
Cybersecurity Crisis Looms: FBI Chief Unveils Chinese Hackers' Plan to Target US Infrastructure

FBI Director Christopher Wray told Congress on Wednesday that Beijing is positioning itself to disrupt the daily lives of Americans in the event of a war between the United States and China by planting malware in civilian infrastructure. The same day, U.S. officials said they had disrupted a state-backed Chinese effort to do exactly that.

The operation, announced just before Wray addressed House lawmakers, dismantled a botnet built from hundreds of U.S.-based small office and home office (SOHO) routers owned by individuals and companies. Chinese hackers had hijacked these routers to conceal the origin of their traffic while they planted malware elsewhere.

Their ultimate targets were water treatment plants, electrical grids, and transportation systems throughout the country. In prepared remarks for the hearing of the House Select Committee on the Chinese Communist Party, Wray said that "far too little attention" has been paid to a cyber threat that concerns "every American."

At the hearing, Wray said that China's hackers are targeting infrastructure to create havoc and harm American citizens and communities. Hours earlier, the FBI, with support from the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security, had identified and disabled hundreds of routers compromised by a group known as Volt Typhoon, which U.S. intelligence agencies assess is backed by the Chinese government.

The group's malware was used to infiltrate U.S. critical infrastructure sectors, including communications, energy, transport, and water. These statements align with what outside cybersecurity firms, such as Microsoft, reported in May: that Chinese state-backed hackers had been targeting U.S. critical infrastructure.

Microsoft warned that these intrusions could lay the technical groundwork for disrupting critical communications between the United States and Asia during a future crisis. The following month, Mandiant reported that suspected state-backed Chinese hackers had breached the networks of hundreds of public and private organizations worldwide through a security hole in a popular email security appliance.

Senior U.S. officials have been raising the alarm for years about not only China's hacking prowess but also Beijing's determination to steal American scientific and industrial research. Multiple criminal indictments have laid out detailed evidence supporting those accusations, which China maintains are unfounded.

Over the last few years, U.S. officials have grown concerned about the possibility of such hackers hiding inside U.S. infrastructure. Volt Typhoon, for example, exploited older Cisco and Netgear routers that their manufacturers no longer supported with security updates, which made them easy prey.

Given the urgency, law enforcement officials said, investigators worked with U.S. cyber operators who removed the malware from the routers without informing their owners directly, and added code to prevent the routers from being reinfected.

A Justice Department official, speaking to reporters on condition of anonymity under government ground rules, said officials were determined to disrupt Volt Typhoon's operation as quickly as possible because the hackers were using the botnet as a stepping stone to blend into U.S. internet traffic.

The hackers burrow into critical infrastructure networks and sit on that access, ready to exploit it whenever they choose. Chinese government officials say the U.S. allegations are unfounded.

Chinese foreign ministry spokesman Wang Wenbin said last year that China is the biggest victim of cyberattacks in the world, facing intrusions into its systems almost daily and in huge volumes.

Gen. Paul Nakasone, the outgoing commander of U.S. Cyber Command, has maintained that responsible cyber actors do not attack civilian infrastructure. Testifying before the same committee on Tuesday, Leon Panetta said he believed Chinese agents had implanted malware within U.S. computer networks and that the Chinese government would use artificial intelligence to spread disinformation.

Panetta served as director of the Central Intelligence Agency and secretary of defence in the Obama administration. The committee held a prime-time hearing last month, kicked off by Republican Representative Mike Gallagher of Wisconsin, who had called for establishing a committee devoted to countering China. Chinese officials have lashed out at the committee, accusing its members of ideological bias and a zero-sum, Cold War mindset.

Undetected Threat: Chinese Hackers' Long-Term VMware Exploitation

CVE-2023-34048 (CVSS 9.8) is an out-of-bounds write flaw in the DCERPC protocol implementation of VMware vCenter Server. An attacker with network access to vCenter Server can trigger it to execute arbitrary code remotely.

Given the severity of the problem and the lack of a workaround, VMware released patches in October, including for product versions that had already reached end of life (EOL).

Since last week, the virtualization company's advisory has noted that exploitation of CVE-2023-34048 has been reported in the wild, but it provides no specific details on the attacks observed.

Researchers have now revealed that UNC3886, a Chinese state-sponsored group with a history of exploiting zero-day vulnerabilities in VMware and Fortinet products, had been exploiting this vulnerability as a zero-day since late 2021, long before the patch.

Earlier this week, Mandiant published a report stating that the group exploited the vulnerability to deploy malware, steal credentials, and ultimately exfiltrate sensitive information. VMware's patch was released in late October 2023, and the flaw carries a severity rating of 9.8/10 (critical).

The flaw is an out-of-bounds write that allows an attacker with network access to vCenter Server to execute code remotely. The cyberspies used it to gain access to their targets' vCenter servers, then used the credentials they harvested there to install maliciously crafted vSphere Installation Bundles (VIBs) carrying the VIRTUALPITA and VIRTUALPIE backdoors on ESXi hosts.

Next, the attackers exploited CVE-2023-20867, an authentication bypass flaw in VMware Tools, to reach guest virtual machines, harvest files, and exfiltrate them. Mandiant had not initially been certain how the attackers acquired privileged access to victims' VMware servers, but a crash of a vCenter service minutes before the backdoors were deployed pointed to exploitation of CVE-2023-34048, the flaw VMware patched in late 2023.

Mandiant's finding is that UNC3886 weaponized CVE-2023-34048 as a zero-day to gain privileged access to the vCenter system and enumerate all the ESXi hosts it manages, along with their virtual machines.

The adversary then retrieves the cleartext "vpxuser" credentials for those hosts, connects to them directly, and installs the VIRTUALPITA and VIRTUALPIE malware, giving it direct control of the hosts.

As Mandiant disclosed in June 2023, this paves the way for exploiting another VMware flaw, CVE-2023-20867 (CVSS score: 3.9), which lets an attacker on a compromised ESXi host execute arbitrary commands on its guest VMs and transfer files to and from them without guest credentials.

Mandiant noted that the same crashes were observed in several UNC3886 intrusions dating back to late 2021, suggesting the attacker had access to the vulnerability for roughly a year and a half before it was patched. The firm also observed that the attackers removed the 'vmdird' core dumps from compromised environments to cover their tracks, although the log entries recording the crashes were preserved.

VMware fixed the vulnerability in vCenter Server 8.0U2. Patches are also available for vCenter Server 8.0U1, 7.0U3, 6.7U3, 6.5U3, VCF 3.x, and Async vCenter Server versions 5.x and 4.x.
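The detection opportunity in Mandiant's account is the sequence itself: a vmdird crash on vCenter, followed shortly afterwards by an unsigned or third-party VIB landing on an ESXi host that vCenter manages. The script below, an added example rather than anything from Mandiant or VMware, hunts for that sequence. The log lines it reads are constructed for illustration; the regular expressions and field layout are assumptions, and in a real environment they would be adapted to the vmdird and hostd log formats on the appliance and hosts in question.

```python
"""Correlate vmdird crashes on vCenter with VIB installs on managed ESXi hosts.

Added example (not Mandiant's or VMware's code). The log lines below are
constructed; real vCenter/ESXi log wording differs and the regexes are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed vCenter-side log lines (not real vmdird output).
VCENTER_LOG = """\
2023-11-02T09:12:01Z vcsa01 vmdird: service started
2023-11-02T09:40:17Z vcsa01 vmdird: core dump written to /var/core/core.vmdird
2023-11-02T09:40:19Z vcsa01 vmdird: service restarted after crash
"""

# Constructed ESXi host events (not real hostd/esxcli output).
ESXI_EVENTS = """\
2023-11-02T09:47:30Z esx-host-01 vib install name=esx-ssh-helper vendor=Contoso acceptance=CommunitySupported
2023-11-02T10:05:00Z esx-host-01 vib install name=esx-base vendor=VMware acceptance=VMwareCertified
2023-11-03T15:00:00Z esx-host-02 vib install name=net-tools vendor=Contoso acceptance=CommunitySupported
"""

CRASH_RE = re.compile(r"^(\S+) (\S+) vmdird: .*(core dump|crash)", re.I)
VIB_RE = re.compile(r"^(\S+) (\S+) vib install name=(\S+) vendor=(\S+) acceptance=(\S+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_vmdird_crashes(log_text):
    """Timestamps of vmdird crash/core-dump entries. The log entry survives even
    when the attacker deletes the core dump file itself."""
    return [parse_ts(m.group(1)) for line in log_text.splitlines()
            if (m := CRASH_RE.match(line))]


def parse_vib_installs(events_text):
    installs = []
    for line in events_text.splitlines():
        m = VIB_RE.match(line)
        if m:
            ts, host, name, vendor, acceptance = m.groups()
            installs.append({"ts": parse_ts(ts), "host": host, "name": name,
                             "vendor": vendor, "acceptance": acceptance})
    return installs


def hunt(log_text, events_text, window=timedelta(hours=24)):
    """Flag VIB installs that are unsigned (CommunitySupported) or third-party,
    raising severity when they follow a vmdird crash within `window`."""
    crashes = find_vmdird_crashes(log_text)
    findings = []
    for vib in parse_vib_installs(events_text):
        unsigned = vib["acceptance"] == "CommunitySupported"
        third_party = vib["vendor"] != "VMware"
        if not (unsigned or third_party):
            continue
        after_crash = any(timedelta(0) <= vib["ts"] - c <= window for c in crashes)
        if unsigned and after_crash:
            severity = "high"      # the exact sequence Mandiant describes
        elif unsigned:
            severity = "medium"    # unsigned VIB, no crash nearby
        elif after_crash:
            severity = "low"       # signed partner VIB, but suspicious timing
        else:
            continue               # ordinary partner driver install
        findings.append({"ts": vib["ts"].isoformat(), "host": vib["host"],
                         "name": vib["name"], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in hunt(VCENTER_LOG, ESXI_EVENTS):
        print(f)
```

The crash entries are the pivot because, as Mandiant observed, the attackers removed the core dumps but left the log entries in place; a hunt keyed on the dump files alone would find nothing. Confirming a flagged VIB still requires checking its signature on the host (with `esxcli software vib signature verify`) rather than trusting the acceptance level it declares.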

China Backed Actors are Employing Generative AI to Breach US infrastructure

Cybercriminals of all skill levels are utilising AI to hone their skills, but security experts warn that AI is also helping to track them down. 

At a workshop at Fordham University, National Security Agency head of cybersecurity Rob Joyce stated that AI is assisting Chinese hacker groups in bypassing firewalls when infiltrating networks. 

Joyce warned that hackers are using generative AI to enhance their use of English in phishing scams, as well as to provide technical help when penetrating a network or carrying out an attack. 

Two sides of the same coin

2024 is expected to be a pivotal year for state-sponsored hacking groups, particularly those operating on behalf of China and Russia. Taiwan's presidential election takes place in a few days, and China will want to influence the result in its pursuit of reunification. Most attention, however, will centre on the US elections in November and the UK's general election in the second half of 2024.

China-backed groups have begun developing highly effective methods for infiltrating organisations, including the use of artificial intelligence. "They're all subscribed to the big name companies that you would expect - all the generative AI models out there," adds Joyce. "We're seeing intelligence operators [and] criminals on those platforms.” 

In 2023, the US saw a surge in attacks on major energy and water infrastructure facilities, which US officials attributed to groups linked to China and Iran. One technique employed by the China-backed 'Volt Typhoon' group is to gain covert access to a network and then operate using built-in network administration tools, an approach known as living off the land.

While no specific examples of recent AI attacks were provided, Joyce states, "They're in places like electric, transportation pipelines, and courts, trying to hack in so that they can cause societal disruption and panic at the time and place of their choosing." 

China-backed groups have gained access to networks by exploiting unpatched vulnerabilities left behind by poorly managed software updates, and by posing as legitimate users of the system. Their activity and traffic inside the network, however, are frequently anomalous.

Joyce goes on to say that, "Machine learning, AI and big data helps us surface those activities [and] brings them to the fore because those accounts don't behave like the normal business operators on their critical infrastructure, so that gives us an advantage." 

Just as generative AI is expected to help narrow the cybersecurity skills gap by offering insights, definitions, and advice to industry professionals, it may also be reverse engineered or abused by cybercriminals to guide their hacking activities.

Sandman APT Gains Traction: Chinese Hackers Amplify Cybersecurity Risks

Researchers have found strong overlaps in targeting and tactics between Sandman, a mysterious advanced persistent threat (APT) known for its LuaDream backdoor, and a China-based threat cluster that uses the KEYPLUG backdoor.

SentinelOne, PwC, and Microsoft Threat Intelligence reached this assessment jointly after determining that the adversary's Lua-based malware, LuaDream, and KEYPLUG had been found cohabiting in the same victim networks.

Microsoft, SentinelLabs and PwC have jointly warned consumers and businesses that Sandman, an APT they now link to China-based threat actors, has been infiltrating IT environments with malware.

Aleksandar Milenkoski of SentinelOne said that Sandman has now been linked to STORM-0866/Red Dev 40, a threat actor whose activity aligns with the Chinese government's national interests.

Sandman was first identified in August following a series of cyberattacks on telcos across the Middle East, Western Europe, and South Asia. The attacks used LuaDream, a backdoor built on the Lua language, alongside KEYPLUG, a backdoor written in C++.

SentinelOne first disclosed Sandman in September 2023, describing attacks on telecommunications providers in Europe, the Middle East, and South Asia that used an implant codenamed LuaDream.

Those intrusions were recorded in August 2023. Storm-0866/Red Dev 40, meanwhile, is an emerging APT cluster that primarily targets entities in the Middle East and South Asia, such as telecommunication providers and government agencies.

Among the tools at Storm-0866's disposal is KEYPLUG, a backdoor first exposed by Google-owned Mandiant in attacks by the China-based APT41 (also known as Brass Typhoon or Barium) between May 2021 and February 2022, in which the group infiltrated six U.S. state government networks.

Earlier this month, Recorded Future reported KEYPLUG use by a Chinese state-sponsored threat activity group it tracks as RedGolf, which it described as "closely aligned with the threat activity produced by APT41/Barium." Mandiant had first publicly described the KEYPLUG backdoor in March 2022, attributing its use to APT41.

Microsoft and PwC also found that the KEYPLUG backdoor has been passed around to multiple other China-based threat groups. Researchers believe the new obfuscation features in recent KEYPLUG versions give its operators an advantage over previous versions.

According to the report, the STORM-0866/Red Dev 40 cluster is distinguished from the others by specific malware characteristics, such as the unique encryption keys used to communicate with KEYPLUG command-and-control (C2) servers, and by a heightened sense of operational security, reflected in its use of cloud-based reverse proxy infrastructure to hide the real hosting locations of its C2 servers.

When the researchers analyzed the C2 configurations of the LuaDream and KEYPLUG strains, they found overwhelming overlaps, which suggest that their operators shared similar functional requirements. The report concluded that as the number of cooperating Chinese APT groups grows, members of the cybersecurity community must share knowledge just as effectively to keep pace.

The researchers are highly confident that these constituent threat actors will continue to cooperate and coordinate, exploring new ways to enhance the functionality, flexibility, and stealth of their malware.

The adoption of the Lua development paradigm is an influential example of this. Keeping up with the threat landscape requires a constant flow of information sharing within the threat intelligence research community.

Historically, Lua-based modular backdoors such as LuaDream have been associated with only a few espionage-motivated APTs considered Western or Western-aligned, and their use has been rare. In its research on Sandman, SentinelLabs found that a broader set of cyberespionage threat actors are now adopting the Lua development paradigm because of its modularity, portability, and simplicity.

Chinese Hackers Lurked for Over Two Years to Steal NXP's Chipmaking IP

The Chinese-affiliated hacker group Chimaera had access to the network of the Dutch semiconductor giant NXP for more than two years, from late 2017 to the start of 2020, NRC reported. During this time, the hackers allegedly stole intellectual property, including chip designs; the full extent of the theft has yet to be revealed. NXP is Europe's largest chipmaker, and the scale and scope of the disclosed attack are alarming.

The report claims that the hackers lurked in the company's network for almost 2.5 years before the breach was discovered. The Dutch airline Transavia, a subsidiary of KLM, was the target of a similar attack: in September 2019, hackers gained access to Transavia's reservation systems. The NXP hack was discovered because the investigation into the Transavia hack found communications with NXP IP addresses. The attacks used ChimeRAR, a tool that is one of the defining characteristics of the Chimaera group.

To gain access to NXP, the hackers first used credentials extracted from previous data leaks on platforms such as LinkedIn or Facebook, then brute-forced passwords where those failed. They also got around two-factor authentication by changing the phone numbers registered to accounts. The attackers were patient, checking for new data to steal only every few weeks, and then smuggled it out by uploading encrypted files to cloud storage services such as Microsoft's OneDrive, Dropbox, and Google Drive.
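Two of the moves in that paragraph leave identity and proxy traces that can be correlated: an MFA phone number change followed by a sign-in from a network the account has never used, and bulk uploads to consumer cloud storage (the files being encrypted does not matter, since the detection keys on volume and destination). The script below is an added example, not NRC's or NXP's; the event records, field names, known-network list, cloud storage domains and thresholds are all assumptions that would be mapped onto whatever an organisation's identity provider and web proxy actually emit.

```python
"""Correlate MFA factor changes, foreign sign-ins and cloud-storage uploads.

Added example (not from the NRC report). Events below are constructed; field
names, known networks, domains and thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Networks the organisation treats as expected for its users (assumed).
KNOWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
# Consumer cloud storage destinations to watch for bulk uploads (assumed list).
CLOUD_STORAGE = {"onedrive.live.com", "dropbox.com", "drive.google.com"}
FACTOR_WINDOW = timedelta(hours=24)            # factor change -> sign-in correlation window
UPLOAD_THRESHOLD_BYTES = 100 * 1024 * 1024     # 100 MiB per user per day (assumed)


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample events (not real IdP or proxy output).
EVENTS = [
    {"ts": ts("2019-09-03T08:15:00"), "user": "alice", "type": "mfa_phone_changed", "src": "203.0.113.5"},
    {"ts": ts("2019-09-03T08:20:00"), "user": "alice", "type": "login", "src": "203.0.113.5"},
    {"ts": ts("2019-09-03T22:40:00"), "user": "alice", "type": "upload", "dst": "onedrive.live.com", "bytes": 850_000_000},
    {"ts": ts("2019-09-03T09:00:00"), "user": "bob", "type": "login", "src": "192.0.2.44"},
    {"ts": ts("2019-09-03T09:30:00"), "user": "bob", "type": "upload", "dst": "dropbox.com", "bytes": 3_000_000},
    {"ts": ts("2019-09-04T10:00:00"), "user": "carol", "type": "mfa_phone_changed", "src": "192.0.2.10"},
    {"ts": ts("2019-09-04T10:05:00"), "user": "carol", "type": "login", "src": "192.0.2.10"},
]


def is_known(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in KNOWN_NETWORKS)


def factor_change_then_foreign_login(events):
    """Users whose MFA phone change is followed, within FACTOR_WINDOW, by a
    sign-in from outside the known networks. Carol's change from a known
    network followed by a known-network login is not flagged."""
    changes = defaultdict(list)
    for e in events:
        if e["type"] == "mfa_phone_changed":
            changes[e["user"]].append(e["ts"])
    hits = set()
    for e in events:
        if e["type"] != "login" or is_known(e["src"]):
            continue
        if any(timedelta(0) <= e["ts"] - c <= FACTOR_WINDOW for c in changes.get(e["user"], [])):
            hits.add(e["user"])
    return hits


def bulk_cloud_uploads(events):
    """Users who pushed more than UPLOAD_THRESHOLD_BYTES to cloud storage in one day."""
    totals = defaultdict(int)
    for e in events:
        if e["type"] == "upload" and e["dst"] in CLOUD_STORAGE:
            totals[(e["user"], e["ts"].date())] += e["bytes"]
    return {user for (user, _day), total in totals.items() if total > UPLOAD_THRESHOLD_BYTES}


def triage(events):
    """Combine both signals; an account hitting both deserves immediate attention."""
    foreign = factor_change_then_foreign_login(events)
    bulk = bulk_cloud_uploads(events)
    return {"factor_then_foreign_login": foreign, "bulk_cloud_upload": bulk, "both": foreign & bulk}


if __name__ == "__main__":
    print(triage(EVENTS))
```

The per-day threshold is deliberately coarse; an attacker pacing exfiltration over weeks, as described above, would be caught only by lowering it or by summing over a longer window, which is the trade-off against false positives from ordinary file sharing.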

Being a significant player in the global semiconductor market, NXP gained even more clout in 2015 when it purchased the American company Freescale. NXP is well-known for creating secure Mifare chips for Dutch public transport in addition to secure components for the iPhone, specifically Apple Pay.

NXP claims that the breach did not cause material damage, despite acknowledging that its intellectual property had been stolen. The company cites the complexity of the stolen data as a barrier to easy design replication. According to the NRC, the company felt no need to notify the public as a result. 

NXP apparently strengthened its network security after the breach. The business tightened its internal data accessibility and transfer policies and upgraded its monitoring systems. These preventative measures were meant to avert future incidents of the same kind, preserve the network's integrity, and protect the company's valuable intellectual property.

AtlasCross Hackers Target Organizations with Red Cross Phishing Lures

A new hacking group called AtlasCross is targeting organizations with phishing lures impersonating the American Red Cross. The group uses macro-enabled Word documents to deliver backdoor malware to victims' devices.

The phishing emails typically contain a link to a malicious website or an attachment containing a macro-enabled Word document. If the victim opens the attachment and enables macros, the malware will be installed on their device.

AtlasCross uses two pieces of malware, DangerAds and AtlasAgent. DangerAds is a system profiler and malware loader, while AtlasAgent is a backdoor that allows the attackers to remotely control the victim's device.

Once the attackers have control of the victim's device, they can steal sensitive data, such as login credentials, financial information, and trade secrets. They can also use the device to launch further attacks against other organizations.

Bill Toulas, CEO of NSS Labs, aptly notes, "The AtlasCross phishing campaign is a reminder that even the most sophisticated organizations can be targeted by cybercriminals. It is important to be vigilant and take steps to protect yourself from these attacks."

How to protect your organization from AtlasCross phishing attacks:

  • Exercise Caution with Unsolicited Emails: Especially those bearing attachments or links.
  • Scrutinize Known Senders: Verify email addresses to confirm legitimacy.
  • Exercise Restraint with Unknown Emails: Refrain from opening attachments or clicking links if authenticity is in doubt.
  • Disable Macros in Microsoft Office: Unless they are absolutely essential, it's prudent to keep macros disabled to thwart potential malware delivery.
  • Maintain Updated Software: Ensure your operating system, web browser, and antivirus software are up-to-date, as these updates frequently contain vital security patches.

Organizations can take the following steps to augment their defense against AtlasCross phishing campaigns:
  • Employee Education: Provide thorough training on recognizing and evading phishing attempts, as employees are the first line of defense.
  • Utilize a Robust Security Solution: Employ a solution adept at detecting and thwarting phishing emails based on various indicators.
  • Segment Your Network: Isolate devices to prevent easy lateral movement in case of a compromise.
  • Enforce Strong Authentication: Implement stringent password policies and multi-factor authentication to bolster device and account security.
Global organizations and individuals are seriously threatened by the AtlasCross hacking group. The aforementioned advice can help you safeguard yourself from phishing attempts. It is significant to remember that there is a possibility that you could fall victim to a phishing assault even if you take all necessary safeguards. Cybercriminals are continually creating new phishing attack methods as they get more proficient.
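Beyond asking users to keep macros disabled, the delivery mechanism itself can be checked at the mail gateway: an OOXML Word file carries its VBA code in a well-known zip entry (word/vbaProject.bin), so a macro-enabled attachment is detectable without opening it in Office, including when it hides behind a .docx extension. The script below is an added example, not code from the AtlasCross research; the verdict policy, the extension list and the constructed test documents are assumptions, and the minimal zips it builds are not fully valid Word files.

```python
"""Gateway-side check for macro-bearing Office attachments.

Added example (not from the AtlasCross reporting). Sample documents are
constructed in memory; verdict policy and extension lists are assumptions.
"""
import io
import zipfile

# Zip entries that hold VBA code in the Office Open XML formats.
OOXML_MACRO_PARTS = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}
# Extensions that legitimately advertise macros; anything else with VBA inside is lying.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# Compound File Binary (legacy .doc/.xls/.ppt) signature; macros there need an OLE parser.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_attachment(filename, data):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if data[:8] == OLE_MAGIC:
        # Legacy binary formats can carry macros without any zip structure.
        return "review", "legacy OLE container; needs an OLE-aware macro scan"
    if data[:2] != b"PK":
        return "allow", "not an OOXML container"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower() for n in zf.namelist()}
    except zipfile.BadZipFile:
        # Fail closed: a mangled container is a classic way to confuse scanners.
        return "review", "corrupt or malformed zip"
    found = sorted(names & OOXML_MACRO_PARTS)
    if not found:
        return "allow", "no VBA project part"
    if ext not in MACRO_EXTENSIONS:
        return "block", f"VBA part {found} hidden behind non-macro extension '{ext}'"
    return "block", f"VBA part {found} present in macro-enabled document"


def build_docx(with_macro):
    """Construct a minimal OOXML zip for testing (constructed, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("Red_Cross_Donation_Form.docm", build_docx(True)),
                       ("Red_Cross_Donation_Form.docx", build_docx(True)),
                       ("newsletter.docx", build_docx(False)),
                       ("old_report.doc", OLE_MAGIC + b"\x00" * 512)]:
        print(name, inspect_attachment(name, blob))
```

The extension mismatch case matters most in practice: Word opens a .docx that contains a vbaProject.bin part as a macro document regardless of the name, so a filter that keys only on the .docm extension misses it.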

Report: Possible Chinese Malware in US Systems a 'Ticking Time Bomb'

According to a report by The New York Times on Saturday, the Biden administration has raised concerns about China's alleged implantation of malware into crucial US power and communications networks. The officials fear this could act as a "ticking time bomb" capable of disrupting US military operations in the event of a conflict.

The malware, as reported by the Times, could potentially grant China's People's Liberation Army the capability to disrupt not only US military bases' water, power, and communications but also those of homes and businesses across the country. 

The main concern is that if China were to take action against Taiwan, they might utilize this malware to hamper US military operations.

This discovery of the malware has led to a series of high-level meetings in the White House Situation Room, involving top military, intelligence, and national security officials, to track down and eliminate the malicious code.

Two months prior to this report, Microsoft had already warned about state-sponsored Chinese hackers infiltrating critical US infrastructure networks, with Guam being singled out as one target. 

The stealthy attack, ongoing since mid-2021, is suspected to be aimed at hindering the United States in case of a regional conflict. Australia, Canada, New Zealand, and Britain have also expressed concerns that Chinese hacking could be affecting infrastructure globally.

The White House, in response, issued a statement that did not specifically mention China or military bases. The statement emphasized the administration's commitment to defend the US critical infrastructure and implement rigorous cybersecurity practices.

These revelations come at a tense moment in US-China relations, with China asserting its claim over Taiwan and the US considering restrictions on sophisticated semiconductor sales to Beijing.

Chinese-Sponsored Hacking Group Targeting Critical U.S. Infrastructure, Microsoft Claims

Practically every nation on earth employs hackers to gather intelligence. Russia's Fancy Bear and the US-linked Equation Group are well-known examples of such state operations.

Microsoft Corp. stated last week that Volt Typhoon was "pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises." The statement immediately raised concern about the relationship between China and the US over Taiwan, since a dispute between the two could result in cyberattacks across the Pacific.

What precisely is a Volt Typhoon? 

"Volt Typhoon" is the name given to a suspected hacking group thought to have China's backing. The group is reported to be capable of both intelligence gathering and digital sabotage.

Is the Volt Typhoon a genuine threat to the infrastructure of the United States, or is it merely a new network of digital spies? 

Potential threats 

Volt Typhoon is thought to pose a serious threat to American infrastructure. The following are the potential risks posed by the group:

Espionage concerns: Spying is the experts' main worry. Amid tensions over Taiwan, experts believe Volt Typhoon is a group of hackers positioned to attack American infrastructure.

Microsoft gave its assessment a "moderate confidence" rating, which denotes that the idea is plausible and backed by reliable sources but not yet fully corroborated. Although many researchers have discovered and evaluated the group's various components, few believe there is yet any proof of sabotage planning.

According to Marc Burnard of Secureworks, Volt Typhoon currently appears to be designed to steal data from organisations that hold information about the U.S. government or military.

Secureworks tracks Volt Typhoon as "Bronze Silhouette," and according to Burnard its primary function is espionage.

Sneaky storm: Almost all cyber spies try to hide their tracks; Microsoft and other analysts believe Volt Typhoon is a quiet operator that camouflaged its activity by routing it through hijacked network equipment such as residential routers. The intrusions were well planned, and the group wiped evidence of its activity from victims' logs.

China, for its part, has consistently denied any involvement in the Volt Typhoon activity. Beijing's cyberespionage efforts, however, have been documented for more than two decades. Over the past decade, Western experts have linked breaches to specific units of the People's Liberation Army, and US law enforcement has indicted a slew of Chinese operatives for stealing US secrets.

Secureworks said in a blog post that Volt Typhoon's emphasis on operational security may stem from those US indictments, as well as from pressure by Chinese leaders to avoid public scrutiny of the country's cyberespionage operations.

Mitigation tips

In line with Microsoft's research on Volt Typhoon, spotting activity that abuses standard sign-in channels and system binaries requires behavioural monitoring, and remediation requires closing or resetting the credentials of compromised accounts. Microsoft recommends that security operations teams then investigate the activity of those accounts for any dangerous actions or exposed data.
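Because living-off-the-land activity uses binaries that are already present and signed, a scanner cannot flag the tools themselves; what it can flag is how they are invoked, and whether one principal chains several such invocations on one host. The script below is an added example, not Microsoft's or Secureworks' detection logic; the process events are constructed, and the specific command patterns (port forwarding with netsh, NTDS.dit extraction with ntdsutil, remote execution via wmic, encoded PowerShell) are illustrative living-off-the-land tradecraft rather than indicators quoted from the articles on this page. The ATT&CK technique IDs are the published ones for those behaviours.

```python
"""Command-line rules for living-off-the-land tradecraft, with chaining escalation.

Added example (not Microsoft's or Secureworks' logic). Events are constructed;
the command patterns are illustrative, not indicators from the articles above.
"""
import re
from collections import defaultdict

# (rule name, ATT&CK technique, regex over the full command line)
RULES = [
    ("netsh portproxy: built-in port forwarding",
     "T1090", re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I)),
    ("ntdsutil: NTDS.dit extraction",
     "T1003.003", re.compile(r"ntdsutil.*(ifm|ac i ntds|activate instance ntds)", re.I)),
    ("wmic: remote process creation",
     "T1047", re.compile(r"wmic\s+(/node:\S+\s+)?process\s+call\s+create", re.I)),
    ("powershell: encoded command",
     "T1059.001", re.compile(r"powershell.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
]

# Constructed process-creation events (Sysmon-style fields are an assumption).
EVENTS = [
    {"host": "WS-017", "user": r"CORP\jdoe",
     "cmd": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=443"},
    {"host": "DC-01", "user": r"CORP\svc_backup",
     "cmd": r'ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q'},
    {"host": "WS-022", "user": r"CORP\asmith", "cmd": "ping -n 1 fileserver"},
    {"host": "WS-017", "user": r"CORP\jdoe",
     "cmd": 'wmic /node:10.0.0.9 process call create "cmd /c whoami"'},
]


def scan(events):
    """Match every rule against every command line; one finding per match."""
    findings = []
    for e in events:
        for name, technique, rx in RULES:
            if rx.search(e["cmd"]):
                findings.append({"host": e["host"], "user": e["user"],
                                 "rule": name, "technique": technique, "cmd": e["cmd"]})
    return findings


def escalate(findings, min_techniques=2):
    """(host, user) pairs chaining at least `min_techniques` distinct techniques.
    A single netsh or wmic call is ordinary administration; several different
    techniques from the same principal on one host is the behaviour to chase."""
    seen = defaultdict(set)
    for f in findings:
        seen[(f["host"], f["user"])].add(f["technique"])
    return {pair for pair, techs in seen.items() if len(techs) >= min_techniques}


if __name__ == "__main__":
    hits = scan(EVENTS)
    for h in hits:
        print(f'{h["host"]} {h["user"]} [{h["technique"]}] {h["rule"]}: {h["cmd"]}')
    print("escalate:", escalate(hits))
```

The escalation step is what keeps this usable: each rule on its own fires on legitimate administration, which is exactly why the technique works for the attacker, so the per-principal chaining and a comparison against that account's normal hosts and hours are where the behavioural monitoring Microsoft describes actually happens.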

China's Access to TikTok User Data Raises Privacy Concerns

A former executive of ByteDance, the parent company of the popular social media platform TikTok, has made shocking claims that China has access to user data from TikTok even in the United States. These allegations have raised concerns about the privacy and security of TikTok users' personal information.

The ex-employee's claims come at a time when TikTok is already under scrutiny over its ties to China and concerns about data privacy. The United States and other countries have expressed concern that user data collected by TikTok could be accessed and potentially misused by the Chinese government.

According to the former executive, Chinese Communist Party (CCP) officials have direct access to TikTok's backend systems, which allows them to obtain user data from anywhere in the world, including the US. This access allegedly enables the Chinese government to monitor and potentially exploit user data for various purposes.

These claims have significant implications for the millions of TikTok users worldwide, raising questions about whether their personal information is protected from unauthorized access or misuse. They also add to the ongoing debate about the relationship between Chinese tech companies and the Chinese government, and the risks associated with data sharing and surveillance.

ByteDance has previously denied allegations that TikTok shares user data with the Chinese government. The company has implemented measures to address privacy concerns, such as establishing data centers outside of China and hiring independent auditors to assess its data security practices.

However, these latest claims by a former executive fuel the skepticism and reinforce the need for transparency and independent verification of TikTok's data handling practices. It also underscores the importance of robust data protection regulations and international cooperation in addressing the challenges posed by global technology platforms.

Regulators and policymakers in various countries have examined TikTok's data privacy practices and explored potential restrictions or bans. These claims may add further impetus to those efforts, potentially leading to stricter regulations and increased scrutiny of TikTok's operations.

The allegations made by the ex-ByteDance executive regarding China's access to TikTok user data in the US have sparked fresh concerns about data privacy and security. As the popularity of TikTok continues to grow, it is crucial for the company to address these claims transparently and take additional steps to reassure users that their data is protected. Meanwhile, governments and regulatory bodies must continue to evaluate and enforce robust privacy regulations to safeguard user information in the era of global technology platforms.

Chinese APT Group Hijacks Software Updates for Malware Delivery

An advanced persistent threat (APT) group from China, known as Evasive Panda, has been discovered to be hijacking legitimate software update channels of Chinese-developed applications to deliver custom malware to individuals in China and Nigeria for cyber-espionage purposes. Researchers from Eset discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses. The modular malware allows Evasive Panda to spy on victims and enhance its capabilities on the go.

The APT group's activity was fairly easy to attribute to Evasive Panda as researchers have never observed any other threat actors using the MgBot backdoor. The attacks have been ongoing for two years, and the primary goal is to steal credentials and data for espionage purposes. This is another example of state-sponsored actors' increasing sophistication and persistence in cyberspace.

Delivering malware through a legitimate update channel is an effective way to evade traditional security controls: the download is initiated by a trusted process, from infrastructure with a good reputation, so reputation-based network and endpoint defenses see nothing unusual. Once the malware has been delivered by the update, it can operate in the background undetected and the APT group can exfiltrate sensitive information from the victim's device.

This discovery highlights the importance of securing the software supply chain and of constantly monitoring the activity of state-sponsored threat actors. Keeping software up to date remains necessary, but this case shows that an updater is only as trustworthy as its integrity checks: update payloads should be signed by the vendor and verified by the client before execution, rather than trusted because of the URL they came from. Organizations and individuals should also maintain robust security measures and watch for suspicious activity or unexpected system changes.

ESET researchers noted that MgBot has been specifically customized for each victim, suggesting a high degree of sophistication on the part of the APT group. Such advanced malware is difficult to detect and defend against, making it imperative for individuals and organizations to be proactive about their security measures.
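To make the supply-chain point above concrete, here is an added example (not code from the original post or from any of the applications ESET analysed): a toy auto-updater that executes whatever its update URL returns, beside one that refuses any payload whose digest does not match a value pinned at build time. The installer bytes, the manifest format and the two "servers" are constructed for the example; the pinned digest stands in for a vendor signature verified with a key compiled into the updater.

```python
"""Added example: an auto-updater that trusts whatever its update URL returns,
beside one that refuses to run a payload whose digest does not match a pinned
value shipped with the application. Names, payloads and the manifest format
are constructed for this example; they are not from the ESET report."""
import hashlib
import hmac
from typing import Callable, Dict

# Constructed stand-ins for installer bytes. A real updater would receive these
# from the vendor's update server; here the "hijacked" fetch returns the second.
GENUINE_INSTALLER = b"MZ\x90\x00" + b"genuine vendor update 1.2.3" * 8
TAMPERED_INSTALLER = b"MZ\x90\x00" + b"backdoor installer served from the same URL" * 8


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The pinned digest stands in for a value the build pipeline embeds in the
# application (in practice a signature over the payload, verified with a key
# compiled into the updater). It must NOT be fetched from the update channel,
# since an attacker who controls that channel controls it too.
PINNED_MANIFEST: Dict[str, str] = {"app-1.2.3.exe": sha256_hex(GENUINE_INSTALLER)}


def run_installer(payload: bytes) -> str:
    # Stand-in for writing the file to disk and executing it.
    return "executed " + sha256_hex(payload)[:12]


def naive_updater(name: str, fetch: Callable[[str], bytes]) -> str:
    """Vulnerable pattern: the URL and the server's reputation are the only
    'check', so a hijacked channel delivers code straight to execution."""
    payload = fetch(name)
    return run_installer(payload)


def hardened_updater(name: str, fetch: Callable[[str], bytes]) -> str:
    """Verify the payload against the pinned digest before anything runs.
    compare_digest avoids leaking the comparison result through timing."""
    payload = fetch(name)
    expected = PINNED_MANIFEST.get(name)
    if expected is None:
        return "rejected: no pinned digest for " + name
    if not hmac.compare_digest(sha256_hex(payload), expected):
        return "rejected: digest mismatch"
    return run_installer(payload)


# Two constructed update servers: the genuine one and one whose response was
# swapped for the implant, as a hijacked channel would do.
def genuine_server(name: str) -> bytes:
    return GENUINE_INSTALLER


def hijacked_server(name: str) -> bytes:
    return TAMPERED_INSTALLER


if __name__ == "__main__":
    print(naive_updater("app-1.2.3.exe", hijacked_server))     # executes the implant
    print(hardened_updater("app-1.2.3.exe", hijacked_server))  # rejected: digest mismatch
    print(hardened_updater("app-1.2.3.exe", genuine_server))   # executed ...
```

The naive updater is the pattern the hijacked applications followed: the integrity of the payload was assumed from the legitimacy of the URL. The hardened version moves the trust decision to a value the attacker cannot change by controlling the download path.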

Pinduoduo App Malware: A Security Warning

Pinduoduo, a popular Chinese e-commerce app, has come under scrutiny from cybersecurity experts after multiple reports of malware surfaced. According to CNN, a recent analysis found that the app contained a 'sophisticated and complex' malware strain that allowed attackers to steal personal data and spy on users' activities.

In a report by Bloomberg, cybersecurity researchers noted that the malware was able to "hijack user accounts, steal payment information, and even take control of users' phones." The report also highlighted that the app had been downloaded over one billion times, making it a significant threat to users' security and privacy.

In response to these reports, Google Play has suspended the app from its platform. The South China Morning Post notes that this is not the first time that Pinduoduo has come under fire for suspected malware. In 2021, the app was accused of selling counterfeit goods and allowing the sale of illegal and fake products.

Brian Krebs, a cybersecurity expert, notes that the Pinduoduo case highlights the risks of using apps from untrusted sources. He emphasizes that "users should always be wary of downloading apps from unfamiliar sources, as they may contain malicious code that can compromise their security and privacy."

The Pinduoduo case also underscores the importance of regularly updating software and using trusted security solutions to protect against malware and other cyber threats. As the threat landscape continues to evolve, it is essential that individuals and organizations remain vigilant and proactive in protecting their digital assets.

The Pinduoduo incident is a sobering reminder of the dangers posed by untrustworthy apps and of the importance of cybersecurity in the current digital era. Users must take the necessary precautions to protect themselves and their data as cyber threats continue to grow in sophistication and complexity. By staying informed, updating software regularly, and using reputable security solutions, individuals and organizations can reduce the risk of cyberattacks and protect their online safety.

Chinese Hackers Steal U.S. Covid-19 Relief Funds, Experts Suspect APT41


The US Secret Service has alleged that a Chinese hacking group stole tens of millions of dollars from US Covid-19 relief funds. The incident underscores the threat that the US and its citizens face from state-backed threat actors.

The state-sponsored group APT41 is said to have stolen at least $20 million in pandemic relief funds.

Experts say this is the first known case of APT41, a group known for cyber espionage and financially motivated attacks, targeting US government funds. The stolen money included Small Business Administration loans and unemployment insurance funds.

It also shows APT41's capability to defraud the US on a bigger scale, given the depth of details it has retrieved about American citizens.

"Fintech companies contracted by the federal government to process pandemic payouts rushed through processing applications in pursuit of higher fees, which contributed to the fraud that occurred, according to a report by the US House Select Subcommittee on the Coronavirus Crisis published on December 1. The key issue at hand is the state-sponsored group’s ability to scale future fraud attempts via automated technology and troves of taxpayer data China is believed to have obtained after security breaches at credit bureau Equifax and the US Office of Personnel Management, Hamilton said. OPM houses all federal employee data," reports Bloomberg.

APT41 believed to be behind the theft

It is not clear whether agencies believe APT41 compromised government systems or citizens' personal accounts to obtain the Covid-19 relief funds, or whether it used previously stolen personal information to commit identity fraud.

Investigating agencies did not disclose further details about how the theft took place, saying that “with respect to a potentially ongoing investigation, we have no further publicly available information.”

Individual US citizens may find it hard to imagine themselves as victims of a state-sponsored attack by China; however, the threat is rising.

“When you look at how many records they have, talk about massive fraud. If the Chinese-based hackers wanted to use that information for fraud, they would have a very easy time with that because they have it all," said Linn Freedman, cybersecurity partner of Robinson Cole LLP. 

The threat scale has increased

Little information is currently available about the security gaps that allowed the fraudulent relief-fund activity, but the theft is not believed to be an isolated incident.

Mike Hamilton, chief information security officer at cybersecurity firm Critical Insight, believes the attack was a "beta test" of APT41's ability to defraud the American government, and that APT41 targeted the funds because they were easy to steal.

Bloomberg reports, "APT41 recently compromised at least six state government websites and exfiltrated personally identifiable information as part of a deliberate hacking campaign targeting states, according to a report published by cybersecurity firm Mandiant in March 2022."

Cheerscrypt Ransomware Attributed to Chinese APT Entity

The Chinese hacking group Emperor Dragonfly, notorious for frequently switching between ransomware families to avoid detection, has been linked to the Cheerscrypt ransomware.

The attacks were linked by the cybersecurity company Sygnia to a threat actor also dubbed Bronze Starlight and DEV-0401. The hacking gang seems to be a ransomware operation, but past research suggests that the Chinese government is interested in many of its victims.

Cheerscrypt is the most recent addition to a long list of ransomware families the group has used in little over a year, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0.

Recently, Sygnia researched a Cheerscrypt ransomware operation that utilized Night Sky ransomware TTPs. The attackers then dropped a Cobalt Strike beacon linked to a C2 address formerly tied to Night Sky operations. 

The Cheerscrypt family, first analyzed by Trend Micro in May 2022, was built from the Babuk ransomware source code that leaked online in June 2021. It is one of several ransomware families used by the group. Unlike other ransomware gangs, DEV-0401 directly runs every stage of the attack chain, from initial access through data theft and encryption, and does not rely on affiliates.

In January 2022 attacks, the group exploited the critical Log4Shell vulnerability in Apache Log4j to gain initial access to VMware Horizon servers. It then dropped a PowerShell payload that delivered an encrypted Cobalt Strike beacon. Alongside the beacon, the attackers deployed three Go-based tools: a keylogger that sent keystrokes to Alibaba Cloud, a customized version of the internet proxy tool iox, and the tunneling program NPS.

Trend Micro initially identified Cheerscrypt in May 2022, highlighting its capacity to target VMware ESXi servers as a component of a tried-and-true strategy known as double extortion to force its victims into paying the ransom or risk having their data exposed.

The hackers break into networks, take information, and encrypt devices just like other ransomware groups that target businesses. The victim is then coerced into paying a ransom through double-extortion methods using the data. The stolen data is posted on a data leak website when a ransom is not paid.

The Cheerscrypt intrusions and earlier Emperor Dragonfly operations share initial access vectors and lateral movement techniques, including the use of DLL side-loading to deliver the encrypted Cobalt Strike beacon. Notably, the group operates as a 'lone wolf', separate from the rest of the cybercrime ecosystem, rather than running a Ransomware-as-a-Service (RaaS) platform for affiliates.

Middle East Targeted via Steganography

A cyber-espionage group that previously attacked an African country's stock exchange with malware and seized large amounts of data is now focusing on the governments of several Middle Eastern countries.

The group, known as Witchetty or LookingFrog, was first documented by the cybersecurity company ESET in April 2022. It is thought to be closely associated with the Chinese state-sponsored threat actor APT10 (also known as Cicada) and is regarded as part of TA410, which has previously been linked to attacks against US energy providers.

Broadcom's Symantec Threat Hunter Team observed Witchetty using steganography, a technique for hiding data inside an innocuous-looking file, to conceal a previously undocumented backdoor inside a bitmap image of an old Microsoft Windows logo. The backdoor is XOR-encrypted before being written into the image, so the file still looks like an ordinary picture on casual inspection, and the payload only becomes code once the loader extracts and decrypts it.

"By disguising the payload in this way, the attackers were able to host it on a reliable, cost-free service. Downloads from reputable servers like GitHub are much less likely to cause concern than downloads from a command-and-control (C&C) server that is under the control of an attacker," the researchers stated.
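The following is an added example, not code from the Symantec report or from the Witchetty toolset, showing the mechanics described above end to end: a valid 24-bit bitmap is built in memory, an XOR-encrypted blob is written over its pixel data so the headers stay intact, a loader-style routine recovers it, and an entropy check shows how a defender can spot an image whose pixel area no longer looks like a logo. The image, the XOR key and the "backdoor" bytes are constructed here; the real key, offsets and payload are not on this page.

```python
"""Added example: hide an XOR-encrypted blob inside the pixel data of a valid
24-bit bitmap, recover it the way a loader would, and apply an entropy check a
defender can run on image files. The image, key and payload are constructed
here; Witchetty's actual key, offsets and backdoor are not public on this page."""
import math
import random
import struct
from itertools import cycle

XOR_KEY = b"\x5a\x7f\x13\xc8"  # constructed; not the real key


def build_bmp(width: int, height: int, bgr=(0xD4, 0x78, 0x00)) -> bytes:
    """Minimal flat-colour BITMAPINFOHEADER bitmap, like a logo with large flat regions."""
    row = width * 3
    pad = (4 - row % 4) % 4            # BMP rows are padded to 4-byte boundaries
    pixel_size = (row + pad) * height
    header_size = 14 + 40
    file_hdr = struct.pack("<2sIHHI", b"BM", header_size + pixel_size, 0, 0, header_size)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, pixel_size, 2835, 2835, 0, 0)
    pixels = (bytes(bgr) * width + b"\x00" * pad) * height
    return file_hdr + dib_hdr + pixels


def pixel_offset(bmp: bytes) -> int:
    return struct.unpack_from("<I", bmp, 10)[0]   # bfOffBits: where pixel data starts


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def embed(bmp: bytes, payload: bytes, key: bytes) -> bytes:
    """Overwrite pixel bytes with a length prefix plus the XOR-encrypted payload.
    Headers stay intact, so the file still parses as an image."""
    off = pixel_offset(bmp)
    blob = struct.pack("<I", len(payload)) + xor_bytes(payload, key)
    if off + len(blob) > len(bmp):
        raise ValueError("payload larger than the pixel area")
    return bmp[:off] + blob + bmp[off + len(blob):]


def extract(bmp: bytes, key: bytes) -> bytes:
    """What the loader does after downloading the image: read the length, decrypt."""
    off = pixel_offset(bmp)
    (n,) = struct.unpack_from("<I", bmp, off)
    return xor_bytes(bmp[off + 4: off + 4 + n], key)


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def pixel_entropy(bmp: bytes) -> float:
    """Entropy of the pixel area only: logo-style images score low, encrypted data does not."""
    return shannon_entropy(bmp[pixel_offset(bmp):])


def looks_suspicious(bmp: bytes, threshold: float = 4.0) -> bool:
    return pixel_entropy(bmp) > threshold


# Constructed stand-in for a packed backdoor: pseudo-random bytes, which is
# what compressed or encrypted code looks like to an entropy check.
_rng = random.Random(7)
FAKE_BACKDOOR = bytes(_rng.getrandbits(8) for _ in range(300))
CLEAN_LOGO = build_bmp(16, 16)
STEGO_LOGO = embed(CLEAN_LOGO, FAKE_BACKDOOR, XOR_KEY)

if __name__ == "__main__":
    print(extract(STEGO_LOGO, XOR_KEY) == FAKE_BACKDOOR)
    print(round(pixel_entropy(CLEAN_LOGO), 2), round(pixel_entropy(STEGO_LOGO), 2))
```

The entropy heuristic is deliberately crude: a photograph will also score high, and an attacker can spread a small payload across a large image to stay under any fixed threshold. Its value is as a triage signal on files that arrive from places like GitHub and are then opened by a process that should not be parsing bitmaps at all.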

The Stegmap backdoor

Symantec's most recent investigation, covering attacks between February and September 2022 in which the group targeted the governments of two Middle Eastern countries and the stock exchange of an African nation, highlights the use of another backdoor known as Stegmap.

Like many backdoors, Stegmap has a wide range of capabilities: it can manipulate files, download and run executables, kill processes, and modify the Windows Registry. For this campaign the group refreshed its toolset to exploit the Exchange vulnerabilities described below and used steganography to shield its payload from antivirus software.

By taking advantage of the Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) attack chains to drop web shells on susceptible servers, the threat actors acquire initial access to a network and launch the attack. 

According to the chronology of an attack on a Middle Eastern government organization, Witchetty maintained remote access for as long as six months and carried out a variety of post-exploitation activities, such as network enumeration and the installation of custom malware, up to September 1, 2022.

Governments and state institutions around the world, including in Asia and Africa, continue to face active threats from TA410 and Witchetty. The best defense against such attacks is to apply security updates as soon as they are available: in the campaign Symantec identified, the attackers relied on flaws patched in 2021 and on poorly maintained internet-facing servers to break into target networks.

Chinese Hackers Deploy Shadowpad Backdoor to Target Industrial Control Systems in Asia

ShadowPad, a sophisticated and modular backdoor, is back in action. Russian cybersecurity firm Kaspersky has uncovered a series of attacks that targeted unpatched Microsoft Exchange servers in multiple Asian nations.

Researchers initially spotted the ShadowPad backdoor on industrial control systems (ICS) at a telecoms firm in Pakistan, where the hackers targeted engineering computers in building automation systems. Further investigation uncovered wide activity on the network, along with multiple organizations targeted in Pakistan, Afghanistan, and Malaysia. 

"During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems of one of the victims," Kaspersky ICS CERT researcher Kirill Kruglov stated. "By taking control over those systems, the attacker can reach other, even more sensitive systems of the attacked organization." 

"Building automation systems are rare targets for advanced threat actors. However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures." 

Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. However, traces of the attacks on compromised devices indicate that the campaign began in March 2021, around the time the ProxyLogon vulnerabilities in Exchange servers became public knowledge.

Besides deploying ShadowPad under the name "mscoree.dll", the file name of a genuine Microsoft .NET Framework component, the attacks also involved Cobalt Strike, a PlugX variant called THOR, and web shells for remote access. Although the ultimate goal of the campaign remains unknown, the attackers are believed to be interested in long-term intelligence gathering.

ShadowPad, which emerged in 2015 as the successor to PlugX, is a privately sold modular malware platform that has been leveraged by multiple Chinese espionage actors over the years. While its design allows users to remotely deploy additional plugins that can extend its functionality beyond covert data collection, what makes ShadowPad dangerous is the anti-forensic and anti-analysis techniques incorporated into the malware. 

ShadowPad gained popularity in 2017 when it was employed in software supply chain assaults involving CCleaner, NetSarang, and the ASUS Live Update utility. The BRONZE ATLAS threat group was blamed for these campaigns. A Microsoft complaint from 2017 and DOJ indictments published in 2020 provide more insights on ShadowPad's relationship to BRONZE ATLAS.

GALLIUM APT Deployed a New PingPull RAT

According to Palo Alto Networks researchers, the PingPull RAT is a "difficult-to-detect" backdoor that uses the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications. The researchers also discovered PingPull variants that talk to their C2 server over HTTPS and TCP rather than ICMP.

Gallium, a Chinese advanced persistent threat (APT), has a long history of cyber espionage against telecommunications companies, dating back to 2012. In 2017, the state-sponsored group, also tracked as Soft Cell by Cybereason, was linked to a broader set of attacks against five major Southeast Asian telecom companies. Over the last year, however, the group's victimology has expanded to include financial institutions and government agencies in Afghanistan, Austria, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.

PingPull, a Visual C++-based remote access trojan, gives a threat actor a reverse shell and the ability to run arbitrary commands on a compromised host. It can also perform file operations, enumerate storage volumes, and timestamp files.

The researchers explained that "PingPull samples which use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server." "The C2 server will send commands to the system by responding to these Echo queries with an Echo-Reply packet." 

PingPull variants that use HTTPS and TCP rather than ICMP to reach their C2 server have been discovered, along with more than 170 IP addresses associated with the group since late 2020. Although the threat actor is known to exploit internet-exposed applications to gain an initial foothold and to deploy a customized version of the China Chopper web shell for persistence, it is not clear how the targeted networks were compromised.

Across Southeast Asia, Europe, and Africa, GALLIUM continues to pose a serious threat to telecommunications, finance, and government organizations. Businesses are advised to use the researchers' findings to inform protective measures against this group, which has added a new capability, PingPull, in support of its espionage efforts.
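What makes the ICMP mode detectable is a property of the protocol itself: RFC 792 requires an Echo Reply to return the data it received in the Echo Request, so a "reply" that carries different bytes than its request is carrying something other than ping. The following is an added example (not Palo Alto Networks' code and not PingPull's real framing, which is not reproduced on this page) that builds ICMP echo packets with valid checksums, pairs requests with replies by identifier and sequence number, and flags mismatched or unsolicited replies over constructed traffic.

```python
"""Added example: RFC 792 requires an Echo Reply to carry the same data as the
Echo Request it answers, so a reply whose payload differs from its request is a
strong signal of command traffic riding on ping, as PingPull's ICMP mode does.
The packets below are constructed; PingPull's real framing is not reproduced."""
import struct
from typing import Dict, List, Tuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes) -> Tuple[int, int, int, bytes]:
    """Return (type, ident, seq, payload); raise on a bad checksum (recomputing
    over the whole packet, checksum field included, must yield zero)."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP packet")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return icmp_type, ident, seq, pkt[8:]


def audit_echo_stream(packets: List[bytes]) -> List[Tuple[str, int, int]]:
    """Pair requests with replies by (ident, seq) and flag anomalies:
    'payload_mismatch'   reply data differs from request data (commands in replies)
    'unsolicited_reply'  reply with no matching request (injected traffic)
    'oversized_payload'  request larger than ping's usual 56 bytes (bulky beacons)"""
    pending: Dict[Tuple[int, int], bytes] = {}
    findings: List[Tuple[str, int, int]] = []
    for raw in packets:
        icmp_type, ident, seq, payload = parse_echo(raw)
        key = (ident, seq)
        if icmp_type == ICMP_ECHO_REQUEST:
            if len(payload) > 56:
                findings.append(("oversized_payload", ident, seq))
            pending[key] = payload
        elif icmp_type == ICMP_ECHO_REPLY:
            request = pending.pop(key, None)
            if request is None:
                findings.append(("unsolicited_reply", ident, seq))
            elif request != payload:
                findings.append(("payload_mismatch", ident, seq))
    return findings


# Constructed traffic. Benign: a ping with a 56-byte pattern payload echoed back
# unchanged. C2: the implant sends a short beacon and the "server" answers with
# a command instead of echoing the beacon.
PING_PAYLOAD = bytes(range(56))
BENIGN_STREAM = [
    build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, PING_PAYLOAD),
    build_echo(ICMP_ECHO_REPLY, 0x1234, 1, PING_PAYLOAD),
]
C2_STREAM = [
    build_echo(ICMP_ECHO_REQUEST, 0xBEEF, 7, b"beacon:host01"),
    build_echo(ICMP_ECHO_REPLY, 0xBEEF, 7, b"run:whoami"),
]

if __name__ == "__main__":
    print(audit_echo_stream(BENIGN_STREAM))              # []
    print(audit_echo_stream(BENIGN_STREAM + C2_STREAM))  # [('payload_mismatch', 48879, 7)]
```

In a real capture the 'unsolicited_reply' rule will also fire on replies whose requests left through another sensor, so it is a prompt to look rather than an alert on its own; the payload mismatch between a request and the reply that answers it has no benign explanation in standard ping.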

Chinese Hackers are Targeting Russian Aerospace Industry

Space Pirates, a Chinese cyber-espionage group, is targeting businesses in the Russian aerospace industry with phishing emails that deploy a novel strain of malware.

The APT group started operating in 2017, and researchers believe it is associated with other China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27. Russian security researchers at Positive Technologies named the group "Space Pirates" due to their espionage operations focusing on stealing confidential information from companies in the aerospace field. 

The attackers targeted government agencies, IT departments, and aerospace and power companies in Russia, Georgia, and Mongolia, though the majority of victims were in Russia. Several of those operated within the partially state-owned aerospace industry of the Russian Federation.

The researchers first uncovered signs of Space Pirates' activity last summer during incident response and quickly confirmed that the malicious actors employed the same malware and infrastructure against at least four more domestic organizations since 2019. 

According to researchers, at least two attacks on Russian organizations were successful. In one instance, Space Pirates accessed at least 20 servers on the corporate network and stayed there for ten months; 1,500 internal documents were stolen, together with information about all employee accounts in one of the network domains. 

In the second attack, the Chinese attackers stayed in the network of the compromised firm for over a year, exfiltrating confidential information and deploying their malware to 12 corporate network nodes in three distinct regions.

The Space Pirates’ unique toolkit contains a wide range of malware, including unique loaders and multiple previously undetected backdoors tracked as MyKLoadClient, BH_A006, and Deed RAT. The arsenal also includes the Zupdax backdoor along with well-known malware such as PlugX RAT, ShadowPad backdoor, Poison Ivy RAT, a modified version of PcShare, and the public ReVBShell shell. The APT group also leverages the dog-tunnel utility to tunnel traffic. 

The threat analysts believe that the overlaps between various Chinese APTs are due to tool exchanges, a common phenomenon for hackers in the region. 

“APT groups with Asian roots continue to attack Russian companies, which is confirmed by the activity of the Space Pirates group. Attackers both develop new malware that implements non-standard techniques (such as Deed RAT) and uses modifications of existing backdoors. Sometimes such modifications can have many layers of obfuscation added to counteract protections and complicate the analysis procedure – as in the case of BH_A006, built on the code of the popular Gh0st backdoor,” researchers explained. 

“A separate difficulty in the case of APT groups in the Asian region is the exact attribution of the observed activity: the frequent exchange of tools used, as well as the joint activity of various groups in some cases, significantly complicate this task.”

This New Malware Uses Windows Bugs to Conceal Scheduled Tasks

Microsoft has found new malware used by the Chinese state-backed Hafnium hacking group to create and hide scheduled tasks on compromised Windows machines in order to maintain persistence.

Cyberespionage attacks by the Hafnium threat group have previously targeted US defence businesses, think tanks, and researchers. It's also one of the state-sponsored groups Microsoft has tied to the global exploitation of the ProxyLogon zero-day vulnerability, which affected all supported Microsoft Exchange versions last year. 

The Microsoft Detection and Response Team (DART) stated, "As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defence evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification." 

Tarrask hides the tasks it creates from "schtasks /query" and from the Task Scheduler UI by deleting the task's Security Descriptor (SD) registry value, abusing a previously undocumented Windows bug: a task whose SD value is missing is skipped by the enumeration tools but is still scheduled and still runs.

The hidden tasks re-established dropped connections to command-and-control (C2) infrastructure, so the group kept access to infected devices even after reboots. The Hafnium operators could have deleted all on-disk artefacts, including the registry keys and the task XML file written to the system folder, but that would have destroyed persistence across restarts, which is why only the SD value was removed.

The "hidden" tasks can be discovered by manually searching the Windows Registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree for task keys that have no SD (security descriptor) value.

Admins can additionally look for events associated with the hidden tasks in the Security.evtx and Microsoft-Windows-TaskScheduler/Operational.evtx logs. Microsoft also recommends enabling the 'TaskOperational' log in the Microsoft-Windows-TaskScheduler/Operational Task Scheduler channel and monitoring outbound connections from critical Tier 0 and Tier 1 assets.

DART added, "The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure. We recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique."
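The registry check above is easy to automate offline, for example against the output of `reg export` collected from a suspect host. Here is an added example (not Microsoft's or DART's code) that parses such an export and lists every entry under TaskCache\Tree that has a task Id but no SD value, which is the artefact Tarrask leaves behind. The sample export, the task names and the GUIDs are constructed for the example.

```python
"""Added example: offline check for the Tarrask artefact, a scheduled task whose
registry entry under TaskCache\\Tree has lost its SD (security descriptor)
value. Input is the text of a 'reg export' of that key; the sample export,
task names and GUIDs below are constructed, not from Microsoft's report."""
from typing import Dict, List, Tuple

TREE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] to its {value name: raw value}. Continuation lines of
    multi-line hex values start with whitespace and introduce no new names.
    (A real .reg file from 'reg export' is UTF-16LE; decode it before calling.)"""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.rstrip("\\")
    return keys


def find_hidden_tasks(reg_text: str) -> List[Tuple[str, str]]:
    """Return (task path under Tree, task Id) for every entry that has a task
    Id but no SD value. A task in this state is invisible to 'schtasks /query'
    and the Task Scheduler UI yet still runs, which is what Tarrask produces.
    The Id maps to TaskCache\\Tasks\\{Id}, where the task's actions are stored."""
    prefix = TREE_KEY + "\\"
    hidden: List[Tuple[str, str]] = []
    for path, values in parse_reg_export(reg_text).items():
        if not path.startswith(prefix):      # skip Tasks\{GUID}, Boot, Logon, ...
            continue
        if "Id" in values and "SD" not in values:
            hidden.append((path[len(prefix):], values["Id"].strip('"')))
    return hidden


# Constructed 'reg export' output: a folder key, one normal task, one task whose
# SD value has been deleted, and a Tasks\{GUID} key that is not a Tree entry.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Defrag]
"Id"="{6a2b6e4f-0000-4000-8000-000000000001}"
"SD"=hex:01,00,04,80,14,00,00,00,20,00,00,00,00,00,00,00,2c,00,00,00,01,01,00,\
  00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Defrag\ScheduledDefrag]
"Id"="{6a2b6e4f-0000-4000-8000-000000000002}"
"Index"=dword:00000003
"SD"=hex:01,00,04,80,14,00,00,00,20,00,00,00,00,00,00,00,2c,00,00,00,01,01,00,\
  00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WinSrvHost]
"Id"="{6a2b6e4f-0000-4000-8000-0000000000ff}"
"Index"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6a2b6e4f-0000-4000-8000-0000000000ff}]
"Path"="\\Microsoft\\Windows\\WinSrvHost"
"Hash"=hex:00
"""

if __name__ == "__main__":
    for path, task_id in find_hidden_tasks(SAMPLE_EXPORT):
        print("hidden task:", path, task_id)   # hidden task: Microsoft\Windows\WinSrvHost {...ff}
```

Anything listed deserves a look at the matching TaskCache\Tasks\{Id} key for the Actions it runs; folder keys under Tree normally carry their own SD value, so a missing one there is equally worth a second look. Restoring visibility means recreating a valid SD for the key or deleting the task once its actions are understood.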

Hackers from China's 'Mustang Panda' were Utilizing New 'Hodur' Malware

Mustang Panda (a.k.a. Temp.Hex, HoneyMyte, TA416 or RedDelta), a China-based advanced persistent threat (APT), has been linked to an ongoing cyberattack campaign that uses a previously undocumented variant of the PlugX remote access trojan on affected workstations, mostly in and around Southeast Asia. Slovak cybersecurity firm ESET named the new version Hodur for its similarities to another PlugX (aka Korplug) variant called THOR, which surfaced in July 2021.

Korplug is a widely used remote access trojan; a 2020 investigation into Chinese hackers' activity against Australian targets also documented its use. In the most recent known campaign, according to ESET, Mustang Panda uses phishing lures with counterfeit documents to target European embassies, internet service providers (ISPs), and research institutes. "Anti-analysis measures and control-flow obfuscation are used at every level of the deployment process," the firm said.

Hodur is based on PlugX, a remote access tool that "allows remote users to steal data or take control of impacted systems without authorization. It can copy, move, rename, execute, and delete files, as well as log keystrokes and fingerprint the infected system." Regardless of the phishing lure used, the infections end with the deployment of the Hodur backdoor on the infected Windows host.

As noted, the campaign begins with phishing lures built around current events. Last month Proofpoint saw the group using a NATO diplomat's email address to send out .ZIP and .EXE files labeled "Situation at the EU Borders with Ukraine". If a victim takes the bait, a legitimate, properly signed executable that is vulnerable to DLL search-order hijacking is delivered. Russia, Greece, Cyprus, South Africa, Vietnam, Mongolia, Myanmar, and South Sudan are the countries targeted in this campaign.

ESET says it has sampled sophisticated custom loaders as well as new Korplug (Hodur) versions that still rely on DLL side-loading but use considerably more robust obfuscation and anti-analysis techniques across the infection chain. The custom loader DLL is side-loaded by a digitally signed, genuine executable, in this case a SmadAV file, abusing a known DLL search-order weakness. All of the loader's many exported functions are decoys except the one that loads the new Korplug variant.

Given that this is a Chinese actor with a history of politically motivated espionage, the scope of its targeting is expected to remain consistent.

Chinese Hackers Target Betting Firms in South East Asia

An unknown Chinese-speaking advanced persistent threat (APT) has been linked to a new campaign targeting betting firms in South East Asia, specifically Taiwan, the Philippines, and Hong Kong.

The campaign, which Avast has dubbed Operation Dragon Castling (ODC), exploits a security flaw (CVE-2022-24934) in WPS Office to deploy a backdoor on targeted systems. The vulnerability has since been patched by Kingsoft Office, the developer of the software, but with 1.2 billion WPS Office downloads worldwide, a large number of systems are likely still exposed.

According to Avast researchers, the bug was exploited to deploy a malicious binary from a fake update server with the domain update.wps[.]cn that triggers a multi-stage infection chain that leads to the deployment of intermediate payloads and allows for privilege escalation before finally deploying the Proto8 module. 

"The core module is a single DLL that is responsible for setting up the malware's working directory, loading configuration files, updating its code, loading plugins, beaconing to [command-and-control] servers, and waiting for commands," Avast researchers Luigino Camastra, Igor Morgenstern, Jan Holman explained. 

Proto8's plugin-based design, used to extend its functionality, lets the malware achieve persistence, bypass User Account Control (UAC), create new backdoor accounts, and execute arbitrary commands on the infected system.

While researchers haven’t linked this malicious campaign to any known actors, they believe it is the work of a Chinese APT either looking to gather intelligence or achieve financial gains. Considering the nature of the targets, which is betting companies, the motive of the threat actors may have been to steal financial credentials or take over accounts and cash out escrow balances. 

The techniques and the powerful toolset employed in the campaign reflect a skillful adversary, so not being able to make attributions with high confidence is somewhat expected. However, this isn’t the first instance that China-sponsored hackers have targeted betting firms. 

In January 2021, Chinese hackers targeted gambling firms that had been promoting their products to Chinese nationals without authorization. The attackers demanded at least $100 million in Bitcoin to restore access to the gambling operators' servers, but the companies stood firm and never paid.