
Chinese Hackers Exploit IPv6 Network Features to Hack Software Updates


China-linked group attacks

ESET has discovered Spellbinder and WizardNet, two tools used by Chinese hackers. A China-based APT group, “The Wizards,” has been linked to a lateral movement tool, Spellbinder, which enables adversary-in-the-middle (AitM) attacks. It does so through IPv6 stateless address autoconfiguration (SLAAC) spoofing, moving laterally within the compromised network, intercepting packets and redirecting the traffic of legitimate Chinese software so that it downloads malicious updates from a server controlled by the threat actors, ESET researchers told The Hacker News.
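SLAAC spoofing of the kind described above works by sending forged Router Advertisements (RAs), so the defender-side check is to audit every RA seen on a segment against the routers, prefixes and resolvers that are supposed to be there (the same idea hardware RA Guard implements on switches). The Python below is an added example written for this page, not ESET's or The Hacker News' code: it parses RA payloads (RFC 4861 header, Prefix Information and RDNSS options) and flags RAs that come from an unknown router, advertise an unexpected prefix, or push an unexpected DNS server. The policy values (the fe80::1 router, the 2001:db8:1::/64 prefix, the 2001:db8:1::53 resolver) and the two captured RAs are constructed for the demonstration.

```python
import struct
import ipaddress
from dataclasses import dataclass, field

# ICMPv6 / NDP constants from RFC 4861 and RFC 8106
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25


@dataclass
class RouterAdvertisement:
    src: ipaddress.IPv6Address
    router_lifetime: int
    prefixes: list = field(default_factory=list)
    dns_servers: list = field(default_factory=list)


def parse_ra(src: str, payload: bytes) -> RouterAdvertisement:
    """Parse the ICMPv6 payload of a Router Advertisement (16-byte header + TLV options)."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer
    _, _, _, _, _, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = RouterAdvertisement(ipaddress.IPv6Address(src), lifetime)
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:                       # RFC 4861 4.6: a zero-length option must be discarded
            raise ValueError("zero-length NDP option")
        body = payload[off + 2: off + olen * 8]
        if otype == OPT_PREFIX_INFO and len(body) >= 30:
            # prefix length(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            ra.prefixes.append(ipaddress.IPv6Network((body[14:30], body[0]), strict=False))
        elif otype == OPT_RDNSS:
            addrs = body[6:]                # reserved(2) lifetime(4), then 16-byte resolver addresses
            for i in range(0, len(addrs) - 15, 16):
                ra.dns_servers.append(ipaddress.IPv6Address(addrs[i:i + 16]))
        off += olen * 8
    return ra


@dataclass(frozen=True)
class RaPolicy:
    trusted_routers: frozenset      # link-local addresses of the legitimate routers
    expected_prefixes: frozenset    # prefixes those routers are allowed to advertise
    expected_dns: frozenset         # resolvers that may appear in RDNSS options


def audit_ra(ra: RouterAdvertisement, policy: RaPolicy) -> list:
    """Return a list of findings; an empty list means the RA matches policy."""
    findings = []
    if not ra.src.is_link_local:
        findings.append(f"RA source {ra.src} is not link-local (RFC 4861 requires fe80::/10)")
    if ra.src not in policy.trusted_routers:
        findings.append(f"RA from untrusted router {ra.src}")
    for net in ra.prefixes:
        if net not in policy.expected_prefixes:
            findings.append(f"unexpected on-link prefix {net} from {ra.src}")
    for dns in ra.dns_servers:
        if dns not in policy.expected_dns:
            findings.append(f"unexpected RDNSS resolver {dns} pushed by {ra.src}")
    return findings


def _sample_ra(prefix: str, dns: str, router_lifetime: int = 1800) -> bytes:
    """Constructed RA bytes for testing the parser only (checksum left zero, never sent)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    pio += net.network_address.packed
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800) + ipaddress.IPv6Address(dns).packed
    return hdr + pio + rdnss


# Constructed policy and captures: fe80::1 is the real router; the second RA mimics a host
# that is not a router pushing itself as the resolver, the behaviour the post attributes to Spellbinder.
POLICY = RaPolicy(
    trusted_routers=frozenset({ipaddress.IPv6Address("fe80::1")}),
    expected_prefixes=frozenset({ipaddress.IPv6Network("2001:db8:1::/64")}),
    expected_dns=frozenset({ipaddress.IPv6Address("2001:db8:1::53")}),
)
CAPTURES = [
    ("fe80::1", _sample_ra("2001:db8:1::/64", "2001:db8:1::53")),
    ("fe80::dead:beef", _sample_ra("2001:db8:1::/64", "fe80::dead:beef")),
]


def audit_captures(captures=CAPTURES, policy=POLICY) -> dict:
    """Map each RA source to its findings; feed real captures as (src, icmpv6_payload) pairs."""
    return {src: audit_ra(parse_ra(src, data), policy) for src, data in captures}


if __name__ == "__main__":
    for src, findings in audit_captures().items():
        print(src, "OK" if not findings else findings)
```

In production the `(src, payload)` pairs would come from a packet capture filtered on ICMPv6 type 134; the audit is deliberately stateless so it can run as a detection rule per packet. The rogue sample is flagged twice: once because fe80::dead:beef is not a trusted router, and once because it names itself as the resolver, which is exactly what lets an AitM host answer the update domain's DNS queries.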

About malware WizardNet

The attack opens a path for a malicious downloader, which is delivered by hijacking the software update mechanism of Sogou Pinyin. The downloader then acts as a conduit to deploy a modular backdoor called WizardNet.

In the past, Chinese hackers have abused Sogou Pinyin's software update process to install malware. Last year, ESET reported that a hacking group called Blackwood delivered an implant called NSPX30 by abusing the update process of that Chinese input method software.

This year, the Slovak cybersecurity company found another threat actor called PlushDaemon that exploited the same process to deploy a custom downloader called LittleDaemon. 

The scale of the attack

The Wizards APT has targeted both individuals and the gambling industry in Hong Kong, Mainland China, Cambodia, the United Arab Emirates, and the Philippines.

Findings indicate that the Spellbinder IPv6 AitM tool has been in use since 2022. A successful attack is followed by the delivery of a ZIP archive containing four separate files.

The threat actors then install “wincap.exe” and execute “AVGApplicationFrameHost.exe”, which sideloads the DLL. The DLL reads shellcode from “log.dat” and runs it in memory, launching Spellbinder.

Not the first time

In a 2024 incident, the hackers used this technique to hijack the software update process of Tencent QQ at the DNS level, so that a trojanized version deployed WizardNet, a modular backdoor that can receive and run .NET payloads on the victim host. Spellbinder does this by intercepting the DNS query for the software update domain ("update.browser.qq[.]com") and returning a DNS response

“The list of targeted domains belongs to several popular Chinese platforms, such as Tencent, Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Youdao, Xiaomi and Xiaomi's Miui, PPLive, Meitu, Qihoo 360, and Baofeng,” reports The Hacker News.
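The DNS-level hijack of the update domain described in this post can be caught on the client side by checking what the update host actually resolves to. The following is an added example written for this page, not code from ESET or The Hacker News: a minimal DNS response parser (RFC 1035 header, question, answers, with name-compression handling and a pointer-loop guard) plus an audit that flags any answer for update.browser.qq.com that points at an address outside an allowlist or arrives from a resolver other than the configured one. The allowlist address 198.51.100.20, the spoofed address 203.0.113.10, the resolver 2001:db8:1::53 and the two response samples are all constructed; the real host's addresses are not on the page.

```python
import struct
import ipaddress

UPDATE_DOMAIN = "update.browser.qq.com"        # domain named in the post (de-fanged there)
EXPECTED_RESOLVER = ipaddress.ip_address("2001:db8:1::53")   # constructed: the resolver clients should use
KNOWN_GOOD = {ipaddress.ip_address("198.51.100.20")}          # constructed allowlist for the update host

QTYPE_A, QTYPE_AAAA = 1, 28


def _read_name(msg: bytes, off: int):
    """Decode a DNS name starting at off; return (name, offset after the name in the record)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:                            # malformed or hostile: refuse pointer loops
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_dns_response(msg: bytes):
    """Return (txid, [(qname, qtype)], [(name, address, ttl)]) for A/AAAA answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if (rtype, rdlen) in ((QTYPE_A, 4), (QTYPE_AAAA, 16)):
            answers.append((name, ipaddress.ip_address(rdata), ttl))
    return txid, questions, answers


def audit_update_answer(resolver_src: str, msg: bytes) -> list:
    """Findings for a response to the update-domain query; empty list means it looks genuine."""
    findings = []
    _, questions, answers = parse_dns_response(msg)
    if not any(q == UPDATE_DOMAIN for q, _ in questions):
        return findings                              # not the query we are watching
    if ipaddress.ip_address(resolver_src) != EXPECTED_RESOLVER:
        findings.append(f"answer for {UPDATE_DOMAIN} came from {resolver_src}, not the configured resolver")
    for name, addr, _ttl in answers:
        if addr not in KNOWN_GOOD:
            findings.append(f"{name} resolved to unlisted address {addr}")
    return findings


def _sample_response(qname: str, answer_ip: str, txid: int = 0x1234) -> bytes:
    """Constructed response bytes for testing the parser only (one question, one answer)."""
    def encode(name):
        return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    ip = ipaddress.ip_address(answer_ip)
    rtype = QTYPE_A if ip.version == 4 else QTYPE_AAAA
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)          # standard response, RD+RA
    question = encode(qname) + struct.pack("!HH", rtype, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(ip.packed)) + ip.packed
    return hdr + question + answer


GENUINE = _sample_response(UPDATE_DOMAIN, "198.51.100.20")   # constructed: matches the allowlist
SPOOFED = _sample_response(UPDATE_DOMAIN, "203.0.113.10")    # constructed: attacker-chosen address

if __name__ == "__main__":
    print("genuine:", audit_update_answer("2001:db8:1::53", GENUINE) or "OK")
    print("spoofed:", audit_update_answer("fe80::dead:beef", SPOOFED))
```

An in-path host that has already won the SLAAC race can forge the resolver's source address, so the resolver check on its own is weak; the address allowlist is stronger, and the control that actually closes this class of attack is the updater verifying a signature or pinned certificate on what it downloads rather than trusting whatever the name resolved to.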

Russians were warned about difficulties with access to Internet pages

A shortage of Internet addresses may occur in Russia at the end of September, meaning many users would be unable to visit portals and sites they previously visited without problems.

Alexey Semenyaka, a representative of RIPE Network Coordination Centre (RIPE NCC), one of the world's largest Internet registries, said a few days ago that IPv4 addresses will run out in Russia, as well as in the Middle East and Europe, by the end of September. This is due to the huge number of devices connected to the network. A week ago there were 1.88 million free addresses in these regions, and on 9 September there were already only 1.69 million.

In the fall of 2019, sites will begin to constantly require visitors to confirm that they are real people, not robots. Experts explained that this is due to how IP addressing on the Internet works.

Each user has their own IP address, but sometimes several people share the same IP. If they all try to access a site from a single IP, the site may treat it as a hacker attack or bot activity. This situation becomes quite likely when free IP addresses are scarce.

Analysts said that millions of people in Russia will face this problem, so the Internet must be moved to the IPv6 protocol, which should completely replace the outdated IPv4. Major providers have already taken care of this. For example, instead of 192.168.39.156, an address such as 3dfc:0:0:0:0217:cbff:fe8c:0 will be used. The available combinations will last for a long time.
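The example address above, 3dfc:0:0:0:0217:cbff:fe8c:0, carries the ff:fe marker of a SLAAC interface identifier built from a hardware address (modified EUI-64, RFC 4291 appendix A), which ties this post back to the SLAAC mechanism the other post on this page discusses. The Python below is an added example, not from the post: it derives such an address from a /64 prefix and a MAC, and recovers the MAC from an address of that form, which is the privacy leak that RFC 4941 temporary addresses were introduced to avoid. The MAC 00:17:cb:8c:00:00 is simply what the page's example decodes to and is not attributed to any device.

```python
import ipaddress

PAGE_EXAMPLE = "3dfc:0:0:0:0217:cbff:fe8c:0"     # the IPv6 address quoted in the post


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface identifier: flip the U/L bit, insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would self-assign from a /64 Router Advertisement prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_modified_eui64(mac))


def embedded_mac(addr: str):
    """Return the MAC embedded in an EUI-64 style address, or None if the IID is not of that form."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None                                   # random or privacy-extension identifier
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    print(ipaddress.IPv6Address(PAGE_EXAMPLE).compressed, "->", embedded_mac(PAGE_EXAMPLE))
    print(slaac_address("3dfc::/64", "00:17:cb:8c:00:00"))
```

Addresses with a recoverable MAC let an observer track a device across networks and, on a segment where an attacker answers RAs (the first post's scenario), hand it the hardware identity of every host; modern operating systems default to stable-privacy or temporary identifiers instead.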

However, according to Denis Kuskov, CEO of Telecom Daily, some small regional Internet providers may not have the resources and expertise to switch to the new protocol.

It became known this week that ROSKOMNADZOR (the Federal Service for Supervision of Communications, Information Technology and Mass Media), at the request of the FSB (the Federal Security Service), may suspend the operations of two foreign email services.

ROSKOMNADZOR demanded that Heinlein Support GmbH (which owns the paid email service Mailbox.org) and SCRYPTmail LLC (which operates the Scryptmail.com mail service) hand over the encryption keys for user correspondence.

The FSB took an interest in the companies' data because false bomb threats had been sent from accounts registered on scryptmail.com and mailbox.org. Representatives of the companies declined to comment.

Recall that in the fall of 2017 Telegram was fined 800 thousand rubles and was then blocked in Russia for refusing to provide the FSB with the encryption keys for user correspondence.