
Security Breach Exposes U.S. Wiretap Systems to China-Linked Hackers
A report in The Wall Street Journal on Saturday said that Chinese hackers broke into the networks of major U.S. broadband providers and obtained information about the wiretapping systems used by the federal government. The intrusion gave the attackers access to highly sensitive data about court-authorized wiretaps.

In terms of the number of people directly exposed, it was less sweeping than the National Public Data (NPD) breach disclosed earlier this year, but the targets were far more sensitive. The attack hit companies including Verizon, AT&T and Lumen Technologies, giving unauthorized access to the systems these providers use to fulfil court-authorized wiretap requests, a vital tool for law enforcement surveillance. The hackers reportedly held that access for months, raising concerns about the depth of the intrusion and its implications for national security and individual privacy.

U.S. authorities have identified the hackers as part of a Chinese cyber espionage group. The incident has renewed attention on the vulnerability of American broadband networks and the risk they pose to national security and lawful-intercept systems, at a time when tensions between the two countries over cyber operations are already high.

As the Wall Street Journal reported, an attack linked to the Chinese government penetrated the networks of several U.S. broadband providers and reached the infrastructure those providers use to comply with court-authorized wiretap requests. People familiar with the matter said the hackers may have had access to that infrastructure for months or longer. According to the Journal's sources, the attackers also accessed other tranches of more generic internet traffic.

The attack has been attributed to Salt Typhoon, a Chinese hacking group that appears to have been operating for intelligence-gathering purposes. Salt Typhoon is the name Microsoft uses for the group; the "Typhoon" suffix in Microsoft's naming scheme denotes China-based actors.

Earlier this year U.S. authorities disrupted another Chinese hacking group, Flax Typhoon, just months after warning about the sweeping cyber espionage China is conducting under the name Volt Typhoon. The Wall Street Journal report also states that Microsoft and other cybersecurity firms are investigating the Salt Typhoon attacks. Salt Typhoon overlaps with activity that ESET tracks as FamousSparrow and that Kaspersky tracks as GhostEmperor.

According to ESET, FamousSparrow is a cyberespionage group that has been active since at least 2019. Security firms have observed it primarily targeting airports, hotels, governments, law firms and international companies in countries including Brazil, Canada, Israel, Mexico, Saudi Arabia, Taiwan and the UK. Kaspersky, which first publicly described GhostEmperor in 2021, characterises it as a highly skilled and stealthy threat actor with a wide range of targets in Southeast Asia and around the globe.

Sygnia saw no further activity from GhostEmperor until late 2023, when it observed the group delivering rootkits in new attacks. Both the Post and the Wall Street Journal reported that U.S. wiretap systems may have been compromised. That has not been publicly confirmed, and given the sensitivity of the systems involved it may never be.

China-Linked Hackers Breach East Asian Firm for 3 Years via F5 Devices
A suspected China-based cyber espionage actor has been linked to a roughly three-year intrusion at an unnamed organization in East Asia, during which the adversary maintained persistence on legacy F5 BIG-IP appliances and used them as command-and-control infrastructure to evade defences. Sygnia, the cybersecurity company that responded to the intrusion in late 2023, tracks the activity as Velvet Ant.

Based on its observations, Sygnia characterises Velvet Ant as capable of pivoting and adapting its tactics to counter repeated eradication attempts. In a blog post on June 17, the researchers explained that F5 BIG-IP load balancers typically sit at the network perimeter or between network segments and are widely trusted, which is precisely what makes them valuable to an attacker.

To reach sensitive data, Velvet Ant used a range of tools, including the PlugX remote access trojan (RAT), which it planted as a dormant persistence mechanism on unmonitored systems. The group installed PlugX through DLL search-order hijacking, DLL sideloading and phantom DLL loading, and it tampered with the installed security software on a workstation before deploying the malware there rather than touching a monitored host, showing a high degree of operational security (OPSEC) awareness.
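The three loading tricks named above all abuse the same thing: the order in which the Windows loader looks for a DLL that an executable imports. The script below is an added example, not Sygnia's tooling or anything from the report. It models the default search order (with SafeDllSearchMode on, the modern default) over a constructed in-memory filesystem and labels each import as system, hijack (a planted copy shadows a system DLL), local (resolved outside the system directories with no system copy, which is also what a legitimate vendor DLL looks like) or phantom (no copy anywhere, so whoever can write to the first writable directory in the order gets loaded). The KnownDLLs subset, the paths and the DLL names are all assumptions made for the example.

```python
"""
Model of the Windows default DLL search order (SafeDllSearchMode enabled)
used to triage imports for search-order hijacking, sideloading and phantom
DLL loading. The filesystem is a constructed set of paths, not a real host.
"""
from pathlib import PureWindowsPath

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"

# KnownDLLs are mapped from System32 by the loader regardless of the search
# order, so a planted copy never wins. Constructed subset of the real
# HKLM\...\Session Manager\KnownDLLs list, for illustration only.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
              "advapi32.dll", "gdi32.dll", "ole32.dll", "combase.dll"}


def _norm(path):
    """Lower-case, backslash-normalised path for case-insensitive lookups."""
    return str(PureWindowsPath(path)).lower()


def search_order(app_dir, cwd, path_env=()):
    """Default order with SafeDllSearchMode on: the current directory comes
    after the system directories, not before them."""
    return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_env]


def classify_imports(exe_path, imports, fs, cwd=r"C:\Users\user", path_env=()):
    """Map each imported DLL name to (label, resolved_path_or_None)."""
    present = {_norm(p) for p in fs}
    order = search_order(str(PureWindowsPath(exe_path).parent), cwd, path_env)
    system_dirs = [SYSTEM32, SYSTEM16, WINDIR]
    system_dir_set = {_norm(d) for d in system_dirs}
    result = {}
    for dll in imports:
        name = dll.lower()
        if name in KNOWN_DLLS:
            result[dll] = ("system", _norm(f"{SYSTEM32}\\{name}"))
            continue
        # First directory in the search order that actually holds the file.
        resolved = next((_norm(f"{d}\\{name}") for d in order
                         if _norm(f"{d}\\{name}") in present), None)
        system_copy = any(_norm(f"{d}\\{name}") in present for d in system_dirs)
        if resolved is None:
            result[dll] = ("phantom", None)
        elif _norm(str(PureWindowsPath(resolved).parent)) in system_dir_set:
            result[dll] = ("system", resolved)
        elif system_copy:
            result[dll] = ("hijack", resolved)   # planted copy shadows the system one
        else:
            result[dll] = ("local", resolved)    # vendor DLL or sideload: check signature
    return result


# Constructed example: a vendor updater with a planted version.dll beside it.
SAMPLE_EXE = r"C:\ProgramData\Vendor\update.exe"
SAMPLE_FS = {
    SAMPLE_EXE,
    r"C:\ProgramData\Vendor\version.dll",     # planted: shadows the System32 copy
    r"C:\ProgramData\Vendor\vendorcore.dll",  # the vendor's own library
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\kernel32.dll",
}
SAMPLE_IMPORTS = ["kernel32.dll", "version.dll", "vendorcore.dll", "wlanhelper.dll"]

if __name__ == "__main__":
    for dll, (label, path) in classify_imports(SAMPLE_EXE, SAMPLE_IMPORTS, SAMPLE_FS).items():
        print(f"{dll:16} {label:8} {path}")
```

Running it against a real host means feeding it the import table of the executable (pefile or dumpbin) and a real directory listing; the point of the model is that a "phantom" import stays exploitable even when the application directory is locked down, because the current directory and every entry of PATH are still searched after the system directories.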

Velvet Ant also used the open-source Impacket toolkit for remote code execution and lateral tool transfer on compromised machines, and created firewall rules to allow access to its command-and-control (C&C) server. After Sygnia believed the actor had been eradicated from the victim's network, it observed new machines being infected with PlugX samples reconfigured to use an internal server as their C&C, with the malware's external communications channelled through that internal server.

The researchers noted that an attacker who compromises a device of this kind without raising suspicion gains considerable control over network traffic. Velvet Ant used tools and techniques traditionally associated with Chinese state-sponsored actors: a clear intelligence-gathering objective, a focus on network devices, exploitation of known vulnerabilities, and a toolkit that included rootkits, PlugX and the ShadowPad malware family.

The attacks also relied on DLL sideloading. The researchers describe Velvet Ant as clever and slippery in its pursuit of sensitive data: each time a foothold was discovered and remediated, the actor quickly pivoted to another, showing agility and adaptability in evading detection. It also demonstrated a detailed understanding of the victim's network, exploiting multiple entry points across the infrastructure, which indicates comprehensive knowledge of the target.

During the investigation Sygnia uncovered a modified PlugX variant that blended its malicious traffic with legitimate network activity to avoid detection. Alongside it ran a second variant with an external command-and-control server for exfiltration, deployed only on endpoints with direct internet access. For hosts without direct web connectivity, the actor relied on the compromised legacy F5 BIG-IP devices, exploiting vulnerabilities in the outdated appliances and maintaining communication with its external server through a reverse SSH tunnel.
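The relay arrangement described in the two passages above (workstations beaconing to an internal server that forwards to the outside, plus a perimeter appliance holding its own tunnel to an external host) leaves a shape in flow logs even when the payload is encrypted. The script below is an added example, not Sygnia's detection logic, and runs three heuristics over constructed NetFlow-style records: regular inter-arrival times on an internal-to-internal connection, an internal beacon destination that also initiates connections to the internet, and an appliance address opening outbound SSH. The address ranges, the appliance IP, the timestamps and the ports are all assumptions for the example; the page does not state which ports the malware used.

```python
"""
Flow-log heuristics for relayed C2 and reverse tunnels. All records,
addresses and ports are constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range
APPLIANCES = {"10.0.0.5"}                        # assumed BIG-IP management address

BASE = 1_700_000_000  # arbitrary epoch start for the constructed records

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = (
    # workstation -> internal file server every ~60 s with small jitter: a beacon
    [(BASE + t, "10.0.1.20", "10.0.2.10", 443) for t in (0, 61, 119, 182, 240, 301, 358, 420)]
    # another workstation hitting the same server at irregular times: normal use
    + [(BASE + t, "10.0.1.21", "10.0.2.10", 443) for t in (5, 40, 400, 410, 900, 905)]
    # the file server forwarding traffic to an external address: the relay
    + [(BASE + 70, "10.0.2.10", "203.0.113.7", 443), (BASE + 430, "10.0.2.10", "203.0.113.7", 443)]
    # perimeter appliance opening outbound SSH: reverse tunnel indicator
    + [(BASE + 100, "10.0.0.5", "198.51.100.9", 22)]
    # ordinary outbound browsing from a third workstation
    + [(BASE + 15, "10.0.1.22", "198.51.100.50", 443), (BASE + 700, "10.0.1.22", "198.51.100.50", 443)]
)


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def beacon_candidates(flows, min_hits=5, max_cv=0.15):
    """Return (src, dst, dport) triples whose inter-arrival times are regular.

    Regularity is the coefficient of variation (stddev / mean) of the gaps
    between successive flows; a beacon with small jitter scores well below
    max_cv, interactive traffic scores far above it.
    """
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dst, dport)].append(ts)
    hits = []
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append(key)
    return sorted(hits)


def relay_hosts(flows, beacons):
    """Internal beacon destinations that also initiate connections to external IPs."""
    beacon_dsts = {dst for src, dst, _ in beacons if is_internal(src) and is_internal(dst)}
    outbound_srcs = {src for _, src, dst, _ in flows if is_internal(src) and not is_internal(dst)}
    return sorted(beacon_dsts & outbound_srcs)


def appliance_outbound_ssh(flows):
    """Appliances that should never initiate SSH to the internet doing exactly that."""
    return sorted({(src, dst) for _, src, dst, dport in flows
                   if src in APPLIANCES and dport == 22 and not is_internal(dst)})


def analyse(flows):
    beacons = beacon_candidates(flows)
    return {
        "beacons": beacons,
        "relays": relay_hosts(flows, beacons),
        "appliance_ssh": appliance_outbound_ssh(flows),
    }


if __name__ == "__main__":
    for name, value in analyse(SAMPLE_FLOWS).items():
        print(f"{name}: {value}")
```

The beacon test on its own produces false positives (monitoring agents and scheduled jobs are also regular); what makes the relay finding interesting is the combination: a server that is the target of regular internal beacons and is itself talking to the internet. The appliance check is deliberately blunt because a load balancer's management address has no business initiating SSH outbound at all.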

Forensic examination of the compromised F5 devices revealed several tools: a component that periodically polled the threat actor's command-and-control server for commands, network packet capture tooling, and EarthWorm, a SOCKS tunnelling tool previously associated with espionage groups such as Gelsemium and LuckyMouse. It remains unclear how the attacker first gained access to the environment, whether through spear-phishing or by exploiting vulnerabilities in internet-exposed devices.

The incident follows several other China-linked espionage operations focused on sensitive intelligence across Asia, including Unfading Sea Haze, Operation Diplomatic Specter and Operation Crimson Palace. The compromised F5 BIG-IP appliances, which the victim used for firewall, web application firewall (WAF), load balancing and local traffic management, were directly exposed to the internet and were likely compromised through known vulnerabilities. On one appliance the threat actor deployed VelvetSting (to receive commands from the C&C server), VelvetTap (to capture network packets), Samrid (the open-source SOCKS proxy tunneller EarthWorm) and Esrde (with capabilities similar to VelvetSting). Given the targeted organization, the use of ShadowPad and PlugX, and the DLL sideloading techniques, Sygnia assesses Velvet Ant to be a state-sponsored threat actor operating out of China.