Search This Blog

Showing posts with label Chinese Actors. Show all posts

Chinese APT Utilizes Ransomware to Cover Cyberespionage

 

A China-based advanced persistent threat (APT) group called Bronze Starlight has been active since the start of 2021. It appears to be using double-extortion attacks and ransomware as cover for routine, state-sponsored cyberespionage and intellectual property theft. 

The distribution of post-intrusion ransomware, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0, is a feature of Bronze Starlight. Microsoft also labeled it as part of the DEV-0401 emerging threat cluster, highlighting its involvement in all phases of the ransomware attack cycle, from initial access to the payload dissemination.

China's Correlation

The threat actor has always loaded Cobalt Strike Beacon and then released ransomware on compromised computers using a malware loader known as the HUI Loader, which is solely utilized by  Chinese-based organizations. This method has not been noticed by other threat actors, according to Secureworks researchers.

Researchers from Secureworks believe that Bronze Starlight is more likely motivated by cyberespionage and intellectual property (IP) theft than financial gain due to the short lifespan of each ransomware family, victimology, and access to tools used by Chinese state hacktivists (including known vulnerabilities and the HUI Loader). HUI Loader has been used to distribute malware such as Cobalt Strike, QuasarRAT, PlugX, and SodaMaster as well as remote access trojans (RATs) at least since 2015.

Attacks carried out by the actor are distinguished by the use of vulnerabilities influencing Exchange Server, Zoho ManageEngine ADSelfService Plus, Atlassian Confluence, and Apache Log4j. This contrasts with other RaaS groups that obtain access from initial access brokers (IABs) to enter a network. 

The similarity between Ransomware 

Additionally, a familiar actor is apparent from the similarities found between LockFile, Atom Silo, Rook, Night Sky, and Pandora, the latter three of which were developed from the Babuk ransomware, the source code of which was leaked in September 2021. 

The researchers write that the use of HUI Loader to load Cobalt Strike Beacon, the configuration data for Cobalt Strike Beacon, the C2 network, and the code overlap "indicate that the same threat group is linked with these 5 ransomware families."

The use of the HUI Loader to launch next-stage encrypted payloads like PlugX and Cobalt Strike Beacons, which are used to disseminate the ransomware, is another instance of detected tradecraft. However, this technique requires first getting privileged Domain Administrator credentials. 

The main victims are American and Brazilian pharmaceutical firms, a U.S. media outlet with branches in China and Hong Kong, Lithuanian and Japanese electronic component designers and manufacturers, a U.S. legal company, and the aerospace & defense unit of an Indian conglomerate. 

To achieve this, ransomware operations not only give the threat actor a way to phish data as a result of the double extortion, but they also give them a chance to erase forensic proof of its destructive actions and distract them from data theft.

Sophos Firewall Zero-Day Flaw Exploited by Hackers

 

Chinese hackers leveraged a zero-day exploit for a vital vulnerability in Sophos Firewall to infiltrate a corporation and gain access to the victim's cloud-hosted web servers. Although the security flaw has been patched, many threat actors have continued to use it to escape authentication and execute arbitrary code remotely on businesses. 

Sophos Firewall's User Portal and Webadmin parts were found to have an authentication bypass vulnerability, which was tagged as CVE-2022-1040 on March 25. 

Researchers from Volexity revealed that Chinese threat actors used the zero-day vulnerability in Sophos Firewall (CVE-2022-1040) to hack a corporation and its cloud-hosted web servers. The threat actor was still operational when Volexity started the study, and the researchers were able to track the attacker's movements, showing a clever adversary who tried to go undiscovered.

According to the researchers, "the attacker was using access to the firewall to conduct man-in-the-middle (MitM) assaults." "Data obtained from these MitM assaults was used by the attacker to target further systems outside of the network where the firewall was located." Following the firewall breach, the infection sequence included backdooring a legitimate component of the security software with the Behinder web shell, which could be accessed remotely from any URL chosen by the threat actor.

Securing web server access 

Apart from the web shell, Volexity discovered further malicious behavior that maintained the threat actor's survival and allowed them to carry on the attack: 
  • The initial phase in the assault is gaining access to the Sophos Firewall, which permits a Man-in-the-Middle (MitM) attack by altering DNS replies for specified websites of the victim companies. 
  • Using stolen session cookies, the attacker gains access to the CMS admin page and then installs a File Manager plugin to manipulate files on the website. 
For a simpler investigation of intrusions, the firm advises using the auditd framework on Unix-based servers. Vendors' devices should also include tools for analyzing potential security flaws. Volexity also made a set of YARA rules accessible that may be used to detect unusual behavior from this form of threat.

Chinese Attackers Abused Sophos Firewall Zero-Day Bug to Target South Asian Organizations

 

Chinese hackers exploited a critical security vulnerability in Sophos' firewall product that came to light earlier this year to infiltrate multiple organizations in the South Asia region. 

The security bug has been patched in the meantime but multiple hackers continued to exploit it to bypass authentication and run arbitrary code remotely on several organizations. 

On March 25, Sophos issued a security patch about CVE-2022-1040, an authentication bypass flaw that affects the User Portal and Webadmin of Sophos Firewall and could be weaponized to implement arbitrary code remotely. 

Earlier this week, Volexity researchers detailed an assault from a Chinese APT group they track as DriftingCloud, which exploited CVE-2022-1040 since early March, a little over three weeks before Sophos issued a patch. The hackers employed a zero-day exploit to drop a webshell backdoor and target the customer’s staff. 

“This particular attack leveraged a zero-day exploit to compromise the customer’s firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer’s staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization’s public-facing websites.” reads a blog post published by Volexity researchers. “This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature.” 

The adversary used the zero-day exploit to compromise the firewall to install webshell backdoors and malware that would enable compromising external systems outside the network protected by Sophos Firewall. Volexity spotted the breach while investigating suspicious traffic generated from the Sophos Firewall to key systems in its customer’s networks. The examination of the logs revealed significant and repeated suspicious access aimed at a valid JSP file (login.jsp). 

Further investigation disclosed that the hackers were using the Behinder framework, which was employed by other Chinese APT groups in assaults abusing the recently disclosed CVE-2022-26134 vulnerability in Confluence servers. 

The exploitation of the Sophos Firewall was the first stage of the attack chain, APT group later launched man-in-the-middle (MitM) assaults to steal data and use them to exploit additional systems outside of the network where the firewall resided. Once secured access to the target webservers, the hackers installed multiple open-source malware, including PupyRAT, Pantegana, and Sliver.

Zimbra Memcached Injection Bug Patched

According to SonarSource, an open-source alternative to email servers and collaboration platforms such as Microsoft Exchange. Since May 10, 2022, a patch has been released in Zimbra versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. Zimbra is utilized by organizations, governments, and financial institutions throughout the world. 

Unauthenticated attackers might contaminate an unwary victim's cache, according to Simon Scannell, a vulnerability researcher at Swiss security firm Sonar. The vulnerability has been assigned the number CVE-2022-27924 (CVSS: 7.5), and it has been described as a case of "Memcached poisoning with unauthorized access," which might allow an attacker to inject malicious commands and steal sensitive data. 

Since newline characters (\r\n) in untrusted user input were not escaped, attackers were able to inject arbitrary Memcached instructions into a targeted instance, causing cached entries to be overwritten. Memcached servers keep track of key/value pairs that may be created and retrieved using a simple text-based protocol and analyze data line by line. A malicious actor might alter the IMAP route entries for a known username by sending a specially crafted HTTP request to the susceptible Zimbra server, according to the researchers. When the genuine user logs in, the Nginx Proxy in Zimbra will send all IMAP communication, including the credentials in plain text, to the attacker. 

Knowing the victim's email address, and utilizing an IMAP client makes it easier for the attacker to abuse the vulnerability. A second attack technique allows users to circumvent the aforesaid constraints and steal credentials for any user with no involvement or knowledge of the Zimbra instance. This is accomplished through "Response Smuggling," a different approach that makes use of a web-based Zimbra client. Cross-site scripting (XSS) and SQL injection issues caused by a lack of input escaping "are well known and documented for decades," as per Scannell, but "other injection vulnerabilities can occur that are less well known and can have a catastrophic consequence." 

As a result Scannell, advises programmers to "be cautious of special characters that should be escaped when coping with technology where there is less documentation and research regarding potential vulnerabilities." The bug was discovered four months after Zimbra provided a hotfix for an XSS flaw that was exploited in a series of sophisticated spear-phishing efforts attributed to an undisclosed Chinese threat group.

 New Linux Malware Syslogk has a Clever Approach of Staying Undetected

 

Syslogk, a newfound clever form of Linux malware, installs a backdoor that remains hidden on the target device until its controller sends so-called 'magic packets' from anywhere on the internet. It is mostly based on Adore-Ng, a Chinese open-source kernel rootkit for Linux. 

Adore-Ng which has been around since 2004, is a free open-source rootkit, that gives an attacker complete control over an infected system. Syslogk can force-load its packages into the Linux kernel (versions 3. x are supported), hide folders or spoof files and network traffic, and ultimately load a backdoor named 'Rekoobe.' 

How does the malware work?

Syslogk was originally discovered in early 2022, with the sample constructed for a specific kernel version – meaning it could be loaded without being forced – and the payload named PgSD93ql, which disguised it as a PostgreSQL file. 

"Rekoobe is a piece of code that has been placed in genuine servers," according to Avast security researchers. "In this case, it's embedded in a phony SMTP server that, when given a specially designed command, spawns a shell." 

The rootkit was created to hide harmful files, malicious software, and its malicious payload from showing on the list of operating services, to deliver the malicious payload when it received a specially constructed TCP packet, and to halt the payload if the attacker directed it to. 

Rekoobe appears to be a harmless SMTP server, but it is built on an open-source project called Tiny SHell, so it contains a backdoor command for generating a shell that allows it to run arbitrary instructions for data mining. Despite the restricted support for Linux kernel versions, Avast claims that using Syslogk and Rebooke on a bogus SMTP server gives an attacker a strong toolkit. 

The Syslogk rootkit is yet one piece of highly evasive malware for Linux systems, joining the likes of Symbiote and BPFDoor, which both exploit the BPF system to monitor and dynamically change network traffic. Ransomware campaigns, crypto attacks, and other data theft illicit behavior are increasingly being launched against Linux systems and cloud infrastructure making it a vulnerable target. 
 
As in the case of Syslogk, the initiative is in its early stages of development, so it's unclear whether it'll become a wide-scale threat. However, given its secrecy, it will almost certainly continue to release new and improved versions.

China's Attacks on Telecom Providers Were Exposed by US

 

Since 2020, US cybersecurity and intelligence agencies have cautioned about state-sponsored cyber attackers located in China using network vulnerabilities to target public and private sector enterprises.

Chinese hacking gangs have used publicly known vulnerabilities to infiltrate everything from unpatched small office/home office (SOHO) routers to moderate and even big enterprise networks, according to a joint cybersecurity alert released on Tuesday by the NSA, CISA, and the FBI. 

Several servers are used by China-linked APTs to create new email accounts, host command and control (C&C) domains, and connect with target networks, using hop points as an obfuscation strategy to mask its true location."Once within a telecommunications organization or network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, including systems critical to ensuring the stability of authentication, authorization, and accounting," as per the report. 

These threat actors are continually altering their techniques to avoid detection, according to US authorities, including watching network defenders' actions and adjusting current attacks to remain undiscovered. 

They were also seen changing the infrastructure and tools when the campaigns were made public. After stealing credentials to access underlying SQL databases, the attackers utilized SQL commands to discard user and admin credentials from key Remote Authentication Dial-In User Service (RADIUS) servers. The three US agencies have revealed that Chinese threat actors primarily exploit vulnerabilities in: 
  • Cisco (CVE-2018-0171, CVE-2019-15271, and CVE-2019-1652)
  • Citrix (CVE-2019-19781) 
  • DrayTek (CVE-2020-8515) 
  • D-Link (CVE-2019-16920) 
  • Fortinet (CVE-2018-13382) 
  • MikroTik (CVE-2018-14847) 
  • Netgear (CVE-2017-6862) 
  • Pulse ( (CVE-2020-29583) 

Open-source tools such as RouterSploit and RouterScan (vulnerability scanning framework) are used by threat actors to scan for vulnerabilities and conduct reconnaissance, allowing them to identify brands, models, and known problems that can be attacked. 

"Once within a network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, particularly systems critical to maintaining the security of authentication, authorization, and accounting," as per the joint advisory.

Lastly, the attackers altered or deleted local log files to eliminate proof of its presence and avoid discovery. Security updates should be applied as quickly as feasible, unneeded ports and protocols should be disabled to reduce the attack surface, and end-of-life network infrastructure which no longer receives security patches should be replaced, according to federal agencies.

Segmenting networks to prevent lateral movement and enabling robust monitoring on internet-exposed services to discover attack attempts as soon as possible are also recommended.

European Organizations Targeted by 'Mustang Panda’ Hacking Group

 

Cybersecurity researchers have unearthed a new campaign by advanced persistent threat (APT) group Mustang Panda targeting European and Russian organizations using topical spear-phishing lures linked to the war in Ukraine. 

Mustang Panda, also known as RedDelta, Bronze President, or TA416 has been active since at least 2012 and over the years has targeted entities in EU member states, the United States and Asian countries where China has interests. The targets have included diplomatic organizations, non-governmental organizations (NGOs), religious organizations, telecommunication firms, and political activists.

"Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves," Cisco Talos said in a new report published this week. 

The hacking group is known for designing its phishing lures based on current scenarios that might be of interest to its targets. These have included the COVID-19 pandemic, international summits, and political topics. The attacks observed this year by researchers from Cisco Talos and several other security firms used reports from EU institutions regarding the security situation in Europe both before and after Russia's invasion of Ukraine. 

Mustang Panda modus operandi 

The PlugX RAT, also known as KorPlug, continues to remain the Mustang Panda's preferred spying tool. is Mustang Panda’s malware of choice. The threat actor has used multiple variants of it for several years, together with other threat actors originating from China. 

Recent attack campaigns spotted this year have primarily phishing messages containing malicious lures masquerading as official European Union reports on the ongoing conflict in Ukraine or Ukrainian government reports, both of which download malware onto infected devices. 

A similar technique is also used to target various entities in the U.S. and several Asian countries like Myanmar, Hong Kong, Japan, and Taiwan. 

The researchers also spotted Mustang Panda distributing a malicious file containing PlugX with a Russian name referencing the Blagoveshchensk Border Guard Detachment. But similar attacks identified towards the end of March 2022 show that the actors are upgrading their tactics by minimizing the remote URLs used to obtain different components of the infection chain. 

Other than PlugX, infection chains utilized by the APT group have involved the deployment of custom stagers, reverse shells, Meterpreter-based shellcode, and Cobalt Strike, all of which are used to establish remote access to their targets with the intention of conducting espionage and information theft. 

"By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft," Talos researchers added.