
Cybersecurity in APAC: AI and Quantum Computing Bring New Challenges in 2025

Asia-Pacific (APAC) enters 2025 facing serious cybersecurity concerns, as new technologies such as artificial intelligence (AI) and quantum computing pose increasingly complex threats. Businesses and governments in the region are under growing pressure to build stronger defenses against these rapidly evolving risks.

How AI is Changing Cyberattacks

AI has become a primary weapon for cybercriminals, who use it to develop more complex attacks. One alarming example is the emergence of deepfake technology. Deepfakes are realistic but fabricated audio or video clips that can mislead people or organizations. Recently, deepfakes were used in political disinformation campaigns during elections in countries such as India and Indonesia. In Hong Kong, cybercriminals used deepfake technology to impersonate individuals and steal $25 million from a company. Audio-based deepfakes, and voice-cloning scams in particular, are likely to be used far more often by attackers: companies and individuals can be defrauded with fake voice recordings, and such scams will increase as the technology becomes cheaper and more widely available. As cybersecurity leader Simon Green describes it, the situation represents a "perfect storm" of AI-driven threats in APAC.

The Quantum Computing Threat

Even in its infancy, quantum computing threatens future data security. One of the most pressing concerns is a strategy called "harvest now, decrypt later": attackers collect encrypted data today, planning to decrypt it once quantum technology advances enough to break current encryption methods.

The APAC region is at the leading edge of quantum technology development. Countries such as India and Singapore, along with international giants like IBM and Microsoft, continue to invest heavily in the technology. That progress is reassuring, but it also raises concern about keeping sensitive information secure. Experts point to quantum-resistant encryption as the way to fend off future risks.

As more companies adopt AI-powered tools such as Microsoft Copilot, the emphasis on data security is becoming crucial. Companies have shifted toward better management of their data and compliance with new regulations in order to integrate AI successfully into their operations. According to data expert Max McNamara, robust security measures are imperative to unlock the full potential of AI without compromising privacy or safety.

To better address the intricate nature of contemporary cyberattacks, many cybersecurity experts recommend unified security platforms. Such integrated systems combine the various tools and approaches used to detect threats and prevent further attacks, while cutting costs and reducing inefficiencies.

The APAC region is now at a critical point for cybersecurity as threats become more precisely targeted. Businesses and governments can be better prepared for the challenges of 2025 by embracing advanced defenses and anticipating technological developments.

Andromeda Malware Resurfaces: Targeting APAC Manufacturing and Logistics Industries

In a fresh revelation by the Cybereason Security Services Team, a new wave of attacks linked to the notorious Andromeda malware has been uncovered, focusing on the manufacturing and logistics sectors in the Asia-Pacific (APAC) region. This decades-old malware, first detected in 2011, continues to evolve, proving itself a relentless tool in the cybercriminal arsenal.

Known for its modular nature, Andromeda has long been a favorite for hackers due to its versatility. Historically spread through malicious email attachments, infected USB drives, and secondary payloads, the malware is now leveraging more sophisticated techniques to wreak havoc. Once installed, Andromeda’s capabilities include stealing sensitive data, such as passwords, creating backdoor access, and downloading additional malware, making it a multipurpose threat for industrial espionage. 

One of its standout features is its use of “USB drop attacks.” Compromised USB drives can execute malicious files automatically, infecting systems upon connection. The malware’s disguise game is strong—DLLs with inconspicuous names like “~$W*.USBDrv” and “~$W*.FAT32” are loaded using rundll32.exe to fly under the radar. 

Additionally, “desktop.ini” files, typically seen as harmless system files, are being weaponized to trigger the malware’s activities. A critical part of Andromeda’s resurgence lies in its advanced command-and-control (C2) infrastructure. During Cybereason’s investigation, one such C2 domain, suckmycocklameavindustry[.]in, demonstrated agility by resolving to multiple IP addresses, ensuring constant communication between infected systems and the threat operators. 

The attackers also use WebDAV exploitation to download these malicious payloads. Their tactics highlight the ongoing evolution of Andromeda, as it adapts to modern cybersecurity challenges. Cybereason’s investigation suggests that this campaign may be tied to the infamous Turla group, also known as UNC4210. It also indicates that an older Andromeda sample may have been hijacked and repurposed by the group, further complicating attribution. 

The ultimate target of these attacks appears to be industrial espionage. Manufacturing and logistics companies in the APAC region are being infiltrated to steal valuable data, disrupt operations, and potentially execute further malicious actions. The campaign underscores the ongoing risks faced by industries heavily reliant on supply chains and operational technology.
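As an added illustration of how a defender could hunt for the indicators described in this post, the following Python is example code written for this page, not Cybereason's tooling. It scans constructed, pipe-delimited telemetry lines (a simplified stand-in for process-creation, file-write and DNS events) for rundll32.exe loading DLLs whose names match the "~$W*.USBDrv" and "~$W*.FAT32" patterns, for lookups of the C2 domain reported in the investigation, and, as an assumed heuristic that is not taken from the post, for desktop.ini files written by a process other than explorer.exe. The log format, paths and sample events are all constructed.

```python
import re
from fnmatch import fnmatchcase

# Defanged C2 domain as reported in the write-up summarised above, refanged for matching.
ANDROMEDA_C2_DOMAIN = "suckmycocklameavindustry[.]in".replace("[.]", ".")

# DLL name patterns the write-up attributes to Andromeda's USB-drop component.
SUSPICIOUS_DLL_GLOBS = ("~$W*.USBDrv", "~$W*.FAT32")

# Constructed sample telemetry (not real logs): "<kind>|<field>=<value>|..."
SAMPLE_LOGS = [
    "PROC|image=C:\\Windows\\System32\\rundll32.exe|cmdline=rundll32.exe E:\\~$WX.USBDrv,Entry",
    "PROC|image=C:\\Windows\\System32\\rundll32.exe|cmdline=rundll32.exe shell32.dll,Control_RunDLL",
    "PROC|image=C:\\Windows\\System32\\rundll32.exe|cmdline=rundll32.exe D:\\~$W1.FAT32,Start",
    "FILE|path=E:\\desktop.ini|image=C:\\Windows\\System32\\rundll32.exe",
    "FILE|path=C:\\Users\\alice\\desktop.ini|image=C:\\Windows\\explorer.exe",
    "DNS|query=suckmycocklameavindustry.in|image=C:\\Windows\\System32\\rundll32.exe",
    "DNS|query=update.microsoft.com|image=C:\\Windows\\System32\\svchost.exe",
]


def parse_line(line):
    """Split one constructed telemetry line into a dict with a 'kind' key."""
    kind, *fields = line.split("|")
    rec = {"kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def rundll32_module(cmdline):
    """Return the module path rundll32 was asked to load, or None if not a rundll32 call."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2 or not parts[0].lower().endswith("rundll32.exe"):
        return None
    # rundll32 syntax is "<module>,<entrypoint>"; keep only the module path.
    return parts[1].split(",", 1)[0].strip('"')


def scan(lines):
    """Return (line_no, rule, evidence) tuples for every matching event."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        image = rec.get("image", "").lower()
        if rec["kind"] == "PROC" and image.endswith("rundll32.exe"):
            module = rundll32_module(rec.get("cmdline", ""))
            if module:
                name = re.split(r"[\\/]", module)[-1].lower()
                if any(fnmatchcase(name, glob.lower()) for glob in SUSPICIOUS_DLL_GLOBS):
                    hits.append((line_no, "andromeda_usb_dll", name))
        elif rec["kind"] == "DNS" and rec.get("query", "").lower() == ANDROMEDA_C2_DOMAIN:
            hits.append((line_no, "andromeda_c2_domain", rec["query"]))
        elif rec["kind"] == "FILE":
            # Assumed heuristic: desktop.ini is normally maintained by Explorer, so a
            # different writer deserves a look. This is not an indicator from the post.
            path = rec.get("path", "").lower()
            if path.endswith("desktop.ini") and not image.endswith("explorer.exe"):
                hits.append((line_no, "desktop_ini_nonexplorer_writer", rec["path"]))
    return hits


if __name__ == "__main__":
    for line_no, rule, evidence in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {rule} -> {evidence}")
```

In a real deployment the same three checks map naturally onto Sysmon event IDs 1 (process creation), 11 (file create) and 22 (DNS query); only the parser would change.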

Earth Baxia Exploits GeoServer to Launch APAC Spear-Phishing Attacks

An analysis by Trend Micro indicates that the cyber espionage group Earth Baxia has been targeting government agencies in Taiwan, and potentially other countries in the Asia-Pacific (APAC) region, through spear-phishing campaigns and exploitation of a critical GeoServer vulnerability tracked as CVE-2024-36401.

It is part of an ongoing campaign intended to infiltrate some of the most vital sectors of society and the economy: telecommunications, energy, and government. GeoServer, an open-source platform for sharing geospatial data, has several vulnerabilities, among them CVE-2024-36401, which may allow attackers to execute code remotely.

Earth Baxia exploited this vulnerability to download malicious components directly into the victim environment, using tools such as "curl" and "scp" to drop harmful files, including customized Cobalt Strike beacons and other payloads. By deploying these payloads, the attackers were able to execute arbitrary commands inside compromised systems, giving them a foothold in those environments.

The Earth Baxia threat actor used a wide range of techniques to break into organizations in several Asia-Pacific countries, targeting government bodies, telecommunications companies, and the energy industry. During the attacks, the group combined spear-phishing emails with exploitation of the GeoServer vulnerability (CVE-2024-36401) to achieve its goal.

The attackers deployed custom Cobalt Strike components as well as a new backdoor, called EAGLEDOOR, on the compromised computers. EAGLEDOOR supports multiple communication protocols for gathering information and delivering payloads. To make tracking harder, the attackers hosted the malicious files on public cloud services.

The group also deployed additional payloads through methods such as GrimResource injection and AppDomainManager injection. Among the countries affected by this campaign are Taiwan, the Philippines, South Korea, Vietnam, Thailand, and possibly China. The subject lines of most of the emails are meticulously tailored to each target, and the attached ZIP file contains a decoy MSC file, tracked as RIPCOY.

When the file is double-clicked, the embedded obfuscated VBScript uses the GrimResource technique to download multiple files from a public cloud service, typically Amazon Web Services. Alongside a decoy PDF document, the package contains .NET applications and a configuration file.

The .NET applications and configuration files dropped by the MSC file are used for a technique known as AppDomainManager injection. This loads a custom application domain manager into the target application's process so that it can run arbitrary code.

The mechanism lets any .NET application load an arbitrary managed DLL on its own, locally or remotely, without directly invoking any Windows API calls. The legitimate .NET application downloads the next-stage downloader from a URL specified in its application configuration file (.config), which points to a file containing a .NET DLL.
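The AppDomainManager injection described above is driven entirely by settings in the application's .config file, so a defender can look for it on disk. As an added example (not Trend Micro's code and not from the original post), the Python below audits a .NET application configuration file for the runtime elements the technique relies on: appDomainManagerAssembly and appDomainManagerType under the <runtime> element, which the post does not name but which are the standard .NET Framework settings for loading a custom AppDomainManager, plus codeBase href entries that point to a remote location. Both sample configs are constructed, and the assembly name and URL in the suspicious one are placeholders.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: a config that sets a custom AppDomainManager and a remote codeBase.
# "Loader" and the URL are placeholders, not indicators from the post.
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Loader.Manager"/>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Loader" publicKeyToken="null"/>
        <codeBase version="1.0.0.0" href="https://cloud.example.invalid/Loader.dll"/>
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
"""

# Constructed sample: an ordinary config that only pins the runtime version.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>
"""

REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")


def local_name(tag):
    """Strip an XML namespace ({uri}name -> name); assemblyBinding children are namespaced."""
    return tag.rsplit("}", 1)[-1]


def audit_config(xml_text):
    """Return a list of human-readable findings for one .config document."""
    findings = []
    root = ET.fromstring(xml_text)
    for element in root.iter():
        name = local_name(element.tag)
        if name in ("appDomainManagerAssembly", "appDomainManagerType"):
            # Legitimate but rare: any value here means the app will load a custom
            # AppDomainManager before its own Main() runs.
            findings.append(f"{name}={element.get('value')}")
        elif name == "codeBase":
            href = element.get("href", "")
            if href.lower().startswith(REMOTE_PREFIXES):
                findings.append(f"remote codeBase href={href}")
    return findings


def audit_directory(root_dir):
    """Walk root_dir and audit every *.exe.config / *.dll.config found; unparsable files are reported."""
    results = {}
    for dirpath, _, filenames in os.walk(root_dir):
        for filename in filenames:
            if not filename.lower().endswith((".exe.config", ".dll.config")):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    findings = audit_config(fh.read())
            except (ET.ParseError, OSError) as exc:
                findings = [f"could not parse: {exc}"]
            if findings:
                results[path] = findings
    return results


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_CONFIG), ("benign", BENIGN_CONFIG)):
        print(label, audit_config(text) or "no findings")
```

Pointing audit_directory at user-writable locations such as Downloads or Temp is the most useful sweep: a signed vendor binary sitting next to a freshly written .config that names an AppDomainManager is exactly the pairing this campaign relies on.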

The download URL itself is obfuscated with Base64 and AES encryption. At this stage the download sites are again mostly public cloud services, usually Aliyun. After retrieving the shellcode from the DLL, the loader executes it with the CreateThread API, so everything runs entirely in memory. Vision One Threat Intelligence from Trend Micro provides the following features:

Keeping pace with emerging threats is Trend Micro customers' number one priority, which is why Trend Micro Vision One users have access to a range of Intelligence Reports and Threat Insights. With Threat Insights, customers can stay on top of cyber threats and be better prepared when new ones emerge. The report contains comprehensive information about threat actors, their malicious activities, and the techniques they employ.

Using this intelligence as a basis for proactive measures, customers can reduce their risks and respond effectively to threats. Earth Baxia is likely based in China and carries out sophisticated campaigns against the government and energy sectors across various Asia-Pacific countries.

To infiltrate networks and exfiltrate data, the group combines advanced tactics such as GeoServer exploitation, spear-phishing, and customized malware (Cobalt Strike and EAGLEDOOR). EAGLEDOOR's use of public cloud services for hosting malicious files, together with its support for a wide range of protocols, makes the group's operations complex and highly adaptable.

Continuous vigilance and sophisticated threat detection measures are essential for such threats to be dealt with effectively. To mitigate the risks associated with such threats, security teams are advised to implement several best practices. One critical measure is the implementation of continuous phishing awareness training for all employees. This ensures that staff remain informed about evolving phishing techniques and are better equipped to identify and respond to malicious attempts. 

Additionally, employees should be encouraged to thoroughly verify the sender and subject of any emails, especially those originating from unfamiliar sources or containing ambiguous subject lines. This practice helps in identifying potentially harmful communications before they lead to further complications. It is equally important to deploy multi-layered protection solutions, which serve to detect and block threats early in the malware infection chain. Such solutions enhance the organization’s overall security posture by providing multiple defences, significantly reducing the likelihood of a successful attack.