Showing posts with label Chinese Actors.

'TIDrone' Cybercriminals Target Taiwan's Drone Makers

 

A previously unknown threat actor with possible ties to Chinese-speaking groups has primarily targeted drone makers in Taiwan as part of a cyber attack campaign that started in 2024. Trend Micro is tracking the adversary under the codename TIDRONE and assesses that the activity is espionage-driven because of its emphasis on military-related industry chains.

The specific initial access vector used to penetrate targets is currently unknown, although Trend Micro's analysis revealed the deployment of custom malware such as CXCLNT and CLNTEND via remote desktop tools such as UltraVNC. One notable feature identified across multiple victims is the use of the same enterprise resource planning (ERP) software, raising the likelihood of a supply chain attack.

After that, the attack chains move through three distinct phases: privilege escalation by means of a User Account Control (UAC) bypass, credential dumping, and defense evasion by turning off the antivirus software installed on the hosts.

Both backdoors are activated by sideloading a rogue DLL using the Microsoft Word application, allowing attackers to collect a wide range of confidential data. CXCLNT includes basic upload and download file capabilities, as well as facilities for removing traces, acquiring victim data such as file listings and device names, and downloading next-stage portable executable (PE) and DLL files for execution. 
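A defender-side check for the sideloading technique described above, written as an added example rather than Trend Micro's or the blog's code: it parses constructed image-load records (the `key=value|key=value` layout and field names are assumptions, loosely modelled on Sysmon's ImageLoad event) and flags DLLs that Microsoft Word loaded from outside trusted directories, or that are unsigned.

```python
"""Flag DLL loads by Microsoft Word that look like sideloading.

Added example (not the page's own code). Records are a constructed,
simplified 'key=value|key=value' format; the field names Image,
ImageLoaded and Signed are assumptions, not a vendor schema.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which Word is normally expected to load signed DLLs.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample records: two benign loads, two that should be
# flagged, and one from Excel that this Word-specific rule ignores.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|ImageLoaded=C:\\Program Files\\Microsoft Office\\root\\Office16\\mso.dll|Signed=true",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|ImageLoaded=C:\\Users\\victim\\AppData\\Local\\Temp\\helper.dll|Signed=false",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|ImageLoaded=C:\\Program Files\\Microsoft Office\\root\\Office16\\helper2.dll|Signed=false",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|ImageLoaded=C:\\Users\\victim\\AppData\\Local\\Temp\\helper.dll|Signed=false",
]


@dataclass
class ImageLoad:
    process: str   # full path of the process that loaded the DLL
    image: str     # full path of the DLL that was loaded
    signed: bool   # whether the DLL carried a valid signature


def parse_line(line: str) -> ImageLoad:
    """Parse one 'key=value|key=value' record (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ImageLoad(
        process=fields["Image"],
        image=fields["ImageLoaded"],
        signed=fields["Signed"].lower() == "true",
    )


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when Word loads a DLL from an untrusted directory or one that is unsigned."""
    if PureWindowsPath(ev.process).name.lower() != "winword.exe":
        return False
    image = ev.image.lower()
    from_trusted_dir = any(image.startswith(d) for d in TRUSTED_DIRS)
    return (not from_trusted_dir) or (not ev.signed)


def find_sideloads(lines):
    """Return the DLL paths of all flagged loads, in input order."""
    return [ev.image for ev in map(parse_line, lines) if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for dll in find_sideloads(SAMPLE_EVENTS):
        print("suspicious Word DLL load:", dll)
```

The process-name check can be widened to other Office binaries if telemetry shows the same loader pattern elsewhere; the two rules (untrusted directory, missing signature) are independent so that a trusted path alone does not clear an unsigned DLL.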

CLNTEND, detected in April 2024, is a remote access tool (RAT) that supports a broader range of network communication protocols, including TCP, HTTP, HTTPS, TLS, and SMB (port 445).

"The consistency in file compilation times and the threat actor's operation time with other Chinese espionage-related activities supports the assessment that this campaign is likely being carried out by an as-yet unidentified Chinese-speaking threat group," security researchers Pierre Lee and Vickie Su stated.

Chinese Attackers Deployed Backdoor Quintet to Down MITRE

 

China-linked hackers used a variety of backdoors and Web shells to compromise the MITRE Corporation late last year. 

Last month, it was revealed that MITRE, widely known for its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, had been breached through Ivanti Connect Secure zero-day flaws. The hackers secured access to the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and development network.

On May 3, MITRE disclosed further details regarding five distinct payloads used in an attack that spanned from New Year's Eve to mid-March. 

The perpetrators infected MITRE with the "Rootrot" Web shell over the 2023 New Year period. Rootrot is meant to implant itself in a valid Ivanti Connect Secure TCC file, allowing the attackers to conduct reconnaissance and lateral movement within the NERVE system.

The tool was created by the Chinese advanced persistent threat (APT) group UNC5221, which was also responsible for the first wave of alleged Ivanti-based attacks. Dark Reading had previously linked MITRE's intrusion to UNC5221, but retracted that detail at MITRE's request. 

After getting initial access and probing around, the criminals used their compromised Ivanti appliance to connect to and ultimately seize control of NERVE's virtual environment. They then infected several virtual machines (VMs) using multiple payloads.

There was "Brickstorm," a Golang-based backdoor for VMware vCenter servers that appeared in two versions on MITRE's network. It can configure itself as a Web server, communicate with a command-and-control (C2) server, conduct SOCKS relaying, execute shell commands, and upload, download, and manipulate file systems. 

Following Brickstorm came the Wirefire (or Gifted Visitor) Web shell, a Python-based utility for uploading files and running arbitrary scripts. The attackers first installed it on their compromised Ivanti appliance on January 11, the day after the first batch of Ivanti vulnerabilities were made public. 

MITRE later discovered that the attackers were using the Perl-based Web shell Bushwalk to carry out command-and-control operations. Notably, this was an entirely different variant from the Bushwalk that Mandiant had previously reported on.

The attack also included a previously undocumented Web shell called "Beeflush," notable for its ability to read and encrypt Web traffic data. To conclude its blog post, MITRE emphasized the importance of the secure-by-design and zero-trust movements, as well as regular authentication policies and software bills of materials (SBOMs).

Qilin Ransomware Strikes VMware ESXi

The ransomware strain Qilin has surfaced as a new danger to computers running VMware ESXi, a recent development in the cryptocurrency space. Observers have expressed concern that this Linux version of Qilin exhibits a targeted and advanced strategy aimed specifically at virtualized systems.

Qilin, a mythical creature in Chinese folklore, has taken its name seriously in the cyber realm, wreaking havoc on Linux-based systems. The malware, as detailed in reports from leading cybersecurity sources like Bleeping Computer and Linux Security, has honed in on VMware ESXi, a widely used virtualization platform.

The Qilin ransomware has raised concerns due to its ability to compromise the core infrastructure of organizations. VMware ESXi, being a popular choice for virtualization in data centers, has become a prime target. The attackers employ advanced techniques to exploit vulnerabilities in ESXi servers, encrypting critical data and demanding a ransom for its release.

GridinSoft, a cybersecurity company, has provided insights into the modus operandi of Qilin. Their analysis reveals the ransomware's deliberate focus on virtual machines, particularly those hosted on VMware ESXi. The attackers leverage vulnerabilities in ESXi versions, emphasizing the need for organizations to update and patch their systems promptly.

The cybersecurity community is actively collaborating to understand and counter the Qilin threat. As organizations scramble to bolster their defenses, it's crucial to stay informed about the evolving nature of the ransomware landscape. Constant vigilance, regular updates, and a robust backup strategy are imperative to mitigate the risks associated with Qilin and similar cyber threats.

Although the Qilin ransomware is a significant concern, it also highlights the larger problem of how constantly cyber threats change. According to a cybersecurity expert, "attackers are getting more skilled at focusing on critical infrastructure, and the landscape of cyber threats is dynamic. To protect against such harmful operations, cybersecurity measures that are proactive and vigilant are vital."

The Qilin ransomware, which was first discovered to target VMware ESXi, is a clear reminder of how sophisticated cyber threats are getting. To strengthen their defenses against such powerful adversaries, organizations must prioritize cybersecurity procedures, such as patch management, regular upgrades, and reliable backup plans.

FBI Warns Energy Sectors: Chinese and Russian Hackers may Actively Target Energy Sector


According to a recent notification sent by the FBI to the energy industry, changes in the global energy supply will most probably result in an increase in the number of Chinese and Russian hackers attacking significant energy infrastructure.

The notification, released on Thursday, lists several contributing causes, including rising LNG exports from the United States, shifts in the global crude oil supply chain favoring the United States, continued Western pressure on Russia's energy supply, and China's reliance on imported oil. 

The alert, however, did not mention any particular advanced persistent threat (APT) group linked with China or Russia, nor did it cite any cybersecurity incident targeting critical infrastructure. Instead, it makes general mention of how appealing U.S. networks are to foreign hackers and cautions recipients that Chinese and Russian hackers are always looking to examine important systems and improve their capabilities to exploit vulnerabilities they find.

According to Brian Harrell, former assistant secretary for infrastructure protection at the Department of Homeland Security and now an energy sector executive, “Utilities see probing and low-level attempted attacks every day by the Russians and PRC.”

These low-profile attacks help hackers gain insight into important aspects of specific systems, such as where a target has open ports or what firewall restrictions are in place. “China doesn’t make a lot of noise, but the small localized intrusions are helping build their network attack capabilities, likely for future use[…]There’s no doubt that the energy sector is on the front lines of malicious cyber-activity right now as China preps the battlefield,” Harrell added.

As the notification suggests, Chinese hackers have exploited certain US entities by conducting “post-exploitation activity with generic reconnaissance commands using ‘live off the land’ tools.”

“Living off the land” means an attacker is abusing tools or features that are already present in the target environment. For instance, stealthy varieties of ransomware like WannaCry and LockBit have covered their tracks and survived inside a network by using a default Windows binary, an existing piece of operating system code.

The warning states that state-backed Chinese hackers have been targeting common vulnerabilities since 2020, in order to, “target US and allied networks and software/hardware companies to steal intellectual property and develop access into sensitive networks to include critical infrastructure, defense industrial base sectors, and private sector organizations.”

However, the FBI declined to comment on the notification.

The notification further highlights how the Russian invasion of Ukraine altered the world's energy supply chain, citing Western sanctions as a "significant driver" of recent changes in the LNG supply chain. According to the notification, the modification will probably lead to an increase in Russian hackers' targeting of the American energy sector.

In 2022, 74% of Europe’s LNG imports originated in the U.S., the notification said, noting that the U.S. was able to meet European LNG demand.

It also added that since 2016, Russian hackers have targeted state agencies and several US-based critical infrastructure sectors by, “staging targets networks as pivot points and malware repositories when targeting their final intended victims.”

XWorm Malware Exploits Critical Follina Vulnerability in New Attacks

Security researchers have identified a new wave of attacks using the XWorm malware that exploits the Follina vulnerability. XWorm is a remote access trojan (RAT) that has been previously linked to state-sponsored Chinese hacking groups. The Follina vulnerability is a critical vulnerability in Microsoft Windows systems that was first disclosed in 2022.

The XWorm malware uses Follina to spread across networks and exfiltrate sensitive information. The malware can also open a backdoor to allow attackers to gain remote access to compromised systems. The attacks have been observed targeting a range of organizations in different sectors, including finance, healthcare, and government.

According to security experts, the XWorm malware is particularly dangerous because it can bypass traditional security measures. The malware can evade detection by anti-virus software and firewalls, making it difficult to detect and remove. Moreover, the Follina vulnerability is easily exploitable, and attackers can use it to gain access to vulnerable systems with minimal effort.

The XWorm malware is usually delivered through phishing emails or through exploit kits. Once a user clicks on a malicious link or opens a malicious attachment, the malware is installed on the victim's system. The malware then establishes communication with a command and control (C&C) server, allowing attackers to remotely control the infected machine.

To protect against the XWorm malware, security experts recommend that organizations apply the latest security patches and updates to their operating systems. They also advise users to be cautious when opening emails and attachments from unknown sources. Additionally, organizations should implement multi-factor authentication, network segmentation, and strong password policies to reduce the risk of unauthorized access.

The XWorm malware is a potent threat that exploits the Follina vulnerability to spread across networks and steal sensitive data. Organizations need to remain vigilant and take appropriate measures to protect their systems and data from such attacks.

Deepfake Apps Remain Popular in China Despite Crackdown

The Chinese government has recently launched a crackdown on deepfakes, a type of synthetic media that involves manipulating images, videos, or audio to make them appear to be real. Despite these efforts, however, several Chinese apps that utilize deepfakes are finding a large audience in the country.

Deepfakes have become a significant concern in recent years due to their potential to spread misinformation and manipulate public opinion. Cybersecurity experts warn that deepfakes can be used for nefarious purposes such as identity theft, fraud, and even political propaganda.

China's new laws aim to prevent the spread of false information and improve cybersecurity. However, the government's efforts have not deterred developers from creating deepfake apps that remain popular among Chinese consumers. These apps allow users to create deepfake videos and images with ease, making it possible to manipulate content in ways that were previously impossible.

While these apps are designed to be entertaining and harmless, they can pose significant risks to personal privacy and security. Deepfake technology is becoming increasingly advanced, and it is becoming more difficult to distinguish between real and fake content.

To protect themselves, users should exercise caution when using deepfake apps and be aware of the potential risks. They should also ensure that they are downloading apps from reputable sources and regularly update their devices to the latest software version to mitigate any vulnerabilities.

The proliferation of deepfake apps highlights the importance of continued vigilance in the fight against cyber threats. Governments, organizations, and individuals must work together to stay ahead of evolving threats and take steps to mitigate risks.

China's crackdown on deepfakes has not stopped the popularity of deepfake apps in the country. Cybersecurity experts warn that these apps can pose significant risks to personal privacy and security, and users should exercise caution when using them. The continued proliferation of deepfakes emphasizes the importance of continued vigilance in the fight against cyber threats.

Hackers Designs Malware for Recently Patched Fortinet Zero-Day Vulnerability


Researchers investigating the recently disclosed and patched zero-day vulnerability in Fortinet's FortiOS SSL-VPN technology have identified a new backdoor, created specifically to run on Fortinet’s FortiGate firewalls.

Initial evidence collected by Google-owned security firm Mandiant suggests that the exploitation occurred in October 2022, nearly two months before the vulnerability was patched. Targets included a government entity in Europe and a managed services provider in Africa. 

According to a report published by Mandiant, the malware appears to have been created by a China-based threat actor that conducts cyber-espionage operations against individuals and groups associated with the government. 

It is the most recent instance of attackers from the country targeting firewalls, IPS, IDS, and other internet-facing technologies that businesses use to secure their networks.

BoldMove Backdoor 

The attacks involved the use of a sophisticated backdoor known as BOLDMOVE, a Linux variant created especially to run on Fortinet's FortiGate firewalls. 

The intrusion vector in question is the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw in FortiOS SSL-VPN that could allow for unauthenticated remote code execution through carefully constructed requests. 

Earlier this month, Fortinet revealed that the unidentified hacking groups had taken advantage of the flaw to attack governments and other major institutions with a generic Linux implant capable of delivering additional payloads and carrying out remote server commands. 

Mandiant findings also indicate that the hackers managed to exploit the zero-day vulnerability to their advantage, accessing target networks for espionage operations. "With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," Mandiant added. 

The BoldMove Backdoor malware, written in C, is apparently available in both Windows and Linux versions, with the latter being able to read data from a Fortinet-exclusive file format. 

Moreover, according to Fortinet’s report, an extended Linux sample comes with a feature that allows attackers to disable and manipulate logging features in order to evade detection. Despite the fact that no copies of the backdoor have been found in the wild, metadata analysis of the Windows variations reveals that they were created as early as 2021. 

"The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices," Mandiant noted. 

Schooled in FortiOS 

Meanwhile, Fortinet itself described the malware as a variant of a “generic” Linux backdoor designed by threat actors for FortiOS. According to the company's analysis, on affected systems the malicious file may have disguised itself as part of Fortinet's IPS engine.

According to Fortinet, one of the malware's more advanced features is manipulating FortiOS logging to avoid detection. The malware can search FortiOS event logs, decompress them in memory, and search for and delete a specific string, which allows it to reconstruct the logs without that entry. The malware can also completely disable logging processes.

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," says Fortinet. 

Fortinet adds that designing the malware would have required the threat actors to have a “deep understanding” of the FortiOS and its underlying hardware. "The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS," the vendor said.  

FBI: TikTok privacy issues


Christopher Wray, the director of the FBI, expressed his concern over the potential that the Chinese government might alter TikTok's recommendation algorithms, which could be utilized for conventional espionage activities.

The short-video social network has recently come under federal scrutiny, largely because of worries about data privacy, especially where youngsters are concerned, and because of the ongoing tension between the United States and China. In 2020, the Trump administration made an unsuccessful effort to remove TikTok from app stores. Additionally, there have been legislative hearings on user data in both 2021 and this year.

While Wray acknowledged that numerous countries pose cyber threats to the United States, he said that "China's rapid hacking operation is the largest, and they have gained more of Americans' personal and business data than any other country combined."

He claimed that TikTok APIs may be used by China to manage the software on consumer devices, opening the door for the Chinese government to effectively breach the devices of Americans.

Rep. John Katko, D-NY, the ranking member of the committee and a persistent advocate of cybersecurity issues in Congress, claims that Chinese cyber operations pose a threat to the economic and national security of all Americans. He informed the members that ransomware attacks caused companies $1.2 billion in losses last year.

Using HUMINT operations, China has gained access to the US military and government and gathered important information about US intelligence operations. Due to the development of these abilities, China was able to intercept communications, gather sensitive information, and gather a variety of data regarding US military and diplomatic activities.