresses, and phone numbers), consistent domain naming conventions, and the use of specific server-side components.

About RedAlpha:

The group has recorded hundreds of domains typosquatting major email and storage service providers, including Yahoo (135 domains), Google (91 domains), and Microsoft (70), as well as domains typosquatting multiple countries' ministries of foreign affairs (MOFAs), Purdue University, Taiwan's Democratic Progressive Party, and the aforementioned and other global government, think tank, and humanitarian organisations.

The cyberespionage group registered at least 16 domains impersonating the Berlin-based non-profit organisation MERICS during the first half of 2021, which coincided with the Chinese MOFA sanctioning the think tank.

“In many cases, observed phishing pages mirrored legitimate email login portals for the specific organizations named above. We suspect that this means they were intended to target individuals directly affiliated with these organizations rather than simply imitating these organizations to target other third parties,” Recorded Future says.

RedAlpha has also shown a consistent focus on targeting Taiwanese entities over the last three years, including through multiple domains mimicking the American Institute in Taiwan (AIT), the de facto embassy of the United States of America. The hacking group was also noticed spreading its campaigns to target Brazilian, Portuguese, Taiwanese, and Vietnamese ministries of foreign affairs, as well as India's National Informatics Centre (NIC).

“We identified multiple overlaps with previous publicly reported RedAlpha campaigns that allowed us to assess this is very likely a continuation of the group’s activity. Of note, in at least 5 instances the group appeared to re-register previously owned domains after expiry,” Recorded Future notes.

The cybersecurity firm has discovered a connection between RedAlpha and a Chinese information security firm - email addresses used to register spoofing domains appear in job listings and other web pages associated with the organisation - and believes the threat actor is based in China.

“The group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities. This targeting, coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity,” Recorded Future concludes.

Chinese Hackers Targeted Dozens of Industrial Enterprises and Public Institutions

 

Since January 2022, over a dozen military-industrial complex firms and governmental organisations in Afghanistan and Europe have been targeted in order to acquire private data via six distinct backdoors. The assaults were attributed "with a high degree of confidence" to a China-linked threat actor identified by Proofpoint as TA428, noting commonalities in tactics, techniques, and processes (TTPs). 

TA428, also known as Bronze Dudley, Temp.Hex, and Vicious Panda, has previously struck entities in Ukraine, Russia, Belarus, and Mongolia. It is thought to be linked to another hacker organisation known as Mustang Panda (aka Bronze President). The current cyber espionage effort targeted industrial units, design bureaus and research institutions, as well as government entities, ministries, and departments .departments in several East European countries and Afghanistan. 

Penetration of company IT networks is accomplished through the use of carefully prepared phishing emails, including those that mention non-public information about the companies, to fool recipients into opening rogue Microsoft Word documents. These decoy files include exploits for a 2017 memory corruption vulnerability in the Equation Editor component (CVE-2017-11882), which might allow arbitrary code to be executed in affected computers, eventually leading to the deployment of a backdoor known as PortDoor. 

In April 2021, Chinese state-sponsored hackers used PortDoor in spear-phishing efforts to breach into the computers of a defence firm that manufactures submarines for the Russian Navy. The use of six distinct implants, according to Kaspersky, is most likely an attempt by threat actors to develop redundant channels for managing infected hosts in the event that one of them should get recognised and removed from the networks.

The attacks culminate with the attacker hijacking the domain controller and taking total control of all of the organization's workstations and servers, using the privileged access to exfiltrate files of interest in the form of compressed ZIP packages to a remote server in China.

Other backdoors used in the assaults include nccTrojan, Cotx, DNSep, Logtu, and CotSam, a previously unreported malware named because of its resemblance to Cotx. Each offers significant capabilities for taking control of the systems and stealing sensitive data.

Ladon, a hacking framework that enables the adversary to scan for devices in the network as well as exploit security vulnerabilities in them to execute malicious code, is also included in the assaults.

"Spear-phishing remains one of the most relevant threats to industrial enterprises and public institutions," Kaspersky said. "The attackers used primarily known backdoor malware, as well as standard techniques for lateral movement and antivirus solution evasion."

"At the same time, they were able to penetrate dozens of enterprises and even take control of the entire IT infrastructure, and IT security solutions of some of the organizations attacked."

APT: China-Based Threat Group Attacks Pulse Secure VPNs

 

Several hacker groups that are supposed to support Chinese long-term economic goals continue in the defense, high-tech, public, transportation, and financial services industry networks in the US and Europe. 

Many breaches have taken place wherein attacks by Chinese threat actors penetrated Pulse Secure VPN devices to break into an organization's network and steal confidential material. 

Whereas in several other incidents the attackers took full advantage of the Pulse Connect Secure (PCS) (CVE-2021-22893) authentication bypass vulnerability to enter into the victim's network. The intruders also gained control of the combination of previously known vulnerabilities. Meanwhile, last month, a failure in the bypass authentication was detected and rectified. 

Mandiant issued a warning this week – on China's advanced persistent threat (APT) activity for U.S. and European organizations. In the alert, Mandiant had focused on a battery of malware tools used to address vulnerabilities in Pulse Secure VPN devices on two Chinese-based organizations: UNC2630 and UNC2717. Mandiant said that UNC2630 had targeted US military industry groups and UNC2717 had attacked an EU entity. 

"The exploitation activity we have observed is a mix of targeting unpatched systems with CVEs from 2019 and 2020, as well as a previously unpatched 2021 CVE (CVE-2021-22893)," says Stephen Eckels, a reverse engineer at Mandiant. "Since our original report, Pulse Secure and Mandiant have worked together, and the zero-day has since been patched." 

"At this time, Pulse Secure has patched all known vulnerabilities," Eckels added. 

In certain cases, the attackers had set up their local admin accounts on critical Windows servers to operate freely on the target network. Instead of depending on internal endpoints of the security vulnerabilities, they used exclusivity of Pulse Secure web-shells and malware. 

The UNC2630 and UNC2717, according to Mandiant, are just two of the various groups which threaten Pulse Secure VPNs that seem to work for the interest of the Chinese administration. Many of the groups use the same number of instruments, but their strategies and tactics are different. 

There has been no confirmation so far that the threat actors had acquired American data that would provide economic advantages for Chinese enterprises. In particular, a 2012 agreement between President Barack Obama and a Chinese counterpart Xi prohibits cyber espionage of such data. 

"Right now we're not able to say that they haven't, just that we don't have direct evidence that they have violated [the agreement]," Mandiant says. "Some of the affected entities are private companies that would have commercial intellectual property, the theft of which would violate the agreement. We just have not seen direct evidence of that type of data being staged or exfiltrated." 

Mandiant's assessment of the Chinese ferocious ATP activities is coinciding with this week's alert from Microsoft for Nobellum, the Russian menace actor behind the SolarWinds attack and an extensive e-mail campaign. In both cases, cyber espionage seems to be the major motif in support of national strategic objectives.

Czech Republic's Intelligence Agency Reveal on Russian And Chinese Spies Posing an Imminent Threat to The EU Member's Security

 


The Czech Republic's intelligence agency recently revealed that Russian and Chinese spies posed an up and coming threat to the EU member's security and other key interests the previous year. 

The annual report of the Security Data Administration (BIS) said the intelligence services of Russia and China took up a rather significant role in further advancing their interests and options abroad.

All Russian intelligence services were rather active on Czech territory in 2019. Spies with a strategic and diplomatic cover zeroed in on further advancing Russia's interests and the Kremlin's views, just as boosting Russia's reputation in the Czech Republic. 

"The key difference is that Russia seeks to destabilise and disintegrate its opponents, while China is trying to build a Sinocentric global community wherein other nations acknowledge the legitimacy of China's interests," BIS said. 

The Chinese spies’ agents utilized covers as diplomats, journalists, or scientists and "utilized the receptiveness of the Czech environment to the offer of Chinese investment," BIS said. 

They focused on the tech area, the military, security, infrastructure, the health sector, the economy, and environmental protection and searched for ways to paint a positive portrait of China. 

BIS added that the foreign spies additionally focused on Czech cyberspace with attacks focused on the foreign ministry and diplomatic missions abroad, yet additionally the infrastructure of Czech anti-virus software maker Avast.

It said Russian and Chinese services were behind these attacks, adding that phishing and spear-phishing emails were the most frequently utilized tactic.