Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Chinese Actors. Show all posts
Notepad++
Chinese Actors Cyber Attacks Cyberattack Databreach Notepad++

A Quiet Breach of a Familiar Tool, Notepad++

For six months last year the update system of Notepad++, one of the world’s most widely used Windows text editors, was quietly subverted by hackers linked by investigators to the Chinese state. The attackers used their access not to disrupt the software openly, but to deliver malicious versions of it to carefully chosen targets. 

According to a statement published this week on the project’s official website, the intrusion began in June with an infrastructure-level compromise that allowed attackers to intercept and redirect update traffic meant for notepad-plus-plus.org. Selected users were silently diverted to rogue update servers and served backdoored versions of the application. Control over the update infrastructure was not fully restored until December. 

The developers said the attackers exploited weaknesses in how older versions of Notepad++ verified updates. By manipulating traffic between users and the update servers, they were able to substitute legitimate downloads with malicious ones. 

Although update packages were signed, earlier design choices meant those signatures were not always robustly checked, creating an opening for tampering by a well-resourced adversary. Security researchers say the campaign was highly targeted. 

The attackers installed a previously unknown backdoor, dubbed Chrysalis, which Rapid7 described as a custom and feature-rich tool designed for persistent access rather than short-term disruption. Such sophistication suggests strategic objectives rather than criminal opportunism. 

Independent researcher Kevin Beaumont reported that several organisations with interests in East Asia experienced hands-on intrusions linked to compromised Notepad++ installations, indicating that attackers were able to take direct control of affected systems. 

He had raised concerns months earlier after a Notepad++ update quietly strengthened its updater against hijacking. The episode underlines a broader vulnerability in the global software supply chain. Open-source tools such as Notepad++ are deeply embedded in corporate and government systems, yet are often maintained with limited resources. That imbalance makes them attractive targets for state-backed hackers seeking discreet access rather than noisy disruption. 

Notepad++ developers have urged users to update manually to the latest version and large organisations to consider restricting automated updates. The incident also serves as a reminder that even modest, familiar software can become a conduit for serious espionage when its infrastructure is neglected.
Read more »
Software
Chinese Actors Chinese Hackers Cyber Attacks IPv4 vs IPv6 IPv6 Software

Chinese Hackers Exploit IPv6 Network Features to Hack Software Updates

Chinese Hackers Exploit IPv6 Network Features to Hack Software Updates

China-linked group attacks

ESET discovered both SpellBinder and WizardNet, tools used by Chinese hackers. A China-based APT group, “The Wizards,” has been linked to a lateral movement tool, Spellbinder, which allows adversary-in-the-middle (AitM) attacks.  It does so via IPv6 stateless address autoconfiguration (SLAAC) spoofing, to roam laterally in the compromised network, blocking packets and redirecting the traffic of legal Chinese software to download malicious updates from a server controlled by threat actors, ESET researchers said to The Hacker News

About malware WizardNet

The attack creates a path for a malicious downloader which is delivered by hacking the software update mechanism linked with Sogou Pinyin. Later, the downloader imitates a conduit to deploy a modular backdoor called WizardNet. 

In the past, Chinese hackers have abused Sogou Pinyin’s software update process to install malware. Last year, ESET reported a hacking group called Blackwood that delivered an implant called NSPX30 by abusing the update process of the Chinese input method software app. 

This year, the Slovak cybersecurity company found another threat actor called PlushDaemon that exploited the same process to deploy a custom downloader called LittleDaemon. 

The scale of the attack

The Wizards APT has targeted both individuals and the gambling industry in Hong Kong, Mainland China, Cambodia, the United Arab Emirates, and the Phillippines. 

Findings highlight that the Spellbinder IPv6 AitM tool has been active since 2022. A successful attack is followed by the delivery of a ZIP archive which includes four separate files. 

After this, the threat actors install “wincap.exe” and perform "AVGApplicationFrameHost.exe," to sideload the DLL. The DLL file then reads shellcode from “log.dat” and runs it in memory, resulting in the launch of Spellbinder. 

Not the first time

In a 2024 attack incident, the hackers utilized this technique to hack the software update process for Tencent QQ at the DNS level to help a trojanized version deploy WizardNet; a modular backdoor that can receive and run .NET payloads on the victim host. Spellbinder does this by blocking the DNS query for the software update domain ("update.browser.qq[.]com") and releasing a DNS response 

“The list of targeted domains belongs to several popular Chinese platforms, such as Tencent, Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Yuodao, Xiaomi and Xioami's Miui, PPLive, Meitu, Quihoo 360, and Baofeng,” reports The Hacker News. 

Read more »
Threat Landscape
Chinese Actors Cyber Attacks Drone Makers Taiwan Threat Landscape

'TIDrone' Cybercriminals Target Taiwan's Drone Makers

 

A previously unknown threat actor with possible ties to Chinese-speaking groups has primarily targeted drone makers in Taiwan as part of a cyber attack operation that started in 2024. Trend Micro is tracking the adversary under the codename TIDRONE, claiming that the activity is espionage-driven due to the emphasis on military-related company chains. 

The specific initial access vector used to penetrate targets is currently unknown, although Trend Micro's study revealed the spread of unique malware such as CXCLNT and CLNTEND using remote desktop tools such as UltraVNC. An interesting feature identified across multiple victims is the use of the same enterprise resource planning (ERP) software, increasing the likelihood of a supply chain attack. 

After that, the attack chains move through three distinct phases that are intended to make it easier to escalate privileges through the use of credential dumping, security evasion by turning off antivirus software that is installed on the hosts, and User Account Control (UAC) bypass. 

Both backdoors are activated by sideloading a rogue DLL using the Microsoft Word application, allowing attackers to collect a wide range of confidential data. CXCLNT includes basic upload and download file capabilities, as well as facilities for removing traces, acquiring victim data such as file listings and device names, and downloading next-stage portable executable (PE) and DLL files for execution. 

CLNTEND, detected in April 2024, is a remote access tool (RAT) that supports a broader range of network communication protocols, including TCP, HTTP, HTTPS, TLS, and SMB (port 445).

"The consistency in file compilation times and the threat actor's operation time with other Chinese espionage-related activities supports the assessment that this campaign is likely being carried out by an as-yet unidentified Chinese-speaking threat group," security researchers Pierre Lee and Vickie Su stated.
Read more »
Vulnerabilities and Exploits
APT Backdoor Chinese Actors MITRE Threat Landscape Vulnerabilities and Exploits

Chinese Attackers Deployed Backdoor Quintet to Down MITRE

 

China-linked hackers used a variety of backdoors and Web shells to compromise the MITRE Corporation late last year. 

Last month, it was revealed that MITRE, widely known for its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, had been exploited by Ivanti Connect Secure zero-day flaws. The hackers secured access to the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and development network.

On May 3, MITRE disclosed further details regarding five distinct payloads used in an attack that spanned from New Year's Eve to mid-March. 

MITRE perpetrators infected it with the "Rootrot" web shell as a New Year's present in 2023. Rootrot is meant to implant itself in a valid Ivanti Connect Secure TCC file, allowing them to conduct reconnaissance and lateral movement within the NERVE system. 

The tool was created by the Chinese advanced persistent threat (APT) group UNC5221, which was also responsible for the first wave of alleged Ivanti-based attacks. Dark Reading had previously linked MITRE's intrusion to UNC5221, but retracted that detail at MITRE's request. 

After getting initial access and probing about, the criminals employed their compromised Ivanti appliance to connect to and ultimately seize control of NERVE's virtual environment. Then they infected several virtual machines (VMs) using multiple payloads. 

There was "Brickstorm," a Golang-based backdoor for VMware vCenter servers that appeared in two versions on MITRE's network. It can configure itself as a Web server, communicate with a command-and-control (C2) server, conduct SOCKS relaying, execute shell commands, and upload, download, and manipulate file systems. 

Following Brickstorm came the Wirefire (or Gifted Visitor) Web shell, a Python-based utility for uploading files and running arbitrary scripts. The attackers first installed it on their compromised Ivanti appliance on January 11, the day after the first batch of Ivanti vulnerabilities were made public. 

MITRE later discovered that the attackers were using the Perl-based Web shell Bushwalk to carry out command-and-control operations. Notably, this was an entirely different type than the Bushwalk, which Mandiant had previously reported on. 

The attack also included a previously undocumented Web shell called "Beeflush," which is renowned for its ability to read and encrypt web traffic data. To conclude its blog post, MITRE emphasised the importance of secure by design and zero trust movements, as well as regular authentication policies and software bill of materials (SBOMs).
Read more »
Vulnerabilities and Exploits
Chinese Actors Linux Malware Linux Servers Malicious actor Ransomware Attacks. VMware ESXi Vulnerabilities and Exploits

Qilin Ransomware Strikes VMware ESXi

The ransomware strain Qilin has surfaced as a new danger to computers using VMware ESXi, which is a recent development in the cryptocurrency space. Concerned observers have expressed concern over the fact that this Qilin Linux version exhibits a targeted and advanced strategy that particularly targets virtualized systems.

Qilin, a mythical creature in Chinese folklore, has taken its name seriously in the cyber realm, wreaking havoc on Linux-based systems. The malware, as detailed in reports from leading cybersecurity sources like Bleeping Computer and Linux Security, has honed in on VMware ESXi, a widely used virtualization platform.

The Qilin ransomware has raised concerns due to its ability to compromise the core infrastructure of organizations. VMware ESXi, being a popular choice for virtualization in data centers, has become a prime target. The attackers employ advanced techniques to exploit vulnerabilities in ESXi servers, encrypting critical data and demanding a ransom for its release.

GridinSoft, a cybersecurity company, has provided insights into the modus operandi of Qilin. Their analysis reveals the ransomware's deliberate focus on virtual machines, particularly those hosted on VMware ESXi. The attackers leverage vulnerabilities in ESXi versions, emphasizing the need for organizations to update and patch their systems promptly.

The cybersecurity community is actively collaborating to understand and counter the Qilin threat. As organizations scramble to bolster their defenses, it's crucial to stay informed about the evolving nature of the ransomware landscape. Constant vigilance, regular updates, and a robust backup strategy are imperative to mitigate the risks associated with Qilin and similar cyber threats.

Although the Qilin ransomware is a significant concern, it also highlights the larger problem of how constantly changing cyberthreats are. According to a cybersecurity expert, "attackers are getting more skilled at focusing on critical infrastructure, and the landscape of cyber threats is dynamic.To protect against such harmful operations, cybersecurity measures that are proactive and vigilant are vital."

The Qilin ransomware, which was first discovered to target VMware ESXi, is a clear reminder of how sophisticated cyber threats are getting. To strengthen their defenses against such powerful adversaries, organizations must prioritize cybersecurity procedures, such as patch management, regular upgrades, and reliable backup plans.
Read more »
US Government
Chinese Actors Cyber Attacks Energy sector FBI FBI notification LNG Russian Hackers US Government

FBI Warns Energy Sectors: Chinese and Russian Hackers may Actively Target Energy Sector


According to a recent notification sent by the FBI to the energy industry changes in the global energy supply will most probably result in an increase in the number of Chinese and Russian hackers attacking significant energy infrastructure.   

The notification, released on Thursday, lists several contributing causes, including rising LNG exports from the United States, shifts in the global crude oil supply chain favoring the United States, continued Western pressure on Russia's energy supply, and China's reliance on imported oil. 

The alert, however, did not mention any particular advanced persistent threat (APT) group linked with China or Russia, nor did it cite any cybersecurity incident targeting critical infrastructure. Instead, it makes general mention of how appealing U.S. networks are to foreign hackers and cautions recipients that Chinese and Russian hackers are always looking to examine important systems and improve their capabilities to exploit vulnerabilities they find.

According to Brian Harrell, former assistant secretary for infrastructure protection at the Department of Homeland Security and now an energy sector executive, “Utilities see probing and low-level attempted attacks every day by the Russians and PRC.”

These low-profile attacks help hackers to get an insight into the important aspects of specific systems like where a target has open ports or determine potential firewall restrictions. “China doesn’t make a lot of noise, but the small localized intrusions are helping build their network attack capabilities, likely for future use[…]There’s no doubt that the energy sector is on the front lines of malicious cyber-activity right now as China preps the battlefield,” Harrell added.

As the notification suggests, Chinese hackers have exploited certain US entities by conducting “post-exploitation activity with generic reconnaissance commands using ‘live off the land’ tools.”

“Living off the land,” certainly means an attacker is exploiting tools or features that are already present in the target environment. For instance, sneaky varieties of ransomware like WannaCry and LockBit have covered their tracks and survived inside a network by using a default Windows binary, an existing piece of operating system code. 

The warning states that state-backed Chinese hackers have been targeting common vulnerabilities since 2020, in order to, “target US and allied networks and software/hardware companies to steal intellectual property and develop access into sensitive networks to include critical infrastructure, defense industrial base sectors, and private sector organizations.”

However, the FBI declined to comment on the notification.

The notification further highlights how the Russian invasion of Ukraine altered the world's energy supply chain, citing Western sanctions as a "significant driver" of recent changes in the LNG supply chain. According to the notification, the modification will probably lead to an increase in Russian hackers' targeting of the American energy sector.

In 2022, 74% of Europe’s LNG imports originated in the U.S. the notification said, noting that the US was able to meet European LNG demand. 

It also added that since 2016, Russian hackers have targeted state agencies and several US-based critical infrastructure sectors by, “staging targets networks as pivot points and malware repositories when targeting their final intended victims.”

Read more »
Unauthorized access
Chinese Actors Command and Control(C2) Data Breach Firewalls Multi-factor authentication Ransomware Attacks. Sensitive data Software Unauthorized access

XWorm Malware Exploits Critical Follina Vulnerability in New Attacks

Security researchers have identified a new wave of attacks using the XWorm malware that exploits the Follina vulnerability. XWorm is a remote access trojan (RAT) that has been previously linked to state-sponsored Chinese hacking groups. The Follina vulnerability is a critical vulnerability in Microsoft Windows systems that was first disclosed in 2022.

The XWorm malware uses Follina to spread across networks and exfiltrate sensitive information. The malware can also open a backdoor to allow attackers to gain remote access to compromised systems. The attacks have been observed targeting a range of organizations in different sectors, including finance, healthcare, and government.

According to security experts, the XWorm malware is particularly dangerous because it can bypass traditional security measures. The malware can evade detection by anti-virus software and firewalls, making it difficult to detect and remove. Moreover, the Follina vulnerability is easily exploitable, and attackers can use it to gain access to vulnerable systems with minimal effort.

The XWorm malware is usually delivered through phishing emails or through exploit kits. Once a user clicks on a malicious link or opens a malicious attachment, the malware is installed on the victim's system. The malware then establishes communication with a command and control (C&C) server, allowing attackers to remotely control the infected machine.

To protect against the XWorm malware, security experts recommend that organizations apply the latest security patches and updates to their operating systems. They also advise users to be cautious when opening emails and attachments from unknown sources. Additionally, organizations should implement multi-factor authentication, network segmentation, and strong password policies to reduce the risk of unauthorized access.

The XWorm malware is a potent threat that exploits the Follina vulnerability to spread across networks and steal sensitive data. Organizations need to remain vigilant and take appropriate measures to protect their systems and data from such attacks.
Read more »
Vulnerabilities and Exploits
Chinese Actors Deepfake Phishing Attacks Sensitive data Software Vulnerabilities and Exploits

Deepfake Apps Remain Popular in China Despite Crackdown

The Chinese government has recently launched a crackdown on deepfakes, a type of synthetic media that involves manipulating images, videos, or audio to make them appear to be real. Despite these efforts, however, several Chinese apps that utilize deepfakes are finding a large audience in the country.

Deepfakes have become a significant concern in recent years due to their potential to spread misinformation and manipulate public opinion. Cybersecurity experts warn that deepfakes can be used for nefarious purposes such as identity theft, fraud, and even political propaganda.

China's new laws aim to prevent the spread of false information and improve cybersecurity. However, the government's efforts have not deterred developers from creating deepfake apps that remain popular among Chinese consumers. These apps allow users to create deepfake videos and images with ease, making it possible to manipulate content in ways that were previously impossible.

While these apps are designed to be entertaining and harmless, they can pose significant risks to personal privacy and security. Deepfake technology is becoming increasingly advanced, and it is becoming more difficult to distinguish between real and fake content.

To protect themselves, users should exercise caution when using deepfake apps and be aware of the potential risks. They should also ensure that they are downloading apps from reputable sources and regularly update their devices to the latest software version to mitigate any vulnerabilities.

The proliferation of deepfake apps highlights the importance of continued vigilance in the fight against cyber threats. Governments, organizations, and individuals must work together to stay ahead of evolving threats and take steps to mitigate risks.

China's crackdown on deepfakes has not stopped the popularity of deepfake apps in the country. Cybersecurity experts warn that these apps can pose significant risks to personal privacy and security, and users should exercise caution when using them. The continued proliferation of deepfakes emphasizes the importance of continued vigilance in the fight against cyber threats.

Read more »
Subscribe to: Comments (Atom)