
Chinese Attackers Target France Infrastructure in Ivanti Zero-Day Exploit Campaign

 

The French cybersecurity agency stated in a study released Tuesday that three zero-day flaws impacting Ivanti Cloud Services Appliance devices triggered an attack spree in France last year that affected several critical infrastructure sectors.

The French National Agency for the Security of Information Systems reports that from early September to late November 2024, widespread zero-day exploits of CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 affected government agencies and organisations in the media, finance, transportation, and telecommunications sectors.

According to Mandiant, the attacks were carried out by UNC5174, a former member of Chinese hacktivist collectives who was probably working as a contractor for China's Ministry of State Security. The attacker, known as "Uteus," has previously targeted edge device flaws in ConnectWise ScreenConnect, F5 BIG-IP, Atlassian Confluence, the Linux kernel, and the Zyxel firewall. 

Authorities in France discovered that UNC5174 employed a unique intrusion set known as "Houken," which included zero-day vulnerabilities, a sophisticated rootkit, numerous open-source tools, commercial VPNs, and dedicated servers. Officials believe Houken and UNC5174 are operated by the same threat actor, an initial access broker who steals credentials and implements methods to gain persistent access to target networks. 

“Though already documented for its opportunistic exploitation of vulnerabilities on edge devices, the use of zero-days by a threat actor linked to UNC5174 is new,” France’s cybersecurity agency noted in the report. “The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence.”

In January this year, the Cybersecurity and Infrastructure Security Agency said that threat actors had chained the three Ivanti zero-days to obtain credentials, execute remote code, establish initial access, and install webshells on victim networks. In April, Sysdig researchers said they had observed the Chinese state-sponsored group UNC5174 using open-source offensive security tooling such as WebSockets and VShell to blend in with more common cybercriminal activity.

Numerous attackers, including espionage outfits with ties to China, have frequently exploited long-standing flaws in Ivanti products. Since 2021, Ivanti has shipped software with a high number of vulnerabilities across at least ten different product lines, more than any other vendor in this market since the start of last year. According to cyber authorities, attackers have exploited seven flaws in Ivanti products so far this year, and 30 Ivanti flaws have been added to CISA's Known Exploited Vulnerabilities catalogue over the past four years.

“We support information sharing to aid defenders. This report covers threat actor activity from last fall that affected an end-of-life version of Cloud Services Appliance. Customers on fully patched or upgraded versions were not affected,” a spokesperson for Ivanti noted in a statement. “Ivanti released a patch in 2024 and strongly urged all customers to upgrade to CSA version 5.0, which was not affected by this vulnerability. The security and protection of our customers remain our top priority, and we are committed to supporting them.”

US Tariffs May Lead to Chinese Cyberattacks in Retaliation, Experts Warn

 

As the trade battle between the United States and China heats up, some cybersecurity and policy experts fear Beijing could retaliate in cyberspace. Shortly after the US raised its tax on imported Chinese goods to 104 percent on Wednesday last week, China raised its duty on American imports to 84 percent.

"China urges the US to immediately correct its wrong practices, cancel all unilateral tariff measures against China, and properly resolve differences with China through equal dialogue on the basis of mutual respect," the Office of the Tariff Commission of the State Council noted in a statement. 

Citing a "lack of respect" from Beijing, US President Trump raised the China tariff yet again, this time by 125 percent. The government later "paused" punitive tariffs on numerous other countries, but maintained the 125 percent tax on China. White House press secretary Karoline Leavitt told reporters, "President Trump will strike back harder when you strike at the United States of America.” 

There is growing concern that President Xi Jinping may use his army of cyber-spies to support the People's Republic, even though this back and forth has the potential to ruin trade between the two countries, drive up consumer costs, or cut off supply completely. 

"China will retaliate with systemic cyber attacks as tensions simmer over," cybersecurity advisor Tom Kellermann stated. "The typhoon campaigns have given them a robust foothold within critical infrastructure that will be used to launch destructive attacks. Trade wars were a historical instrument of soft power. Cyber is and will be the modern instrument of choice.” 

The "typhoon campaigns" refer to a sequence of digital incursions supported by the Chinese government that were revealed last year. Among them are Volt Typhoon, which has been infiltrating America's vital infrastructure since at least 2023 and plotting destructive cyberattacks against those targets, and Salt Typhoon, an espionage team that gained access to at least nine US government and telecom networks. 

"To the extent that China is holding back on conducting certain types of cyberattacks, it may feel less restrained now," noted Annie Fixler, director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies.

"The intelligence community has assessed that China has conducted operational preparation of the battlefield to disrupt US critical infrastructure and cause societal panic, impede US government decision making, and degrade our ability to mobilize forces," Fixler added. 

Beyond the espionage that is always going on, it is unclear what, if anything, Beijing-backed goons intend to do online in response to Trump's tariffs. However, financially motivated cybercriminals have already found ways to exploit confusion over the constantly changing trade rules.

China’s FamousSparrow APT Hits United States Via SparrowDoor Malware

 

A China-linked cyberespionage gang known as 'FamousSparrow' was caught using a new modular version of its signature backdoor 'SparrowDoor' against a US-based trade organisation. Security researchers at ESET spotted the activity and the new malware version, uncovering evidence that the attacker has been more active than previously believed since its last reported operations in 2022.

Apart from the financial organisation, ESET identified and linked further recent attacks to FamousSparrow, including a Mexican research facility and a Honduran government entity. In all of these incidents, initial access was acquired by exploiting obsolete Microsoft Exchange and Windows Server endpoints and infecting them with webshells. 

New modular SparrowDoor

ESET's investigation revealed two new variants of the SparrowDoor backdoor. The first is identical to a backdoor credited to 'Earth Estries,' with enhanced code quality, architecture, encrypted configuration, persistence methods, and stealthy command-and-control (C2) switching. A critical new feature that applies to both new versions is parallel command execution, which allows the backdoor to continue listening for and processing incoming commands while executing prior ones. 

"Both versions of SparrowDoor used in this campaign constitute considerable advances in code quality and architecture compared to older ones," reads the ESET report. "The most significant change is the parallelization of time-consuming commands, such as file I/O and the interactive shell. This allows the backdoor to continue handling new commands while those tasks are performed.” 

The latest version, which is a modular backdoor with a plugin-based architecture, includes the most significant modifications. Its operating capabilities can be expanded while staying covert and undetectable by receiving additional plugins from the C2 at runtime, which are fully loaded in memory. 

ShadowPad link 

Another notable finding in ESET's analysis is FamousSparrow's use of ShadowPad, a sophisticated modular remote access trojan (RAT) linked to various Chinese APTs.

In the attacks seen by the researchers, ShadowPad was loaded via DLL side-loading from a renamed Microsoft Office IME executable, injected into the Windows Media Player (wmplayer.exe) process, and connected to a known C2 server associated with the RAT. This suggests that FamousSparrow, like other state-sponsored entities, may now have access to advanced Chinese cyber tools.
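The loading chain above (renamed signed Microsoft binary, side-loaded DLL, injection into wmplayer.exe) is something a defender can correlate in endpoint telemetry. The following is an added detection example, not ESET's or the blog's code; it runs over constructed Sysmon-style events, and every field name, path and value (including the stand-in original file name "OFFICEIME.EXE") is an assumption.

```python
"""Correlate three stages of the ShadowPad loading chain in Sysmon-style events:
EID 1 (process create), EID 7 (image load) and EID 8 (CreateRemoteThread).
Added example; telemetry below is constructed and not real IoCs."""
import ntpath  # Windows path handling regardless of the host OS
from collections import defaultdict

# Constructed telemetry. "OFFICEIME.EXE" stands in for the original file name of
# whichever Office IME binary was renamed; the report does not name it.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\ProgramData\svc\upd.exe",
     "OriginalFileName": "OFFICEIME.EXE", "Company": "Microsoft Corporation"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\ProgramData\svc\upd.exe",
     "ImageLoaded": r"C:\ProgramData\svc\helper.dll", "Signed": "false"},
    {"EventID": 8, "SourceProcessId": 4120,
     "SourceImage": r"C:\ProgramData\svc\upd.exe",
     "TargetImage": r"C:\Program Files\Windows Media Player\wmplayer.exe"},
    # Benign noise: a correctly named Microsoft binary loading a signed DLL.
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "Company": "Microsoft Corporation"},
    {"EventID": 7, "ProcessId": 5000, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]


def is_renamed_microsoft_binary(ev):
    """EID 1 where the on-disk name differs from the PE's OriginalFileName."""
    if ev.get("EventID") != 1 or ev.get("Company") != "Microsoft Corporation":
        return False
    on_disk = ntpath.basename(ev["Image"]).lower()
    return on_disk != ev.get("OriginalFileName", "").lower()


def is_sideload_candidate(ev):
    """EID 7 where an unsigned DLL is loaded from the loading EXE's own directory."""
    if ev.get("EventID") != 7 or ev.get("Signed", "true").lower() != "false":
        return False
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    return ntpath.dirname(ev["ImageLoaded"]).lower() == exe_dir


def is_wmplayer_injection(ev):
    """EID 8 whose target is wmplayer.exe and whose source is a different image."""
    if ev.get("EventID") != 8:
        return False
    target = ntpath.basename(ev["TargetImage"]).lower()
    source = ntpath.basename(ev["SourceImage"]).lower()
    return target == "wmplayer.exe" and source != target


def correlate(events):
    """Return process IDs showing all three stages; each stage alone is weak signal."""
    stages = defaultdict(set)
    for ev in events:
        if is_renamed_microsoft_binary(ev):
            stages[ev["ProcessId"]].add("renamed")
        if is_sideload_candidate(ev):
            stages[ev["ProcessId"]].add("sideload")
        if is_wmplayer_injection(ev):
            stages[ev["SourceProcessId"]].add("inject")
    wanted = {"renamed", "sideload", "inject"}
    return sorted(pid for pid, seen in stages.items() if seen >= wanted)


if __name__ == "__main__":
    print("suspicious process ids:", correlate(SAMPLE_EVENTS))
```

Each predicate on its own fires on ordinary software (updaters, plugin hosts), so the value is in requiring all three stages from the same process.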

According to ESET, Microsoft classifies Earth Estries, GhostEmperor, and FamousSparrow under a single threat cluster it refers to as Salt Typhoon. ESET tracks them as separate groups because there is no technical evidence to support that grouping. It acknowledges, however, that their tools share code and exploitation strategies, and that some infrastructure is reused.

These overlaps, according to ESET, are indicators of a common third-party supplier, sometimes known as a "digital quartermaster," who supports and lurks behind all of these Chinese attack groups.

Chinese APT Volt Typhoon Targets U.S. Power Utility in Prolonged Cyberattack


Chinese hackers involved in the Volt Typhoon attack spent over a year inside the networks of a major utility company in Littleton, Massachusetts. 

In a report published last week, Dragos, an operational technology (OT) cybersecurity firm, described their work assisting the Littleton Electric Light & Water Department in dealing with what was determined to be part of a larger effort by China's government to preposition their attackers within U.S. critical infrastructure, with the ultimate goal believed to be destructive action taken in the event of a conflict. 

US law enforcement claims the gang has infiltrated a number of vital infrastructure organisations in the United States, as well as Guam. According to Dragos, the Massachusetts utility found its systems had been compromised shortly before Thanksgiving in 2023.

David Ketchen, the utility's assistant general manager, received a phone call from the FBI on a Friday afternoon informing him of a possible compromise. On the following Monday, FBI agents and representatives from the Cybersecurity and Infrastructure Security Agency (CISA) arrived at the company's premises. 

The utility has provided power and water to the towns of Littleton and Boxborough, roughly 30 miles northwest of Boston, for over a century, but has struggled in recent years to keep up with the growing number of cyber threats. It approached Dragos after learning of the Volt Typhoon compromise. A review revealed that Volt Typhoon had been in the utility's networks since February 2023.

Dragos discovered evidence of the hackers' lateral movement and data exfiltration, but an investigation indicated that the "compromised information did not include any customer-sensitive data, and the utility was able to change their network architecture to remove any advantages for the adversary.” 

CISA and the FBI have repeatedly warned that the hackers are "looking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States," despite China's denials of any involvement in the Volt Typhoon compromises.

FBI and CISA Issue Warning of Ongoing 'Ghost' Ransomware Attacks


Ghost, a ransomware outfit, has been exploiting software and firmware flaws since January, according to an FBI and Cybersecurity and Infrastructure Security Agency (CISA) advisory issued last week.

The outfit, also known as Cring and based in China, focuses on internet-facing services with unpatched vulnerabilities that users could have fixed years ago, according to the agencies. Cybersecurity researchers first raised concerns about the group in 2021.

"This indiscriminate targeting of networks containing vulnerabilities has resulted in the compromise of organisations in more than 70 countries, including China," according to the notice issued by the Multi-State Information Sharing and Analysis Centre (MS-ISAC).

The notice lists the following as targets: Microsoft Exchange servers that are still vulnerable to the ProxyShell attack chain; servers running Adobe's ColdFusion for web applications; and unpatched Fortinet security appliances.

Critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses are among the victims listed since 2021, according to the notice. The goal is financial gain, with ransom demands occasionally amounting to hundreds of thousands of dollars.

“Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks,” the agencies further added. “In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day.” 

The notice claims that the ransomware outfit employs common hacking tools like Cobalt Strike and Mimikatz, and that the malware they deploy frequently has file names like Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. 

“The impact of Ghost ransomware activity varies widely on a victim-to-victim basis,” the agencies concluded. “Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral movement to other devices.” 

Prevention tips 

To defend against Ghost ransomware attacks, network defenders should take the following steps:

  • Create regular, off-site system backups that cannot be encrypted by ransomware. 
  • Patch the operating system, software, and firmware vulnerabilities as quickly as feasible.
  • Focus on the security holes targeted by Ghost ransomware (i.e., CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). 
  • Segment networks to restrict lateral movement from compromised devices. 
  • Implement phishing-resistant multi-factor authentication (MFA) for all privileged accounts and email service accounts.

China-backed APT40 Hacking Outfit Implicated for Samoa Cyberattacks

 

Samoa's national cybersecurity office issued an urgent advisory after the Chinese state-sponsored cyber outfit APT40 escalated its attacks on government and critical infrastructure networks across the Pacific. 

Samoa's Computer Emergency Response Team, or SamCERT, has warned that APT40 is using fileless malware and modified commodity malware to attack and persist within networks without being detected. 

The majority of Chinese nation-state activity has focused on Southeast Asia and Western nations, but the advisory, based on SamCERT investigations and intelligence from partner nations, warned of digital spying threats posed by the outfit's prolonged presence within targeted networks in the Blue Pacific region, which includes thousands of islands in the vast central Pacific Ocean. 

"It is essential to note that throughout our investigations we have observed the threat actor pre-positioning themselves in the networks for long periods of time and remaining undetected before conducting exfiltration activity," SamCERT noted. "This activity is sophisticated.” 

In August 2023, China-aligned APT40, tracked by Google as IslandDreams, launched a phishing attack aimed at victims in Papua New Guinea. The emails carried multiple attachments, including an exploit, a password-protected fake PDF that could not be opened, and an .lnk file. The .lnk file was crafted to execute a malicious .dll payload fetched from either a hard-coded IP address or a file-sharing website.

The final stage of the attack attempts to install BoxRat, an in-memory backdoor for .NET that connects to the attackers' botnet command-and-control network via the Dropbox API. 

APT40, which was previously linked to operations in the United States and Australia, has moved its attention to Pacific island nations, where it employs advanced tactics such as DLL side-loading, registry alterations, and memory-based malware execution. The group's methods also include using modified reverse proxies to gather sensitive data while concealing command-and-control communications. 

SamCERT's findings indicate that APT40 gains long-term access to networks, executing reconnaissance and data theft operations over extended periods. The outfit relies on lateral movement across networks, often using legitimate administrative tools to bypass security measures and maintain control. 

The agency recommends that organisations conduct methodical threat hunting, enable comprehensive logging, and review their incident response procedures. It further recommends that endpoints and firewalls be patched immediately to close the vulnerabilities exploited by APT40.

Chinese Hackers Exploit Unpatched Fortinet Zero-Day Vulnerability

 

A Chinese state-sponsored actor abused an unpatched, unreported Fortinet vulnerability, despite the fact that the flaw was reported to the security firm in July. 

Volexity, a threat intelligence vendor, published research earlier this week describing a new zero-day flaw, one without a current CVE designation, that allowed a Chinese state-sponsored actor known as "BrazenBamboo" to steal credentials from instances of Fortinet's Windows VPN client, FortiClient.

Perhaps most notably, Volexity stated that it disclosed the issue to Fortinet on July 18, with the latter acknowledging the report on July 24. "At the time of writing, this issue remains unresolved, and Volexity is not aware of an assigned CVE number," Volexity researchers Callum Roxan, Charlie Gardner, and Paul Rascagneres said in the blog post. 

Volexity's report does not describe the flaw itself. The researchers characterise it only as a "zero-day credential disclosure flaw in Fortinet's Windows VPN client that allowed credentials to be stolen from the memory of the client's process." The blog also provides YARA rules, indicators of compromise, and an in-depth look at BrazenBamboo's "Deepdata" post-exploitation tool, which was used in the activity targeting the vulnerability. 

Roxan, Gardner, and Rascagneres said that their investigation began with the identification of an archive file associated with BrazenBamboo, which could be linked to a known Chinese advanced persistent threat (APT) group. The researchers uncovered files in the package related to Windows malware families known as "Deepdata" and "Deeppost," as well as a Windows form of LightSpy malware.

Deepdata, according to Volexity researchers, is a modular utility for Windows that "facilitates the collection of private data from a compromised system," and requires the perpetrator to already have command-line access to the target device. It features both a loader and a virtual file system. Deeppost is a post-exploitation data exfiltration program that transfers files to a remote system. The researchers discovered the Fortinet zero-day after uncovering a FortiClient plugin in Deepdata. 

"DEEPDATA supports a wide range of functionality to extract data from victims' systems. The observed functionality of several plugins is commonly seen and includes items typically stolen from victim systems," researchers explained. "However, Volexity noted the FortiClient plugin was uncommon and investigated it further. Volexity found the FortiClient plugin was included through a library with the filename msenvico.dll. This plugin was found to exploit a zero-day vulnerability in the Fortinet VPN client on Windows that allows it to extract the credentials for the user from memory of the client's process.”

The researchers further stated that "the FortiClient plugin looks for the username, password, remote gateway, and port from two different JSON objects in memory." Meanwhile, LightSpy is a command-and-control spyware that has previously been linked to campaigns targeting Hong Kong citizens. The malware is generally employed in attacks on Android, iOS, and macOS devices, so it's noteworthy that Volexity received files of a Windows edition.

Chinese Threat Actors Leveraging 'Noodle RAT' Backdoor

 

A backdoor in Executable and Linkable Format (ELF) files used by Chinese hackers has been misidentified as a variant of existing malware for years, Trend Micro stated in a recent analysis. 

In Noodle RAT: Reviewing the New Backdoor utilised by Chinese-Speaking Groups, a blog post based on a Botconf 2024 presentation, Trend Micro Research revealed Noodle RAT, a remote access Trojan employed by Chinese-speaking groups involved in espionage or criminal activity.

Noodle RAT, aka ANGRYREBEL or Nood RAT, has been active since at least 2018. However, it was always regarded as a variant of an existing malware strain, such as Gh0st RAT or Rekoobe.

“For instance, NCC Group released a report on a variant of Gh0st RAT used by Iron Tiger in 2018. Talos released a report on an ELF backdoor used by Rocke (aka Iron Cybercrime Group) in 2018. Sophos released a report on a Linux version of the Gh0st RAT variant used in the Cloud Snooper Campaign in 2018. Positive Technology Security released a report on Calypso RAT used by Calypso APT in 2019,” noted Trend Micro. 

The cybersecurity provider's threat intelligence team revealed that the ELF backdoor mentioned in these reports was actually a new malware strain known as Noodle RAT. 

Noodle RAT: New Malware Strain

Since 2020, the researchers claim to have discovered espionage campaigns employing Noodle RAT that targeted Thailand, India, Japan, Malaysia, and Taiwan. 

The Windows version of Noodle RAT has several links to Gh0st RAT, a malware strain developed by the C. Rufus Security Team in China and exposed in 2008. For example, Win.NOODLERAT and Gh0st RAT share plugins, and the former uses a packet encryption method somewhat similar to that employed by various Gh0st RAT variants, including Gh0stCringe, HiddenGh0st, and Gh0stTimes. 

However, the rest of Win.NOODLERAT's code does not appear to resemble Gh0st RAT's, prompting Trend Micro to infer that the plugins were simply reused even though the backdoor itself is completely different. 

Additionally, some of Linux.NOODLERAT's code is identical to Rekoobe v2018, a backdoor built on Tiny SHell (or tsh), whose source code is freely available on GitHub. Specifically, both use the same reverse shell and process name spoofing techniques. 

“Still, since the rest of the code of Linux.NOODLERAT is totally different from any version of Rekoobe or Tiny SHell, we can conclude that Linux.NOODLERAT should be classified as another malware family,” Trend Micro concluded.