Search This Blog

Showing posts with label Chinese Hackers. Show all posts

Cheerscrypt Spyware Attributed to Chinese APT Entity

The Emperor Dragonfly Chinese hacker group, notorious for frequently switching between several ransomware families to avoid detection, has been connected to the Cheerscrypt virus. 

The attacks were linked by the cybersecurity company Sygnia to a threat actor also dubbed Bronze Starlight and DEV-0401. The hacking gang seems to be a ransomware operation, but past research suggests that the Chinese government is interested in many of its victims.

Cheerscrypt is the most recent addition to a long range of ransomware families that the gang has previously used, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0 in a little over a year.

Recently, Sygnia researched a Cheerscrypt ransomware operation that utilized Night Sky ransomware TTPs. The attackers then dropped a Cobalt Strike beacon linked to a C2 address formerly tied to Night Sky operations. 

The code for the Babuk ransomware, which was exposed online in June 2021, was used to develop the Cheerscrypt ransomware family, which Trend Micro first analyzed in May 2022. Cheerscrypt is one of several ransomware families used by the APT organization. The DEV-0401 group, unlike other ransomware gangs, oversees every stage of the assault chain directly, from the first access to the data theft. It does not rely on a system of affiliates.

A significant Log4Shell vulnerability in Apache Log4j was utilized by hackers in January 2022 assaults to acquire initial access to VMware Horizon servers. They subsequently dropped a PowerShell payload that was used to send an encrypted Cobalt Strike beacon. Apart from the beacon, the hackers also sent three Go-based tools: a keylogger that sent keystrokes to Alibaba Cloud, a customized version of the internet proxy tool iox, and the tunneling program NPS.

Trend Micro initially identified Cheerscrypt in May 2022, highlighting its capacity to target VMware ESXi servers as a component of a tried-and-true strategy known as double extortion to force its victims into paying the ransom or risk having their data exposed.

The hackers break into networks, take information, and encrypt devices just like other ransomware groups that target businesses. The victim is then coerced into paying a ransom through double-extortion methods using the data. The stolen data is posted on a data leak website when a ransom is not paid.

A PowerShell payload that can deliver an encrypted Cobalt Strike beacon has been dropped on VMware Horizon servers by infection chains that have exploited the major Log4Shell vulnerability in the Apache Log4j library.

Cheerscrypt and Emperor Dragonfly share initial access vectors, and lateral movement strategies, including the use of DLL side-loading to distribute the encrypted Cobalt Strike beacon. Notably, the ransomware gang is acting as a 'lone wolf' separated from the rest of the cybercrime community rather than as a RaaS (Ransomware-as-a-Service) platform for affiliates.

Middle East Targeted via Steganography

A hacktivist gang that has previously attacked an African country's stock exchange with malware and seized vast amounts of data is now focusing on the governments of several Middle Eastern countries.

ESET, a cybersecurity company, discovered Witchetty also known as LookingFrog for the first time in April 2022. It is thought to be closely associated with the state-sponsored Chinese threat actor APT10 formerly known as Cicada. The gang is also regarded as TA410 personnel, who have previously been connected to strikes against American energy suppliers.

A threat actor identified as Witchetty was seen by Broadcom's Symantec Threat Hunter Team utilizing steganography to conceal an unknown backdoor in a Windows logo.

The new malware uses steganography, a method for hiding a message in an openly available document, to extract dangerous code from a bitmap image of a previous version of the Microsoft Windows logo.

In the campaign that Symantec found, Witchetty is utilizing steganography to conceal backdoor software that is XOR-encrypted in an outdated Windows logo bitmap picture.

"By disguising the payload in this way, the attackers were able to host it on a reliable, cost-free service. Downloads from reputable servers like GitHub are much less likely to cause concern than downloads from a command-and-control (C&C) server that is under the control of an attacker" the researchers stated.

Backdoor employment

The employment of another backdoor known as Stegmap is highlighted in Symantec's most recent investigation of attacks between February and September 2022, when the organization attacked the governments of two Middle Eastern countries as well as the stock exchange of an African nation. 

Like many backdoors, Stegmap includes a wide range of features that enable it to do file manipulation operations, download and run executables, stop processes, and alter the Windows Registry. The hackers updated their toolset for this effort to target the vulnerabilities, and they used steganography to shield their harmful payload from antivirus software.

By taking advantage of the Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) attack chains to drop web shells on susceptible servers, the threat actors acquire initial access to a network and launch the attack. 

According to the chronology of an attack on a Middle Eastern government organization, Witchetty maintained remote access for as long as six months and carried out a variety of post-exploitation activities, such as network enumeration and the installation of custom malware, up to September 1, 2022.

Governments and state institutions around the world, including those in Asia and Africa, continue to face active threats from TA410 and Witchetty. The best defense against such attacks is to implement security upgrades as soon as they are available. In the campaign that Symantec has identified, the hackers depend on last year's flaws to infiltrate the target network and take advantage of the subpar management of publicly accessible servers.

Chinese Hackers Deploy Shadowpad Backdoor to Target Industrial Control Systems in Asia


ShadowPad, a sophisticated and modular backdoor is back in action. Russian cybersecurity firm Kaspersky has unearthed a series of assaults that targeted unpatched Microsoft Exchange servers in multiple Asian nations. 

Researchers initially spotted the ShadowPad backdoor on industrial control systems (ICS) at a telecoms firm in Pakistan, where the hackers targeted engineering computers in building automation systems. Further investigation uncovered wide activity on the network, along with multiple organizations targeted in Pakistan, Afghanistan, and Malaysia. 

"During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems of one of the victims," Kaspersky ICS CERT researcher Kirill Kruglov stated. "By taking control over those systems, the attacker can reach other, even more sensitive systems of the attacked organization." 

"Building automation systems are rare targets for advanced threat actors. However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures." 

Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. However, traces of the attacks on compromised devices indicates that the malicious campaign began in March 2021, right around the time the ProxyLogon vulnerabilities in Exchange Servers became public knowledge. 

Besides deploying ShadowPad as "mscoree.dll," an authentic Microsoft .NET Framework component, the attacks also involved the use of Cobalt Strike, a PlugX variant called THOR, and web shells for remote access. Although the ultimate goal of the campaign remains unknown, the hackers are believed to be interested in long-term intelligence gathering. 

ShadowPad, which emerged in 2015 as the successor to PlugX, is a privately sold modular malware platform that has been leveraged by multiple Chinese espionage actors over the years. While its design allows users to remotely deploy additional plugins that can extend its functionality beyond covert data collection, what makes ShadowPad dangerous is the anti-forensic and anti-analysis techniques incorporated into the malware. 

ShadowPad gained popularity in 2017 when it was employed in software supply chain assaults involving CCleaner, NetSarang, and the ASUS Live Update utility. The BRONZE ATLAS threat group was blamed for these campaigns. A Microsoft complaint from 2017 and DOJ indictments published in 2020 provide more insights on ShadowPad's relationship to BRONZE ATLAS.

 GALLIUM APT Deployed a New PingPull RAT

According to Palo Alto Networks researchers, the PingPull RAT is a "difficult-to-detect" backdoor that uses the Internet Control Message Protocol (ICMP) for C2 connections. Experts also discovered PingPull variations that communicate with each other using HTTPS and TCP rather than ICMP.

Gallium, a Chinese advanced Trojan horse (APT), has an ancient legacy of cyberespionage on telecommunications companies, dating back to 2012. In 2017, the state-sponsored entity, also called Soft Cell by Cybereason, has been linked to a broader range of attacks aimed at five major Southeast Asian telecom businesses. However, during the last year, the group's victimology has expanded to include financial institutions and government agencies in Afghanistan, Austria, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. 

A threat actor can use PingPull, a Visual C++-based virus, to gain access to a reverse shell and run unauthorized commands on a compromised computer. File operations, detailing storage volumes, and timestamping files are all part of it now. 

The researchers explained that "PingPull samples which use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server." "The C2 server will send commands to the system by responding to these Echo queries with an Echo-Reply packet." 

PingPull variants that use HTTPS and TCP rather than ICMP to interact with its C2 server have been discovered, along with over 170 IP addresses associated with the company since late 2020. Although the threat actor is recognized to exploit internet-exposed programs to acquire an initial foothold and deploy a customized form of the China Chopper web shell to create persistence, it's not obvious how the targeted networks are hacked. 

Throughout Southeast Asia, Europe, and Africa, the GALLIUM trojan continues to pose a serious danger to telecommunications, finance, and government organizations. It is recommended all businesses use the results of researchers to inform the implementation of protective measures to guard against this threat group, which has deployed a new capability called PingPull in favor of its espionage efforts.

Chinese Hackers are Targeting Russian Aerospace Industry


Space Pirates, a Chinese cyberespionage group is targeting businesses in the Russian aerospace industry with phishing emails to deploy a novel strain of malware. 

The APT group started operating in 2017, and researchers believe it is associated with other China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27. Russian security researchers at Positive Technologies named the group "Space Pirates" due to their espionage operations focusing on stealing confidential information from companies in the aerospace field. 

Malicious actors targeted government agencies, IT departments, and aerospace and power enterprises in Russia, Georgia as well as Mongolia. However, the majority of victims were spotted to be in Russia. Out of those, several victims operated specifically within the partially state-owned aerospace industry of the Russian Federation. 

The researchers first uncovered signs of Space Pirates' activity last summer during incident response and quickly confirmed that the malicious actors employed the same malware and infrastructure against at least four more domestic organizations since 2019. 

According to researchers, at least two attacks on Russian organizations were successful. In one instance, Space Pirates accessed at least 20 servers on the corporate network and stayed there for ten months; 1,500 internal documents were stolen, together with information about all employee accounts in one of the network domains. 

In the second assault, the Chinese attackers stayed in the network of the compromised firms for over a year, exfiltrating confidential information and deploying their malware to 12 corporate network nodes in three distinct regions. 

The Space Pirates’ unique toolkit contains a wide range of malware, including unique loaders and multiple previously undetected backdoors tracked as MyKLoadClient, BH_A006, and Deed RAT. The arsenal also includes the Zupdax backdoor along with well-known malware such as PlugX RAT, ShadowPad backdoor, Poison Ivy RAT, a modified version of PcShare, and the public ReVBShell shell. The APT group also leverages the dog-tunnel utility to tunnel traffic. 

The threat analysts believe that the overlaps between various Chinese APTs are due to tool exchanges, a common phenomenon for hackers in the region. 

“APT groups with Asian roots continue to attack Russian companies, which is confirmed by the activity of the Space Pirates group. Attackers both develop new malware that implements non-standard techniques (such as Deed RAT) and uses modifications of existing backdoors. Sometimes such modifications can have many layers of obfuscation added to counteract protections and complicate the analysis procedure – as in the case of BH_A006, built on the code of the popular Gh0st backdoor,” researchers explained. 

“A separate difficulty in the case of APT groups in the Asian region is the exact attribution of the observed activity: the frequent exchange of tools used, as well as the joint activity of various groups in some cases, significantly complicate this task.”

This New Malware Uses Windows Bugs to Conceal Scheduled Tasks


Microsoft has found a new malware employed by the Chinese-backed Hafnium hacking group to create and hide scheduled activities on compromised Windows PCs in order to sustain persistence. 

Cyberespionage attacks by the Hafnium threat group have previously targeted US defence businesses, think tanks, and researchers. It's also one of the state-sponsored groups Microsoft has tied to the global exploitation of the ProxyLogon zero-day vulnerability, which affected all supported Microsoft Exchange versions last year. 

The Microsoft Detection and Response Team (DART) stated, "As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defence evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification." 

Tarrask, a hacking tool, hides them from "schtasks /query" and Task Scheduler by removing the related Security Descriptor registry value, which is a previously undiscovered Windows flaw. 

By re-establishing dropped connections to command-and-control (C2) infrastructure, the threat group was able to keep access to the infected devices even after reboots. While the Hafnium operators could have deleted all on-disk artefacts, including all registry keys and the XML file uploaded to the system folder, this would have destroyed persistence between restarts. 

The "hidden" tasks can only be discovered by performing a manual search of the Windows Registry for scheduled tasks that do not have an SD (security descriptor) Value in their Task Key. 

Admins can additionally check for important events associated to tasks "hidden" by Tarrask malware by enabling the Security.evtx and Microsoft-Windows-TaskScheduler/Operational.evtx logs. Microsoft also suggests setting logging for 'TaskOperational' in the Microsoft-Windows-TaskScheduler/Operational Task Scheduler log and keeping an eye on outbound connections from crucial Tier 0 and Tier 1 assets. 

DART added, "The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure. We recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique."

Hackers from China's 'Mustang Panda' were Utilizing New 'Hodur' Malware


Mustang Panda (a.k.a. Temp.Hex, HoneyMyte, TA416 or RedDelta), a China-based advanced persistent threat (APT), has been traced to an ongoing cyberattack campaign using a formerly undocumented variation of the PlugX remote access trojan on affected workstations mostly in and around Southeast Asia. For its similarities to another PlugX (aka Korplug) variation called THOR which surfaced in July 2021, slovak cybersecurity firm ESET termed the current version Hodur. 

Korplug is a proprietary virus used widely, it was initially uncovered in a 2020 investigation that looked into Chinese hackers' activities against Australian targets. Mustang Panda employs phishing lures with counterfeit papers to target European embassies, ISPs (Internet Service Providers), and research institutes in the most recent known campaign, according to cybersecurity firm ESET. "Anti-analysis measures and control-flow obfuscation are used at every level of the deployment process," the firm told.

Hodur is based on PlugX, a remote access tool that "allows remote users to steal data or take control of impacted systems without authorization. It can copy, move, rename, execute, and delete files, as well as log keystrokes and fingerprint the infected system." The infections end with the implementation of the Hodur backdoor on the infected Windows host, irrespective of the phishing lure used. 

As formerly stated, the campaign begins simply, with the group phishing its targets using current events. Proofpoint identified it using a NATO diplomat's email address to send out.ZIP and.EXE files labeled "Situation at the EU Borders with Ukraine" last month. If a victim accepts the bait, a legitimate, properly signed executable prone to DLL search-order hijacking will be delivered. Russia, Greece, Cyprus, South Africa, Vietnam, Mongolia, Myanmar, and South Sudan are the countries targeted in this campaign. 

ESET claims to have sampled sophisticated custom loaders as well as new Korplug (Hodur) versions still using DLL side-loading but has considerably more robust obfuscation and anti-analysis techniques across the infection chain. The side-loading custom DLL loader uses a digitally-signed genuine executable, in this case, a SmadAV file, and leverages a known flaw. Except for one, which loads the new Korplug variation, the loader's many functions are all fake. 

As it is a Chinese actor with a history of pursuing higher political espionage purposes, the scope of its targeting should be rather consistent.

Chinese Hackers Target Betting Firms in South East Asia


An unknown Chinese-speaking advanced persistent threat (APT) has been associated to a new campaign targeting betting firms in South East Asia, specifically Taiwan, the Philippines, and Hong Kong. 

The campaign, which Avast dubs Operation Dragon Castling (ODC), is exploiting a security loophole (CVE-2022-24934) in WPS Office to deploy a backdoor on the targeted systems. The vulnerability has since been addressed by Kingsoft Office, the developers of the office software. However, with 1.2 billion WPS Office downloads around the globe, there are likely a high number of systems open to compromise. 

According to Avast researchers, the bug was exploited to deploy a malicious binary from a fake update server with the domain update.wps[.]cn that triggers a multi-stage infection chain that leads to the deployment of intermediate payloads and allows for privilege escalation before finally deploying the Proto8 module. 

"The core module is a single DLL that is responsible for setting up the malware's working directory, loading configuration files, updating its code, loading plugins, beaconing to [command-and-control] servers, and waiting for commands," Avast researchers Luigino Camastra, Igor Morgenstern, Jan Holman explained. 

Proto8’s plugin-based technique applied to prolong its functionality permits the malware to achieve persistence, bypass user account control (UAC) mechanisms, develop new backdoor accounts, and even execute arbitrary commands on the infected program. 

While researchers haven’t linked this malicious campaign to any known actors, they believe it is the work of a Chinese APT either looking to gather intelligence or achieve financial gains. Considering the nature of the targets, which is betting companies, the motive of the threat actors may have been to steal financial credentials or take over accounts and cash out escrow balances. 

The techniques and the powerful toolset employed in the campaign reflect a skillful adversary, so not being able to make attributions with high confidence is somewhat expected. However, this isn’t the first instance that China-sponsored hackers have targeted betting firms. 

Last year in January 2021, Chinese hackers targeted gambling firms that have been promoting their products to Chinese nationals without authorization. Attackers demanded at least $100 million be paid in Bitcoin to restore access to gambling operators’ servers, but companies remained adamant in the face of the threat and never paid a penny.

China-Sponsored Hacking Groups are Targeting Ukrainian government


Google's Threat Analysis Group (TAG) has unearthed a cyberespionage operation sponsored by the Chinese People's Liberation Army (PLA) and other Chinese intelligence agencies targeting Ukrainian government to gather information on the ongoing conflict.

Billy Leonard, a security engineer at Google TAG, said Google has informed that Ukrainian government agencies are targeted by China-sponsored hacking groups. 

"Over the last few weeks Google TAG has identified a govt backed actor from CN targeting Ukrainian govt orgs, and we provided notifications to impacted parties,"  Billy Leonard said. “While our priority is providing notifications to impacted parties, we've provided related IOCs to community partners, and we will publish more details for the security community in the near future." 

Group leader Shane Huntley also confirmed Leonard’s assessment, saying that “the Ukrainian war has not only attracted the attention of European threatening players, but China is working hard here too.”

Last week, the hacktivist collective group Intrusion Truth stated that the campaign was directly sponsored by the Chinese government. The group announced that it is sharing IOCs with community partners and plan to provide additional details on the ongoing attacks in the future. 

Google TAG’s report on China’s ongoing cyber activity in Ukraine follows another warning issued a week ago regarding a Chinese-sponsored hacking group tracked as APT31 targeting Gmail users linked with the U.S. government. A day ago, Google security researchers disclosed that Russia and Belarus targeted Ukrainian and European government and military organizations in extensive phishing and DDoS assaults. 

"In the last 12 months, TAG has issued hundreds of government-backed attack warnings to Ukrainian users alerting them that they have been the target of government-backed hacking, largely emanating from Russia," stated Shane Huntley.

Google also reported China-backed Mustang Panda cyberespionage group (also known as Temp.Hex and TA416) have also switched to phishing assaults on European entities using lures linked with the invasion of Ukraine. 

In some attacks identified by Google, hackers employed malicious attachments with file names such as ‘Situation at the EU borders with’. On the same day, Proofpoint revealed that Mustang Panda was found phishing “European diplomatic organizations, including refugees and individuals involved in migrant services.”

Gh0stCringe Malware Recently Attacked Insecure Microsoft SQL and MySQL Servers


Hackers are deploying the Gh0stCringe remote support trojans on vulnerable computers by inadequately targeting secured Microsoft SQL and MySQL database servers. 

Gh0stCringe, also known as CirenegRAT, is a Gh0st RAT malware variant that was most recently used in Chinese cyber-espionage activities in 2020, however, it has been around since 2018. The malware has several instructions and functionalities which can be activated after the malware connects to its command and control server, or through data stored in the virus's settings. 

Attackers can use Gh0stCringe to download payloads like crypto miners from C2 servers, access specified websites via the Internet Explorer web browser, and even wipe the start-up disk's Master Boot Record (MBR). The malware includes a keylogger, which records input data in the Default. key file in the Windows System directory if it is activated. 

Threat actors are infiltrating database servers and writing the malicious'mcsql.exe' executable to disc utilizing the mysqld.exe, mysqld-nt.exe, and sqlserver.exe processes. These assaults are comparable to the Microsoft SQL server attempts, which used the Microsoft SQL xp cmdshell command to drop Cobalt Strike beacons. In addition to Gh0stCringe, AhnLab's study notes the presence of numerous malware samples on the investigated servers, implying potentially competing threat actors are infiltrating the same servers to drop payloads with its own operations.

Gh0stCringe RAT is a strong virus that can connect to a C2 server to receive custom commands or exfiltrate stolen data to the enemies. For an endless loop, the keylogging component uses the Windows Polling method (GetAsyncKeyState API) to ask the state of each key. This otherwise dependable recording mechanism carries the risk of very high CPU utilization, however, this is unlikely to cause issues for threat actors on poorly maintained servers. The malware will also record keystrokes for the previous three minutes and send them to the infection's command and control servers along with basic system and network information. 

Threat actors will be able to steal login passwords and other sensitive information that logged-in users entered on the device using these logged keystrokes. CirenegRAT has four operational modes: 0, 1, 2, and a specific Windows 10 mode which the threat actor can choose from during deployment.

Update your server software to install the most recent security upgrades, which can help you avoid a variety of attacks to make use of known flaws. It's also critical to use a secure admin password that can't be brute-forced. The most important step is to put the database server behind a firewall to only allow authorized devices to connect to it.

'Tropic Trooper' Makes a Comeback to Target Transportation Organizations


Trend Micro reports that a Chinese state-sponsored threat actor known as 'Tropic Trooper' has been targeting transportation firms and government bodies associated with the transportation sector since the middle of 2020. The advanced persistent threat (APT), also known as Earth Centaur and KeyBoy, has been active since 2011, conducting espionage attacks targeting organizations in the government, healthcare, high-tech, and transportation sectors in Hong Kong, the Philippines, and Taiwan. 

Trend Micro warned that the group attempted to access flight schedules, financial plans, and other internal documents at the target organizations, as well as any personal information available on the compromised hosts, including search histories, as part of the attacks carried out over the last year and a half.

According to the report, the analysts were able to tie the new Earth Centaur activity to Tropic Trooper after discovering comparable code in configuration decoding. “Currently, we have not discovered substantial damage to these victims as caused by the threat group,” Trend Micro’s analysts explained. “However, we believe that it will continue collecting internal information from the compromised victims and that it is simply waiting for an opportunity to use this data.” 

The researchers noticed that one of the group's signature tactics, techniques, and procedures (TTPs) includes astute red teamwork. According to the research, Earth Centaur is skilled at evading security and remaining unnoticed. “Depending on the target, it uses backdoors with different protocols, and it can also use the reverse proxy to bypass the monitoring of network security systems. The usage of the open-source frameworks also allows the group to develop new backdoor variants efficiently, ” the report said. 

According to the research, the threat group typically penetrates target computers via a weak Exchange or Internet Information Services (IIS) server, then drops backdoors such as ChiserClient and SmileSvr. According to the researchers, a customized version of Gh0st RAT then sets out to collect data from active sessions on the host. The attackers then go across the infiltrated organization's network and exfiltrate valuable data. 

The rise in threat actor's interest in transportation and government coincides with the November passage of the Infrastructure Deal, which promises massive investments across the transportation sector, including $39 billion for transit modernization, $89.9 billion for public transit, $25 billion for airports, $66 billion in rail funding, and much more. The government is set to pour billions of dollars into the transportation sector, and Earth Centaur appears to be perfectly prepared to profit.

Taiwanese Government Suffers 5 Million Cyber Attacks Per Day


The Taiwanese government faces Five Million cyberattacks per day. Nearly half of them are believed to be originated from China. 

Cyber security department director Chien Hung-Wei told parliament representatives on Wednesday that government infrastructure faces “five million attacks and scans a day”. Security experts are working tirelessly to strengthen defensive measures and collect relevant data for examination in a bid to stop the assaults.

Taiwan’s defence ministry warns of an increase in the attacks carried by China-linked actors against its systems. The ministry accused China of ramping up since the 2016 election of President Tsai Ing-wen, who always claimed the independence of the island from Beijing. On the other end, Beijing considers the island as part of its own territory and does not exclude its military occupation in the future. 

According to the report shared by Taiwan’s defence ministry, the ministry of information security and protection centre handled around 1.4 billion “anomalies” from 2019 to August 2021 to prevent potential hacking. Last year in August 2020, Chinese attackers secured access to around 6,000 email accounts belonging to at least 10 Taiwan government agencies. 

Since 2018, the China-linked cyber espionage groups tracked as Blacktech and Taidoor have been targeting government agencies and information service providers. All these cyber assaults are part of a cyber espionage campaign, Taiwan Bureau Cyber Security Investigation Office reported. The Chinese government has increased diplomatic and economic pressure on Taiwan over the years, it also showed the muscles increasing military drills near the country in recent weeks. 

Many defence experts believe that the Chinese cyber warfare department is at least a decade ahead in terms of cyber capabilities and is aiming towards the goal of instantly disrupting or at least weakening the enemy’s computer networks so as to paralyze their decision-making capability at the very commencement of hostilities.

According to a paper titled China’s Cyber Warfare Capability and India’s Concerns, published in the Journal of Defence Studies, the author revealed that Chinese government is training its military personnel in Information Warfare. In 2013, a security firm Mandiant published a detailed report attributing a Chinese Military Unit to cyber espionage. This was perhaps the first time that such technical evidence and analysis linking activities to a government entity had been made public.

Chinese Researchers Hack iPhone 13 Pro in Record Time


Cyber security researchers from China won $1.88 million after hacking some of the world’s most popular software at the annual Tianfu Cup, the fourth edition of the international hacking contest held in the city of Chengdu, China. 

The Tianfu Cup is similar to Pwn2Own where participants get rewarded for exploiting vulnerabilities in widely used software and hardware. It was created in the wake of government regulation in the country that restricted researchers from participating in international hacking competitions. The first edition was held in autumn 2018 where security researchers successfully hacked Edge, Chrome, Safari, iOS, Xiaomi, Vivo, VirtualBox, and other devices.

This year’s edition took place over the weekend on October 16 and 17, where the Kunlun Lab team, whose CEO is a former CTO of Qihoo 360, hacked the iPhone 13 Pro operating on a fully patched version of iOS 15.0.2 in record time. The iPhone 13 Pro was hacked live on stage using a remote code execution exploit of the mobile Safari web browser. However, Kunlun Lab wasn't the only team to hack the iPhone 13 Pro. Team Pangu, which has a history of Apple device jailbreaking, also hacked a fully patched iPhone 13 Pro running iOS 15, but took a few extra minutes.

The other targets included Google Chrome operating on Windows 10 21H1, Adobe PDF Reader, Docker CE, Ubuntu 20/CentOS 8, Microsoft Exchange Server 2019, Windows 10, VMware Workstation, VMware ESXi, Parallels Desktop, Apple Safari running on Macbook Pro, iPhone 13 Pro running iOS 15, domestic mobile phones running Android, QEMU VM, Synology DS220j DiskStation, and ASUS RT-AX56U router. 

The hacking contest saw three independent and parallel competitions. The competitions included PC, mobile, and server, and eight categories: Virtualization Software, Operating System Software, Browser Software, Office Software, Mobile Intelligent Devices, Web Services, and Applications Software, DNS Services Software, and Common Management Services Software.

The hacking competition also included a separate trade show and cybersecurity conference, which this year was presented by Qi Xiangdong, chairman of security firm QiAnXin, and also included sections dedicated to smart vehicle security, IoT security, artificial intelligence security, and smart city security.

Mozi Botnet Creators Arrested by Chinese Law Enforcement Authorities


Cybersecurity researchers from the Chinese information security firm Netlab Qihoo 360 reported that at the beginning of this year the authors of the Mozi IoT botnet were detained by Chinese law enforcement authorities, nearly two years after the malware appeared on the threat landscape in late 2019.

“Mozi uses a P2P [peer-to-peer] network structure, and one of the 'advantages' of a P2P network is that it is robust, so even if some of the nodes go down, the whole network will carry on, and the remaining nodes will still infect other vulnerable devices, that is why we can still see Mozi spreading," said Netlab researchers.

The development takes place within two weeks after Microsoft Security Threat Intelligence Center disclosed the malware's new capabilities allows it to block the web traffic on compromised systems via techniques such as DNS spoofing and HTTP session hijacking aimed at redirecting users to malicious domains. 

At its peak, the malware infected up to 160,000 systems a day and in total managed to compromise more than 1,500,000 different devices, more than half of which (830,000) were located in China, according to a report from Netlab Qihoo 360. 

Mozi, which emerged from the source code of Mirai variants and the Gafgyt malware, has accumulated over 15,800 unique command and control nodes as of April 2020, up from 323 nodes in December 2019, according to a report from Lumen's Black Lotus Labs. By the time the malware was discovered by 360 Netlab researchers, it was actively targeting Netgear, D-Link, and Huawei routers by probing for weak Telnet passwords to compromise them.

Exploiting the use of weak and default remote access passwords as well as through unpatched vulnerabilities, the botnet propagates by infecting routers and digital video recorders to co-opt the devices into an IoT botnet, which could be abused for launching distributed denial-of-service (DDoS) attacks, data exfiltration, and payload execution. 

According to Netlab, the creators of Mozi also packed in additional upgrades, which includes a mining trojan that spreads in a worm-like fashion through weak FTP and SSH passwords, expanding on the botnet's features by following a plug-in like approach to designing custom tag commands for different functional nodes. "This convenience is one of the reasons for the rapid expansion of the Mozi botnet," the researchers said. 

"The Mozi botnet samples have stopped updating for quite some time, but this does not mean that the threat posed by Mozi has ended. Since the parts of the network that are already spread across the Internet have the ability to continue to be infected, new devices are infected every day,” the researchers warned. 

The malware also used the DHT protocol to design a peer-to-peer (P2P) system between all the compromised devices, allowing bots to send updates and operational instructions to each other directly, which also allowed Mozi to continue to perform even without a central command and control (C&C) server.

Microsoft Links SolarWinds Serv-U SSH 0-Day Attack to a Chinese Hacking Group


Microsoft Threat Intelligence Center has published technical facts regarding a now-patched, 0-day remote code execution exploit affecting SolarWinds Serv-U managed file transfer service software that it has attributed with "high confidence" to a hacking group functioning out of China.

In early July, Microsoft Offensive Research & Security Engineering team addressed a remote code execution flaw (CVE-2021-35211) that was present in Serv-U's implementation of the Secure Shell (SSH) protocol, which could be exploited by cyber criminals to execute arbitrary code on the compromised system, including the ability to install destructive programs and check out, modify, or delete delicate data. 

"The Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration," Microsoft Offensive Research and Security Engineering team explained in a detailed write-up describing the exploit.

"An attacker can exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. When successfully exploited, the vulnerability could then allow the attacker to install or run programs, such as in the case of the targeted attack we previously reported," the researchers added.

Though Microsoft attributed the attacks to DEV-0322, a China-based hacking group citing "observed victimology, tactics, and procedures," the firm has now disclosed the remote, pre-auth vulnerability originated from the manner the Serv-U process managed access violations without terminating the process, thereby making it straightforward to pull off stealthy, dependable exploitation tries. 

"The exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context. This, in turn, could allow the use of uninitialized data as a function pointer during the decryption of successive SSH messages,” the researchers said. 

"Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. We also discovered that the attackers were likely using DLLs compiled without address space layout randomization (ASLR) loaded by the Serv-U process to facilitate exploitation," the researchers further explained.

ASLR is a protection mechanism primarily used to protect against buffer overflow attack by randomly arranging the handle room positions where system executables are loaded into memory. 

After a thorough examination of the SolarWinds hack, Microsoft researchers advised the affected organizations to enable ASLR compatibility for all binaries loaded in the Serv-U procedure."ASLR is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U," the researchers concluded.

Last year in December, Microsoft revealed that a different espionage group may have been exploiting the IT infrastructure provider's Orion software to install a persistent backdoor called Supernova on contaminated devices. Cybersecurity firm SecureWorks attributed the intrusions to a China-linked hacking group called Spiral.

ShadowPad Malware is Being Sold Privately to Chinese Espionage


Since 2017, five separate Chinese threat groups have used ShadowPad, an infamous Windows backdoor that allows attackers to download additional harmful modules or steal data. In a detailed overview of the malware, SentinelOne researchers Yi-Jhen Hsieh and Joey Chen said that "adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors," adding that "some threat groups stopped developing their own backdoors after they gained access to ShadowPad." 

ShadowPad was released in 2015 as a replacement for PlugX. However, it wasn't until several well-known supply-chain incidents – CCleaner, NetSarang, and ShadowHammer – that it began to gain considerable public attention. Unlike the publicly available PlugX, ShadowPad is only available to a selected group of people. ShadowPad has been called a "masterpiece of privately sold malware in Chinese espionage" by an American cybersecurity firm. 

ShadowPad is a shellcode-based modular backdoor. A layer of an obfuscated shellcode loader is in charge of decrypting and loading a Root plugin during execution. While the Root plugin's chain of operations decrypts, it loads other shellcode-embedded plugins into memory. To date, at least 22 different plugins have been discovered. 

Additional plugins can be remotely uploaded from the C&C server in addition to the ones included, allowing users to dynamically add functionality that isn't present by default. A Delphi-based controller is in charge of the infected machines, which is used for backdoor communications, upgrading the C2 infrastructure, and controlling the plugins.

"While ShadowPad is well-designed and highly likely to be produced by an experienced malware developer, both its functionalities and its anti-forensics capabilities are under active development," the researchers said. 

ShadowPad-related attacks have lately targeted Hong Kong-based firms as well as key infrastructure in India, Pakistan, and other Central Asian countries. The implant is known to be shared by multiple Chinese espionage actors, including Tick, RedEcho, RedFoxtrot, and clusters dubbed Operation Redbonus, Redkanku, and Fishmonger, although being predominantly attributed to APT41. 

"The threat actor behind Fishmonger is now using it and another backdoor called Spyder as their primary backdoors for long-term monitoring, while they distribute other first-stage backdoors for initial infections including FunnySwitch, BIOPASS RAT, and Cobalt Strike," the researchers said. "The victims include universities, governments, media sector companies, technology companies and health organizations conducting COVID-19 research in Hong Kong, Taiwan, India and the U.S."

Chinese Webdav-O Virus Attacked Russian Federal Agencies


In 2020, a collection of Chinese state-sponsored threat groups may have been behind a series of targeted attacks on the Russian federal executive authority. The latest study, published by Singapore-based Group-IB, looks into a piece of computer virus known as "Webdav-O" that was discovered in the intrusions, with the cybersecurity firm noticing similarities between the tool and a popular Trojan known as "BlueTraveller," which is linked to a Chinese threat group known as TaskMasters and used in malicious activities with the aim of espionage and plundering confidential documents. 

The report builds on a series of public disclosures in May from Solar JSOC and SentinelOne, both of which revealed a malware called "Mail-O" that was also observed in attacks against Russian federal executive authorities to access the cloud service, with SentinelOne linking it to a variant of another well-known malicious software called "PhantomNet" or "SManager" used by a threat actor dubbed TA428. 

TA428 has been targeting government entities in East Asia since 2013, with a particular focus on those involved in domestic and foreign policy, government information technology, and economic development. Attackers used the Microsoft Equation Editor exploit CVE-2018-0798 to deploy a custom malware called Cotx RAT, according to Proofpoint researchers. This APT gang also employs Poison Ivy payloads, which share command and control (C&C) infrastructure with the newly discovered Cotx attacks.

"Chinese APTs are one of the most numerous and aggressive hacker communities," researchers Anastasia Tikhonova and Dmitry Kupin said. "Hackers mostly target state agencies, industrial facilities, military contractors, and research institutes. The main objective is espionage: attackers gain access to confidential data and attempt to hide their presence for as long as possible."

"The main goal of the hackers was to completely compromise the IT infrastructure and steal confidential information, including documents from closed segments and email correspondence of key federal executive authorities," Solar JSOC noted, adding the "cybercriminals ensured themselves a high level of secrecy through the use of legitimate utilities, undetectable malware, and a deep understanding of the specifics of the work of information protection tools installed in government bodies."

“It is noteworthy that Chinese hacker groups actively exchange tools and infrastructure, but perhaps it is just the case here,” Group-IB points out. The researchers also point out that evidence implies a big hacking force made up of People's Liberation Army intelligence units may be operating out of China, with the numerous Chinese APT groups tracked by threat intelligence agencies being little more than subgroups.

Chinese Hackers Exploit New SolarWinds Zero-Day in Targeted Attacks


Microsoft Threat Intelligence Centre (MSTIC) on Tuesday revealed a zero-day remote code execution exploit, being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. Microsoft revealed that the attacks are linked to a China-based threat group tracked as 'DEV-0322.' 

“MSTIC attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures," Microsoft said in an update on Wednesday.

To carry out the attack, threat actors deployed malware in the Orion software sold by the IT management company SolarWinds. According to the local media outlets, the hackers exploited at least 250 federal agencies and top organizations in the US. 

Tracked as CVE-2021-35211, the RCE vulnerability resides in Serv-U's implementation of the Secure Shell (SSH) protocol. While it was previously revealed that the attacks were limited in scope, SolarWinds said it's unaware of the identity of the potentially affected customers. 

“The vulnerability being exploited is CVE-2021-35211, which was recently patched by SolarWinds. We strongly urge all customers to update their instances of Serv-U to the latest available version," Microsoft advised. 

On Tuesday, SolarWinds published a security update for a zero-day vulnerability in Serv-U FTP servers that allow remote code execution when SSH is enabled. According to SolarWinds, this flaw was disclosed by Microsoft, who saw a hacker actively exploiting it to execute commands on vulnerable customer's devices.

"This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure," says a new blog post by the Microsoft Threat Intelligence Center. 

According to Microsoft, the ‘DEV-0322’ hacking group has previously targeted entities in the US Defense Industrial Base Sector and software companies. "The Defense Industrial Base (DIB) Sector is the worldwide industrial complex that enables research and development (R&D), as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements," explains a CISA document describing the DIB sector.

In December 2020, Microsoft revealed that a separate espionage group may have been exploiting the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on compromised systems. The intrusions have since been attributed to a China-linked threat actor called Spiral.

Chinese Hackers Target Taiwanese Telecom Firms


The Insikt Group, the intelligence research department of the US network security consulting firm Recorded Future, published a report on Thursday stating that a group suspected of being funded by the Chinese government is targeting Taiwan, Nepal, and the Philippines telecommunications organizations. 

The threat group, which researchers tracks as Threat Activity Group 22 (TAG-22), is targeting telecommunications, academic, research and development, and government organizations in the three countries. Some of the activity appears to be ongoing as of now, researchers said. 

The latest attack play into a larger backdrop of apparent Chinese hackers snooping on global competition in the telecommunications space, which has become an arena of political and economic conflict between China and the United States.

“In particular, the targeting of the ITRI is notable due to its role as a technology research and development institution that has set up and incubated multiple Taiwanese technology firms,” researchers wrote. The organization is focused on technology and sustainability projects that align with Chinese development interests. In recent years, Chinese groups have targeted multiple organizations across Taiwan’s semiconductor industry to obtain source code, software development kits, and chip designs.”

Last year, cybersecurity company CyCraft claimed that there was a two-year-long large-scale hacking operation focusing on Taiwan’s semiconductor industry, and this wave of operations is likely to be initiated by Chinese hackers. CrowdStrike, a US computer security technology company, also mentioned in a report last year that telecommunications is one of the areas most frequently targeted by Chinese hackers in the first half of 2020.

The researchers believe TAG-22 is using backdoors used by other Chinese state-sponsored groups, including Winnti Group and ShadowPad for initial access. It also employs open-source security tools like Cobalt Strike. Outside of the telecommunication industry, the threat group has targeted academia, research and development, and government organizations in Nepal, the Philippines, Taiwan, and Hongkong. 

While researchers primarily identified the group as operating in Asia, its scope of targets is generally broader, they said. That, as per researchers, puts it in line with other major Chinese hacking groups including APT17 and APT41.

Threat Actors Target Mongolian Certificate Authority with Cobalt Strike Binaries


Threat actors have breached a server belonging to MonPass, a major certification authority (CA) in Mongolia in East Asia, and have backdoored the company’s official website with Cobalt Strike binaries. The security incident came to light in late March when researchers at Avast identified an installer downloaded from the official website of MonPass. 

On 22 April 2021, Avast informed MonPass regarding the security breach and advised them to patch the compromised server and notify those who downloaded the backdoored client. “Our analysis beginning in April 2021 indicates that a public webserver hosted by MonPass was breached potentially eight separate times: we found eight different webshells and backdoors on this server. We also found that the MonPass client available for download from 8 February 2021 until 3 March 2021 was backdoored,” Avast stated.

However, researchers were unable to attribute the intrusion “with an appropriate level of confidence” to any specific threat actor. “But it’s clear that the attackers clearly intended to spread malware to users in Mongolia by compromising a trustworthy source, which in this case is a CA in Mongolia,” researchers added.

The malicious installer is an unsigned PE file. It starts by downloading the legitimate version of the installer from the MonPass official website. This legitimate version is dropped to the C:\Users\Public\ folder and executed under a new process. This guarantees that the installer behaves as expected, meaning that a regular user is unlikely to notice anything suspicious. 

Avast team also unearthed additional variants on VirusTotal in addition to those found on the compromised MonPass web server. During their analysis of the compromised client and variants, researchers showed that the malware was using steganography to decrypt Cobalt Strike beacon. 

In December 2020, China-based hackers targeted Able Desktop software, a security firm responsible for supplying software to multiple Mongolian government agencies. In the same month, Avast also published details about a Chinese cyber-espionage campaign that targeted government agencies using spear-phishing emails, during which attackers tried to install backdoors and keyloggers on employee workstations.

Just a few weeks after targeting Able Desktop software, Chinese attackers employed a technique similar to the MonPass breach on the website of the Vietnam Government Certification Authority (VGCA): The attackers modified two of the software installers available for download on this website and added a backdoor in order to compromise users of the legitimate application.