Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Chinese Cyber Threat. Show all posts
WInnti Hackers
Chinese Cyber Threat Cyber Attacks CyberCrime Cyberhackers Cybersecurity CyberThreat Glutton PHP Backdoors WInnti Hackers

Rising Tactics of Winnti Hackers Include Deploying Glutton PHP Backdoors

 


In the past few months, researchers at a Chinese cybersecurity firm have been responsible for the discovery of an advanced PHP backdoor that supports Winnti, a group linked to Chinese cybercrime that is launching increasingly sophisticated attacks. Research has been conducted into the use of a PHP-based backdoor called Glutton, which has been used by cyber criminals to target China, Japan, the Republic of Korea, Cambodia, Pakistan, and South Africa through cyber attacks. 

As early as late April 2024, the Chinese nation-state group set up by Winnti (aka APT41), which has roots in North Korea, discovered malicious activity in a network from the Chinese nation-state group Chongqing Henchmen. The company also disclosed that its investigation revealed that Glutton's creators deliberately targeted systems within the cybercrime market with their tools to create malware. They poisoned operations intending to turn cybercriminals' tools against them, similar to the classic scenario from the movie.

The Winnti hacking group, sometimes referred to as APT41 is a notorious state-sponsored group known for conducting cyber espionage and financial fraud campaigns on behalf of the Chinese government. When the group appeared on the scene in 2012, it focused mostly on organizations involved in gaming, pharmaceuticals, and telecommunications, though it also attacked political organizations and government agencies. A modular backdoor made up of ELF modules, Glotto provides flexibility to craft tailored attacks to meet the attacker's specific needs. Several key components make up this malware: task_loader, which assesses the environment; init_task, which installs the backdoor; client_loader, which obfuscates the application; and client_task, which manages PHP backdoor operations and communicates with the command-and-control (C2) server. 

Through fileless execution, the malware runs entirely within PHP or PHP-FPM processes and injects malicious code into PHP files within popular frameworks such as ThinkPHP, Yii, Laravel, and Dedecms, thereby achieving stealth. Glutton maintains persistence in the system by modifying system files including those in the init[.]d network section and those in the Baota panel, allowing it to steal credentials and maintain a foothold on the system. 

By using a modular approach to code, Glutton can function without leaving traditional digital footprints behind, because all code execution is carried out within PHP, and there is a feature called PHP-FPM (FastCGI) that is used to optimize PHP process handling on web servers, which ensures that no files are left behind and that the backdoor remains undetected until it is discovered.  There are several PHP frameworks that Glutton can exploit to extract data or inject malicious code into widely used PHP frameworks, including Baota, ThinkPHP, Yii, and Laravel, when deployed with Glutton. 

It was in December 2023, when researchers traced the unusual activity to an IP address that was distributing a backdoor which targeted Unix-like operating systems, also commonly known as ELF-based malware, that researchers first discovered that Glutton was a backdoor. Further research revealed that the ELF-based malware also contained a malicious PHP file. Researchers uncovered a network of malicious PHP payloads connected to a network of malicious PHP payloads, revealing a complex attack infrastructure.

Researchers have indicated that the malware has a connection with Winnti’s historical activities, but they point out that there are several shortcomings when it comes to stealth and execution, which are uncharacteristically underwhelming for an APT group. Even though Winnti's behaviour normally does not include plaintext PHP samples and simplistic C2 communication protocols, the researchers believe that Winnti is the one responsible for the malware with some degree of confidence. The researchers also pointed out that Winnti "deliberately targeted systems within the cybercrime market" to spread the malware to as many targets as possible.

According to XLab researchers, Winnti "deliberately targeted systems within the cybercrime market" to help spread its virus as far as possible, but that was not the case.  Recent research has consistently shown that threat actors piggyback on each other’s infrastructure to exploit their vulnerabilities. In a report published by Microsoft, it was found that Turla, an APT group linked to the Russian government, has been running its operations using infrastructure previously set up by other APT groups or cybercriminals. 

In addition to being a fully functional backdoor, the PHP backdoor is also able to execute 22 unique commands, including switching C2 connections to UDP from TCP, launching a shell, downloading and uploading files, performing file and directory operations, and running arbitrary PHP code. Additionally, this framework provides the ability to periodically poll the C2 server for more PHP payloads, allowing for the retrieval and execution of more PHP payloads. According to XLab, these payloads are highly modular, capable of being executed independently by the payload module or sequentially by the task_loader module, providing a comprehensive framework to execute attacks, independently. 

There is no file payload left behind, ensuring no files or data are left behind after code execution, which ensures a completely stealthy footprint since all the code is executed within PHP or PHP-FPM (FastCGI) processes. In addition to this, HackBrowserData is also being used by cybercrime operators to steal sensitive information to inform future phishing or social engineering campaigns in the future. This tool can be used on any system used by a cybercriminal to steal sensitive information.
Read more »
T-Mobile
Chinese Cyber Threat CISA Cyber Crime cyber espionage Cyber Hackers Cyber Threats CyberCrime Cybersecurity Seerver T-Mobile

T-Mobile System Intrusion Tied to Chinese Cyber Threat

 


T-Mobile Corporation has confirmed that it has been a victim of cyber-espionage campaigns launched against telecom companies for a long time. T-Mobile is the latest telecommunications company to report being affected by a large-scale cyber-espionage campaign waged by state-sponsored hackers in China. 

There has been some confusion as to whether the breach involves customer data or critical systems. However, T-Mobile has maintained that there has been no significant impact on its customers' data and critical systems. This breach is part of a larger attack on major telecom providers, raising questions regarding the security of critical communications infrastructure around the world. 

It has been reported that the FBI and CISA are pursuing investigations into a massive cyber-espionage campaign perpetrated by Chinese-linked threat actors that targeted U.S. telecommunications, stealing call records and accessing private communications of government officials and political figures by compromising networks. 

It was confirmed by the USA intelligence agencies that Chinese threats had penetrated the private communications of a "limited number" of government officials after several U.S. broadband providers had been compromised. 

A cyber spy stole personal information belonging to the targeted individuals, according to court orders, which were subject to a search warrant by the United States government to gather that information. This attack was conducted by an intrusion team targeting the World Expo scheduled to take place in Osaka, Japan in 2025, as a lure for the intrusion team, according to ESET's APT Activity Report for the period between April and September 2024.

MirrorFace continues to capture the attention of Japanese people and events, despite this new geographical target, proving their dedication to Japan and its related events. MirrorFace, as well as Earth Kasha, is one of the clusters categorized under an umbrella group called APT10, which includes other clusters classified under Earth Tengshe and Bronze Starlight, as well. 

At least since 2018, the company has been targeting Japanese organizations, although its operations have been further expanded to include Taiwan and India with a new campaign observed in early 2023, albeit it is still focused on the Japanese market. During the hacking crew's history, it has evolved from a few backdoor programs, namely ANEL (a.k.a. Uppercut), LODEINFO, and NOOPDOOR (also known as HiddenFace), to an arsenal of infections, which now consists of backdoors and credential thieves, such as MirrorStealer and ANEL. 

Having said that, it's important to note that T-Mobile's cybersecurity practice has recently been subjected to massive criticism since it's experienced a lot of data breaches in recent years. It was part of the company's settlement with the FCC of $31.5 million for previous breaches, of which half was for an improvement of the security infrastructure. The data breaches that have repeatedly targeted T-Mobile, which is owned by Deutsche Telekom Corporation, have been one of the most challenging aspects of the company's recent history. 

According to the company, back in August 2021, 49 million T-Mobile account holders were affected by the data breach, but the hackers claimed that they had stolen data from 100 million users on the network. According to T-Mobile, it is actively monitoring the situation and is working closely with government officials to investigate the breach to prevent any further issues from occurring. Currently, there is no evidence that the company's systems have hurt the privacy, security, or functionality of its customers, but the firm maintains that no harm has been caused. 

The company is paying close attention to this industry-wide attack that is affecting the entire industry. Quite to the contrary, due to the security controls in our network structure, and the diligent monitoring and response of our systems, T-Mobile has not witnessed any significant impact on its data or systems. As far as we are aware, no evidence has been found that the company's customer or other sensitive information has been accessed or exfiltrated as other companies may have done. 

The situation will be closely monitored by industry peers as well as the relevant authorities, and we will work with them to resolve it.” A recent incident at T-Mobile has come at a time when the company is expanding its cyber-security practices to combat these threats. In February of this year, the company settled a $31.5 million lawsuit with the Federal Communications Commission, more than half of which was devoted to improving security infrastructure as a result of its prior breaches. 

The T-Mobile Security breach is a prime example of the unique challenges that face the telecommunications sector, which is classified as critical infrastructure under federal law because of its importance to the nation. As an upstream provider of information and communications, telecommunications companies play a vital role in healthcare, government, and the private sector, allowing everything from emergency services to business transactions to personal connectivity to take place. 

Therefore, these networks are prime targets for state-sponsored cyber campaigns that seek to exploit their role in facilitating sensitive communications by exploiting their vulnerability to state-sponsored cyber campaigns. There has been a shift in how cyber-espionage tactics have been used over the past few years twhichis disturbing. Attackers like Salt Typhoon take advantage of wiretap systems and sensitive communication channels to steal data and compromise the integrity of systems and networks vital to national security efforts. 

As part of a new analysis published on November 19, 2024, Trend Micro discovered that the MirrorFace actor was using the vulnerability of Array AG (CVE-2023-45727), Proself (CVE-2023-45727) and FortiOS/FortiProxy (CVE-2023-45727) for the initial access of its public-facing enterprise products, which enabled the MirrorFace attacker to access the products. It has been reported that they had installed several backdoors within the victim's network after gaining access to achieve persistence on the network," said security researcher Hara Hiroaki. Among these are the 'Cobalt Strike' and 'LODEINFO' programs, as well as the 'NOOPDOOR' program that was discovered last year. 

A sophisticated and complex implant like NOOPDOOR can be decrypted and launched using a shellcode loader named NOOPLDR to install it on the system. It includes built-in functions, in addition to modules that enable the uploading and downloading of files, the running of additional programs, and the communication with a server controlled by an attacker either actively or passively. As a result, Hiroaki noted, both active and passive modes, for the most part, use different encryption algorithms, as well as backdoor commands, respectively, which means that the channels can't be accessed by one another and are completely independent of one another.
Read more »
Subscribe to: Posts (Atom)