
Chinese Attackers Deployed Backdoor Quintet to Down MITRE


China-linked hackers used a variety of backdoors and Web shells to compromise the MITRE Corporation late last year. 

Last month, it was revealed that MITRE, widely known for its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, had been breached through Ivanti Connect Secure zero-day flaws. The attackers gained access to the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and development network.

On May 3, MITRE disclosed further details regarding five distinct payloads used in an attack that spanned from New Year's Eve to mid-March. 

The attackers infected MITRE with the "Rootrot" Web shell on New Year's Eve 2023. Rootrot is designed to implant itself in a legitimate Ivanti Connect Secure TCC file, allowing the attackers to conduct reconnaissance and lateral movement within NERVE.

The tool was created by the Chinese advanced persistent threat (APT) group UNC5221, which was also responsible for the first wave of alleged Ivanti-based attacks. Dark Reading had previously linked MITRE's intrusion to UNC5221, but retracted that detail at MITRE's request. 

After gaining initial access and probing the network, the attackers used the compromised Ivanti appliance to connect to, and ultimately take control of, NERVE's virtual environment. They then infected several virtual machines (VMs) with multiple payloads.

There was "Brickstorm," a Golang-based backdoor for VMware vCenter servers that appeared in two versions on MITRE's network. It can configure itself as a Web server, communicate with a command-and-control (C2) server, conduct SOCKS relaying, execute shell commands, and upload, download, and manipulate file systems. 

Following Brickstorm came the Wirefire (or Gifted Visitor) Web shell, a Python-based utility for uploading files and running arbitrary scripts. The attackers first installed it on the compromised Ivanti appliance on January 11, the day after the first batch of Ivanti vulnerabilities was made public.

MITRE later discovered that the attackers were using the Perl-based Web shell Bushwalk for command-and-control operations. Notably, this was a different version of Bushwalk from the one Mandiant had previously reported.

The attack also included a previously undocumented Web shell called "Beeflush," notable for its ability to read and encrypt Web traffic data. MITRE closed its blog post by emphasising the importance of the secure-by-design and zero-trust movements, along with regular authentication policies and software bills of materials (SBOMs).

Researchers Disclosed Details of NSA Equation Group’s Bvp47 Backdoor


Pangu Lab researchers have disclosed details of a top-tier Linux APT backdoor, dubbed Bvp47, which they link to the US National Security Agency (NSA) Equation Group.

The name "Bvp47" is derived from several references to the string "Bvp" and the value 0x47 used in the encryption algorithm. The Bvp47 backdoor was first identified in 2013 during a forensic investigation of a security breach at a Chinese government entity; according to the researchers, it was found on Linux hosts during an in-depth forensic examination of a host in a key domestic department. The malware appeared to be a top-tier APT backdoor, but further analysis of the malicious code required the attacker's asymmetric private key, which is needed to activate the remote-control function.

The hacking group The Shadow Brokers disclosed a trove of data reportedly stolen from the Equation Group in 2016 and 2017, including a slew of hacking tools and exploits. At the end of October 2016 the group released a further dump, this time featuring a list of systems compromised by the NSA-linked Equation Group. Pangu Lab researchers identified the Bvp47 backdoor within the material exposed by The Shadow Brokers. According to the stolen data, over a ten-year period the Equation Group attacked over 287 targets in 45 countries, including Russia, Japan, Spain, Germany, and Italy.

Governments, telecommunications, aircraft, energy, financial institutions, nuclear research, oil and gas, military, transportation, and companies researching encryption technologies were among the industries targeted by the group. The attacks involving the Bvp47 backdoor have been termed "Operation Telescreen" by Pangu Lab. The malicious code was created to allow operators to gain long-term control over compromised devices. 

The report published by the experts stated, “The implementation of Bvp47 includes complex code, segment encryption and decryption, Linux multi-version platform adaptation, rich rootkit anti-tracking techniques, and most importantly, it integrates advanced BPF engine used in advanced covert channels, as well as cumbersome communication encryption and decryption process”  

The researchers believe there was no effective defense against the backdoor's network attack capabilities, which rely on zero-day vulnerabilities. The Pangu Lab report covers technical details of the backdoor as well as the Equation Group's relationship with the US National Security Agency. The attribution to the Equation Group rests on exploits found in the encrypted archive "eqgrp-auction-file.tar.xz.gpg" released by The Shadow Brokers after a failed 2016 auction.
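The Pangu quote above singles out the backdoor's BPF engine for covert channels. On Linux, a classic BPF filter of that kind is attached to a packet (AF_PACKET) socket, and while the filter program itself is not exposed under /proc, the socket is: every packet socket on the host appears in /proc/net/packet, and its owning process can be found by matching the socket inode against the /proc/<pid>/fd symlinks. The hunt below is an added example written for this page, not Pangu Lab's tooling and not Bvp47 code; the allowlist of expected owners and the sample /proc/net/packet table are constructed, and the assumption that an implant of this type holds a packet socket is stated as such in the comments.

```python
"""Hunt for unexpected AF_PACKET sockets, the footing a BPF-filtered covert channel needs.

Added example for this page (not Pangu Lab's code). Assumption: a BPF-based
covert-channel listener holds a packet socket, which shows up in /proc/net/packet.
"""
import os
import re
from typing import Dict, List, NamedTuple, Tuple

# Processes that legitimately hold packet sockets on many hosts.
# Constructed allowlist: tune it to the fleet being checked.
EXPECTED_OWNERS = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager",
                   "systemd-networkd", "lldpd", "wpa_supplicant"}
ETH_P_ALL = 0x0003  # protocol field meaning "capture every ethertype"


class PacketSocket(NamedTuple):
    inode: int
    proto: int  # ethertype the socket is bound to (hex in /proc)
    iface: int  # ifindex, 0 = any interface


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse the /proc/net/packet table: a header line, then one socket per line.
    Columns: sk RefCnt Type Proto Iface R Rmem User Inode
    """
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append(PacketSocket(inode=int(fields[8]),
                                    proto=int(fields[3], 16),
                                    iface=int(fields[4])))
    return sockets


def socket_owners(proc_root: str = "/proc") -> Dict[int, Tuple[int, str]]:
    """Map socket inode -> (pid, comm) by reading every /proc/<pid>/fd symlink.
    Run as root, otherwise other users' fd directories are unreadable."""
    owners: Dict[int, Tuple[int, str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
            with open(os.path.join(proc_root, entry, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited, or permission denied
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))] = (int(entry), comm)
    return owners


def find_suspicious(sockets: List[PacketSocket],
                    owners: Dict[int, Tuple[int, str]],
                    expected=EXPECTED_OWNERS) -> List[str]:
    """Flag packet sockets with no visible owner (a hidden process is itself a
    rootkit indicator) or with an owner outside the allowlist."""
    findings = []
    for s in sockets:
        owner = owners.get(s.inode)
        if owner is None:
            findings.append(f"inode {s.inode}: packet socket with no visible owner process")
        elif owner[1] not in expected:
            note = " capturing all ethertypes" if s.proto == ETH_P_ALL else ""
            findings.append(f"inode {s.inode}: pid {owner[0]} ({owner[1]}) holds packet socket{note}")
    return findings


# Constructed sample data for an offline run: three packet sockets, one owned by
# dhclient (expected), one with no owner visible in /proc, one held by a process
# calling itself "ksoftirqd" (not a kernel thread name you expect on a socket).
SAMPLE_PROC_NET_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff0001 3      3    0003   2     1 0      0      11111
ffff0002 3      3    0003   0     1 0      0      22222
ffff0003 3      3    0800   2     1 0      0      33333
"""
SAMPLE_OWNERS = {11111: (512, "dhclient"), 33333: (9001, "ksoftirqd")}

if __name__ == "__main__":
    if os.path.exists("/proc/net/packet"):
        with open("/proc/net/packet") as f:
            live = parse_proc_net_packet(f.read())
        results = find_suspicious(live, socket_owners())
    else:
        results = find_suspicious(parse_proc_net_packet(SAMPLE_PROC_NET_PACKET), SAMPLE_OWNERS)
    for line in results or ["no unexpected packet sockets"]:
        print(line)
```

On a live host the script reads the real table and fd links; on anything else it falls back to the constructed sample. A hit is a lead, not a verdict: confirm by inspecting the owning binary and, where available, the socket's attached filter with a debugger or kernel tracing, since the BPF program is what decides which packets wake the implant.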