
Chinese Hackers Exploit Unpatched Fortinet Zero-Day Vulnerability


A Chinese state-sponsored actor has been exploiting an unpatched, publicly undisclosed Fortinet vulnerability, even though the flaw was reported to the vendor in July.

Volexity, a threat intelligence vendor, published research earlier this week describing a new zero-day flaw, one without a CVE designation at the time of publication, that allowed a Chinese state-sponsored actor it tracks as "BrazenBamboo" to steal credentials from Fortinet's Windows VPN client, FortiClient.

Perhaps most notably, Volexity stated that it disclosed the issue to Fortinet on July 18, with the latter acknowledging the report on July 24. "At the time of writing, this issue remains unresolved, and Volexity is not aware of an assigned CVE number," Volexity researchers Callum Roxan, Charlie Gardner, and Paul Rascagneres said in the blog post. 

Volexity's report does not describe the flaw in technical detail; the researchers characterise it only as a "zero-day credential disclosure flaw in Fortinet's Windows VPN client that allowed credentials to be stolen from the memory of the client's process." The blog also provides YARA rules, indicators of compromise, and an in-depth look at BrazenBamboo's "Deepdata" post-exploitation tool, which was used in the activity exploiting the vulnerability.

Roxan, Gardner, and Rascagneres said that their investigation began with the identification of an archive file associated with BrazenBamboo, which they were able to link to a known Chinese advanced persistent threat (APT) group. The archive contained files belonging to the Windows malware families "Deepdata" and "Deeppost," as well as a Windows variant of the LightSpy malware.

Deepdata, according to Volexity, is a modular utility for Windows that "facilitates the collection of private data from a compromised system"; it requires the operator to already have command-line access to the target device, and consists of a loader and a virtual file system. Deeppost is a post-exploitation data exfiltration program that transfers files to a remote system. The researchers discovered the Fortinet zero-day after finding a FortiClient plugin inside Deepdata.

"DEEPDATA supports a wide range of functionality to extract data from victims' systems. The observed functionality of several plugins is commonly seen and includes items typically stolen from victim systems," researchers explained. "However, Volexity noted the FortiClient plugin was uncommon and investigated it further. Volexity found the FortiClient plugin was included through a library with the filename msenvico.dll. This plugin was found to exploit a zero-day vulnerability in the Fortinet VPN client on Windows that allows it to extract the credentials for the user from memory of the client's process."

The researchers further stated that "the FortiClient plugin looks for the username, password, remote gateway, and port from two different JSON objects in memory." Because the plugin reads these values out of the process memory of a client on a host the attacker already controls, the flaw extends an existing foothold into the VPN rather than providing initial access. LightSpy, meanwhile, is surveillance malware previously linked to campaigns targeting Hong Kong citizens; it has generally been seen on Android, iOS, and macOS, so Volexity's recovery of a Windows build is noteworthy.
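The exposure described above, plaintext login material sitting in a client's process memory as JSON, is something a defender can check for in their own VPN client with a memory dump and a scanner. The following is an added example, not Volexity's code and not the DEEPDATA plugin: it walks a raw memory image, decodes JSON objects stored as ASCII or UTF-16LE (the latter being how Windows programs often hold strings), and reports which credential fields are recoverable and where. The field names `username`, `password`, `remote_gateway` and `port` are assumptions, since the report names the four values but not the client's actual JSON keys; the memory image is constructed inline.

```python
"""Scan a raw process memory image for JSON objects that carry VPN credentials.

Added example for checking whether a client keeps login material as plaintext
JSON in memory; not Volexity's code and not the DEEPDATA plugin. The key names
below are assumptions: the report only says the plugin looks for the username,
password, remote gateway and port in two JSON objects.
"""
import json

# Assumed field names; the client's real JSON keys are not given in the report.
CREDENTIAL_KEYS = {"username", "password", "remote_gateway", "port"}

# Constructed sample image: filler, a stray brace, one ASCII JSON object, one
# UTF-16LE JSON object, an unrelated nested object and some high bytes that
# must not confuse the scanner.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"{not json at all"
    + b'{"remote_gateway": "vpn.example.invalid", "port": 443}'
    + b"\x90" * 8
    + '{"username": "jdoe", "password": "hunter2"}'.encode("utf-16-le")
    + b'{"theme": {"color": "dark"}}'
    + b"\xff" * 16
)


def iter_json_objects(blob: bytes):
    """Yield (byte_offset, encoding, obj) for every JSON object decodable from blob.

    Decodes the image as ASCII and as UTF-16LE at both byte alignments. Bytes
    that are invalid in the encoding become U+FFFD, which can never appear in
    well-formed JSON, so binary noise acts as a natural delimiter.
    """
    decoder = json.JSONDecoder()
    for encoding, width in (("ascii", 1), ("utf-16-le", 2)):
        for shift in range(width):
            text = blob[shift:].decode(encoding, errors="replace")
            pos = 0
            while (start := text.find("{", pos)) != -1:
                try:
                    obj, end = decoder.raw_decode(text, start)
                except json.JSONDecodeError:
                    pos = start + 1  # stray brace: step past it
                    continue
                if isinstance(obj, dict):
                    yield start * width + shift, encoding, obj
                pos = end  # skip braces nested inside the object just decoded


def scan_for_credentials(blob: bytes) -> list:
    """One finding per JSON object carrying credential-looking keys.

    Values are deliberately not returned: a triage tool should report that
    secrets sit in memory, not copy them around.
    """
    findings = []
    for offset, encoding, obj in iter_json_objects(blob):
        hit = sorted(CREDENTIAL_KEYS & {str(k).lower() for k in obj})
        if hit:
            findings.append({"offset": offset, "encoding": encoding, "keys": hit})
    return findings


def recovered_fields(findings: list) -> set:
    """Union of credential fields across all hits. The report describes the
    plugin assembling a login from two separate objects, so exposure is judged
    on the union rather than on any single object."""
    return {key for f in findings for key in f["keys"]}


if __name__ == "__main__":
    found = scan_for_credentials(SAMPLE_IMAGE)
    for f in found:
        print(f"offset 0x{f['offset']:04x} ({f['encoding']}): {', '.join(f['keys'])}")
    missing = CREDENTIAL_KEYS - recovered_fields(found)
    print("complete VPN login recoverable from memory" if not missing
          else f"partial exposure, missing: {sorted(missing)}")
```

To run it against a real client, replace `SAMPLE_IMAGE` with the bytes of a process dump taken while the client is connected; a full set of fields in the output means the same material the plugin harvests is available to anything that can read that process.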

Chinese Threat Actors Leveraging 'Noodle RAT' Backdoor


An Executable and Linkable Format (ELF) backdoor used by Chinese-speaking threat actors has been misclassified as a variant of existing malware for years, Trend Micro said in a recent analysis.

In "Noodle RAT: Reviewing the New Backdoor utilised by Chinese-Speaking Groups", a blog post based on a Botconf 2024 presentation, Trend Micro Research documented Noodle RAT, a remote access trojan used by Chinese-speaking groups engaged in espionage or cybercrime.

Noodle RAT, also known as ANGRYREBEL or Nood RAT, has been active since at least 2018, but was consistently classified as a variant of an existing malware strain such as Gh0st RAT or Rekoobe.

“For instance, NCC Group released a report on a variant of Gh0st RAT used by Iron Tiger in 2018. Talos released a report on an ELF backdoor used by Rocke (aka Iron Cybercrime Group) in 2018. Sophos released a report on a Linux version of the Gh0st RAT variant used in the Cloud Snooper Campaign in 2018. Positive Technology Security released a report on Calypso RAT used by Calypso APT in 2019,” noted Trend Micro. 

Trend Micro's threat intelligence team found that the ELF backdoor described in these reports was in fact a distinct malware family, which it named Noodle RAT.

Noodle RAT: New Malware Strain

Since 2020, the researchers report, espionage campaigns using Noodle RAT have targeted Thailand, India, Japan, Malaysia, and Taiwan.

The Windows version of Noodle RAT has several links to Gh0st RAT, a malware strain developed by the C. Rufus Security Team in China whose source became public in 2008. Win.NOODLERAT and Gh0st RAT share plugins, and the former uses a packet encryption scheme similar to that of several Gh0st RAT variants, including Gh0stCringe, HiddenGh0st, and Gh0stTimes.

The rest of the Win.NOODLERAT code, however, shows no overlap with Gh0st RAT, leading Trend Micro to conclude that only the plugins were reused and that the backdoor itself is a different codebase.

Similarly, parts of Linux.NOODLERAT's code are identical to Rekoobe v2018, a backdoor built on Tiny SHell (tsh), whose source code is freely available on GitHub. Specifically, both use the same reverse shell and process name spoofing techniques.

“Still, since the rest of the code of Linux.NOODLERAT is totally different from any version of Rekoobe or Tiny SHell, we can conclude that Linux.NOODLERAT should be classified as another malware family,” Trend Micro concluded.
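Process name spoofing of the tsh/Rekoobe kind works by rewriting the name a process presents through argv[0] and the comm field, while the kernel-maintained /proc/PID/exe link still points at the real binary. The check below is an added example of using that disagreement as a detection signal; it is not Trend Micro's code and not derived from the malware. The filesystem lookups are injectable so the logic can be exercised on constructed process records, and the sample records (paths, names) are invented for the example.

```python
"""Flag Linux processes whose presented name disagrees with the binary they run.

Added example for detecting tsh/Rekoobe-style process name spoofing; not Trend
Micro's or the malware's code. Linux keeps three views of a process name:
/proc/PID/comm (changeable with prctl(PR_SET_NAME)), argv[0] from
/proc/PID/cmdline (rewritable by the process itself) and the /proc/PID/exe
link (set by the kernel at execve and not forgeable from userspace).
"""
import os

STRONG, WEAK = "strong", "weak"


def spoof_indicators(comm, cmdline, exe, resolve=os.path.realpath, exists=os.path.exists):
    """Return (severity, reason) pairs for one process.

    exe is the readlink() result of /proc/PID/exe, or None when the link does
    not exist (kernel threads). resolve/exists default to the live filesystem
    and are injectable for offline testing on constructed records.
    """
    findings = []
    if exe is None:
        # Kernel threads have no exe link and an empty cmdline; a userspace
        # process with a cmdline but no exe is not something normal code does.
        if cmdline:
            findings.append((STRONG, "cmdline present but /proc/PID/exe does not exist"))
        return findings
    if exe.endswith(" (deleted)"):
        exe = exe[: -len(" (deleted)")]
        findings.append((STRONG, f"running binary {exe} was deleted from disk"))
    exe_base = os.path.basename(exe)
    argv0 = cmdline[0] if cmdline else ""
    argv0_base = os.path.basename(argv0)
    if argv0.startswith("[") and argv0.endswith("]"):
        # Only kernel threads show bracketed names, and they never reach here.
        findings.append((STRONG, f"argv[0] {argv0!r} imitates a kernel thread but exe is {exe}"))
    elif os.path.isabs(argv0):
        # The process claims a concrete path; it must be the file actually mapped.
        if not exists(argv0):
            findings.append((STRONG, f"argv[0] {argv0} does not exist on disk"))
        elif resolve(argv0) != exe:
            findings.append((STRONG, f"argv[0] {argv0} resolves to {resolve(argv0)}, not {exe}"))
    elif argv0_base and not argv0_base.startswith(exe_base) and not exe_base.startswith(argv0_base):
        # Bare name that differs from the binary: often a symlink alias
        # (sh -> dash, busybox applets), so only a weak signal on its own.
        findings.append((WEAK, f"argv[0] {argv0!r} differs from exe basename {exe_base!r}"))
    if comm != exe_base[:15] and comm != argv0_base[:15]:
        # comm is the exec'd filename truncated to 15 chars; a script run via a
        # shebang keeps the script name, so treat a mismatch as weak.
        findings.append((WEAK, f"comm {comm!r} matches neither exe nor argv[0]"))
    return findings


def scan_proc(proc: str = "/proc") -> dict:
    """Walk a live /proc and return {pid: indicators} for processes with any."""
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().rstrip("\n")
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = [a.decode(errors="replace") for a in fh.read().split(b"\0")[:-1]]
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except FileNotFoundError:
                exe = None  # kernel thread: no exe link at all
        except OSError:
            continue  # process exited mid-scan, or not ours to read without root
        indicators = spoof_indicators(comm, cmdline, exe)
        if indicators:
            report[int(pid)] = indicators
    return report


if __name__ == "__main__":
    for pid, found in sorted(scan_proc().items()):
        for severity, reason in found:
            print(f"{pid:>7} {severity:6} {reason}")
```

Run it as root so that every process's exe link is readable; processes whose exe link cannot be read are skipped rather than reported. Strong indicators (deleted binary, fake kernel-thread name, an absolute argv[0] that does not resolve to the mapped file) are worth an immediate look; weak ones are expected noise from symlinked shells and interpreted scripts and are useful mainly in combination.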

Indian Authorities Probe Data Breach Concerns Involving PMO and EPFO


The Open-Source Intelligence (OSINT) team at India Today reviewed leaked data indicating that a Chinese state-affiliated hacker group targeted major Indian government offices, including the "PMO" (presumably the Prime Minister's Office), as well as companies such as Reliance Industries Limited and Air India.

Over the weekend, thousands of files, images, and chat messages relating to I-Soon, a company claimed to be a cybersecurity contractor for China's Ministry of Public Security (MPS), were anonymously posted to GitHub.

The leak reveals a complex network of covert intrusions, spyware operations, and surveillance by operators linked to the Chinese government.

A machine-translated version of the leaked internal documents, originally written in Chinese, shows the operators documenting their techniques, targets, and exploits. Targets included the North Atlantic Treaty Organisation (NATO), an intergovernmental military alliance, European governments and organisations, and Beijing's partners such as Pakistan.

Indian targets 

The leaked data names Indian targets such as the Ministry of Finance, the Ministry of External Affairs, and the "Presidential Ministry of the Interior," likely a mistranslated reference to the Ministry of Home Affairs.

At the height of India-China border tensions, the documents claim, 5.49GB of data was taken from various offices of the "Presidential Ministry of the Interior" between May 2021 and October 2021.

"In India, the primary work goals are the ministries of foreign affairs, finance, and other key departments. We continue to monitor this sector closely and want to capitalise on its potential in the long run," reads the translated India section of what appears to be an internal report prepared by iSoon. 

User data for the state-run pension fund management, the Employees' Provident Fund Organisation (EPFO), the state telecom provider Bharat Sanchar Nigam Limited (BSNL), and the private healthcare chain Apollo Hospitals were also allegedly compromised. 

The leaked documents also refer to roughly 95GB of Indian immigration data from 2020, described as "entry and exit points data". Notably, India-China relations deteriorated further after the 2020 clash in the Galwan Valley.

"India has always been a major emphasis for the Chinese APT side of things. The stolen data inevitably covers quite a few Indian organisations, including Apollo Hospital, persons coming in and out of the nation in 2020, the Prime Minister's Office, and population figures," said Taiwanese researcher Azaka, who first surfaced the GitHub leak.

This is not the first time China has been blamed for cyberattacks on India: hackers linked to China were reported to have targeted seven Indian power hubs in 2022, and threat actors attempted to breach India's power grid in 2021 as well.

US House Panel Launches Probe Into China's US Gov Email Hack


The U.S. House of Representatives Oversight Committee said on Wednesday that it is investigating the recent email system intrusions at the Commerce and State departments, in which China may have been involved.

Representative James Comer, chair of the committee, and the heads of two subcommittees requested staff briefings from Secretary of State Antony Blinken and Commerce Secretary Gina Raimondo by August 9.

"We are also concerned that this attack on federal agencies, including the email account of a senior U.S. government official such as yourself, reflects a new level of skill and sophistication from China's hackers," the lawmakers wrote to Raimondo.

A person with knowledge of the incident said Raimondo was one of several senior U.S. officials whose emails were stolen earlier this year by a group that Microsoft assessed to be based in China.

The disclosure last month that Chinese hackers had obtained the emails of senior State and Commerce department officials caused an uproar amid rising tensions between Beijing and Washington on issues ranging from trade to Taiwan.

At least 20 other organisations were also affected, though the full extent of the breach is unclear. The Wall Street Journal reported last month that the account of Daniel Kritenbrink, the assistant secretary of state for East Asia, was among those accessed.

Hundreds of thousands of emails were reportedly stolen in total, The Journal reported. 

Despite the hacking allegations, Raimondo said last month that she still intended to travel to China this year. While the trip was still being planned, she told CNBC, "We do not justify any hacking or breach of our security."

The Chinese embassy in Washington previously issued a statement in which it acknowledged the difficulty of determining the source of cyberattacks and issued a warning against making "groundless speculations and allegations."

Multiple Chinese Hacker Outfits are Targeting Organisations Worldwide


Western intelligence services and cybersecurity firms have recently identified several Chinese hacking groups, said to be behind global digital-espionage campaigns directed at corporations, media outlets, and international business and military institutions.

Chinese officials have consistently denied any involvement in state-sponsored hacking, despite cybersecurity firms' assessments that many of these teams are backed by the Chinese government. Beijing counters that China is itself a frequent target of cyberattacks and has called the United States an "empire of hacking."

Here are several widely recognised hacking groups attributed to China.

STORM-0558 

Since May, Chinese hackers are alleged to have accessed the email accounts of roughly 25 organisations, including U.S. government agencies, through Microsoft's cloud email services.

According to multiple reports, the compromised accounts included those of Gina Raimondo, the U.S. secretary of commerce, Nicholas Burns, the ambassador to China, and Daniel Kritenbrink, the assistant secretary of state for East Asia.

Microsoft said that a Chinese actor it tracks as Storm-0558 obtained one of its account signing keys, used it to forge authentication tokens, and exploited a token-validation flaw that caused those tokens to be accepted for enterprise mailboxes. The Chinese embassy in Washington denied the claims and warned against making unfounded accusations about the origin of cyber attacks.
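The bug class behind that account, a signing key honoured outside the trust domain it was issued for, can be shown with a small token verifier. The following is an added illustration, not Microsoft's code: a verifier that checks only the signature against every key it knows beside one that also binds each key to its issuer and checks issuer, audience and expiry. The key store, issuer URLs and claim names are constructed for the example, and HS256 via the standard library stands in for the RSA keys of the real incident, since the scoping check is the same.

```python
"""Key-scope confusion in token validation.

Added illustration, not Microsoft's code. A verifier that accepts a signature
from any key it knows, without checking which issuer that key is bound to,
lets a token minted with a key from one trust domain be accepted by a service
that should only honour another. HS256 with the standard library stands in
for RSA signing; the scoping logic is the same. Key store, issuer URLs and
claim names below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time

TENANT_ISSUER = "https://login.enterprise.example/contoso"  # constructed
CONSUMER_ISSUER = "https://login.consumer.example"           # constructed
MAILBOX_AUDIENCE = "api://enterprise-mail"                   # constructed

# Each signing key is bound to the one issuer it is allowed to speak for.
KEYS = {
    "consumer-key-1": {"secret": b"consumer-signing-secret", "issuer": CONSUMER_ISSUER},
    "tenant-key-7": {"secret": b"tenant-signing-secret", "issuer": TENANT_ISSUER},
}


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(kid: str, claims: dict) -> str:
    """Mint a token with the named key. The signer chooses every claim,
    including iss, so a valid signature alone proves nothing about the issuer."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(mac)


def _parse(token: str):
    head, body, sig = token.split(".")
    return json.loads(_unb64u(head)), json.loads(_unb64u(body)), (head + "." + body).encode(), _unb64u(sig)


def _mac_ok(key: dict, signing_input: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key["secret"], signing_input, hashlib.sha256).digest(), sig)


def verify_vulnerable(token: str) -> dict:
    """Signature-only check against the union of all known keys: a valid MAC
    from the consumer key is indistinguishable here from one by the tenant key."""
    header, claims, signing_input, sig = _parse(token)
    if not _mac_ok(KEYS[header["kid"]], signing_input, sig):
        raise ValueError("bad signature")
    return claims


def verify_hardened(token: str, expected_issuer: str, expected_audience: str, now: float = None) -> dict:
    """Signature plus key scope: the key must be bound to the issuer the token
    names, that issuer must be the one this service trusts, and audience and
    expiry must match. Unknown kid or unexpected alg is rejected outright."""
    header, claims, signing_input, sig = _parse(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    if not _mac_ok(key, signing_input, sig):
        raise ValueError("bad signature")
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer not trusted by this service")
    if key["issuer"] != claims["iss"]:
        raise ValueError("signing key is not bound to the claimed issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    if float(claims.get("exp", 0)) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def forged_token(now: float) -> str:
    """Attacker holds only the consumer key but writes the tenant's issuer into the claims."""
    return sign("consumer-key-1", {"iss": TENANT_ISSUER, "aud": MAILBOX_AUDIENCE,
                                   "sub": "exec@contoso.example", "exp": now + 3600})


def demo(now: float = 1_700_000_000.0) -> tuple:
    """Return what each verifier makes of the forged token."""
    token = forged_token(now)
    weak = verify_vulnerable(token)["sub"]
    try:
        verify_hardened(token, TENANT_ISSUER, MAILBOX_AUDIENCE, now=now)
        hardened = "accepted"
    except ValueError as err:
        hardened = str(err)
    return weak, hardened


if __name__ == "__main__":
    print(demo())
```

The design point is that a key set is not one flat list: every key carries the issuer it may vouch for, and the verifier rejects a token whose `iss` claim does not match the scope of the key that signed it, even when the signature is perfectly valid.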

Volt Typhoon

On May 24, Microsoft and Western intelligence agencies accused Volt Typhoon, a state-sponsored group, of large-scale cyber-espionage against critical infrastructure organisations in the United States, including telecommunications and transportation hubs.

Reports described it as one of the largest known Chinese cyber-espionage campaigns against U.S. critical infrastructure. China's foreign ministry rejected the accusations.

APT 41 

APT 41, also known as Winnti, Double Dragon, and Amoeba, has carried out both state-backed intrusions and financially motivated breaches, according to US-based cybersecurity firms FireEye and Mandiant.

According to the US Secret Service, the group was involved in stealing tens of millions of dollars in COVID-19 relief benefits between 2020 and 2022. Taiwan-based cybersecurity firm TeamT5 has reported APT 41 targeting government, telecommunications, and media organisations in multiple countries and territories, including Japan, Taiwan, South Korea, the United States, and Hong Kong.

In September 2020 the U.S. Department of Justice unsealed charges against seven individuals it linked to APT 41 for intrusions into more than a hundred companies worldwide. Chinese authorities dismissed these reports as "groundless accusations."

APT 27 

Western intelligence agencies and cybersecurity experts accuse the Chinese hacking group APT 27, which they claim is state-sponsored, of carrying out several attacks on Western and Taiwanese government institutions.

When Nancy Pelosi, the speaker of the U.S. House of Representatives, visited Taiwan in 2022, a group calling itself APT 27 claimed responsibility for attacks on Taiwanese targets, describing them as a response to her disregard of China's warnings.

According to Mandiant, the group compromised the networks of at least six U.S. state governments between May 2021 and February 2022, and German authorities have blamed APT 27 for attacks on German pharmaceutical, technology, and other companies.

Webworm Hackers Deploy Modified RATs in Espionage Assaults to Target Government Entities


A Chinese threat actor tracked as Webworm has been linked to several Windows-based remote access trojans, some of which appear to still be in a testing phase.

Threat analysts from Symantec, part of Broadcom Software, said "the group has developed customized versions of three older remote access trojans (RATs), including Trochilus RAT, Gh0st RAT, and 9002 RAT."

At least one of the indicators of compromise (IOCs), the researchers said, was observed in an attack against an IT service provider operating in several Asian countries.

All three backdoors are mainly associated with Chinese threat actors such as Stone Panda (APT10), Aurora Panda (APT17), Emissary Panda (APT27), and Judgement Panda (APT31), though they have also been used by other groups.

Symantec said Webworm uses several techniques that overlap with other threat actors reported and analysed this year. In May, Positive Technologies described the group, which it tracks as Space Pirates, targeting entities in the Russian aerospace industry with novel malware.

The group is also associated with other Chinese threat actors tracked as Wicked Panda and Mustang Panda, which likewise rely on modular post-exploitation RATs and other malware such as ShadowPad.

Webworm has been operating since 2017 and has a track record of targeting government organisations and IT service, aerospace and electric-power companies in Russia, Georgia, Mongolia, and several other Asian countries.

The campaign uses a dropper that carries a loader for the modified Trochilus, Gh0st, and 9002 RATs. Most of the modifications are intended to evade detection tools.

"Webworm's use of customized versions of older, and in some cases open-source, malware, as well as code overlaps with the group known as Space Pirates, suggest that they may be the same threat group," the researchers added.

"However, the common use of these types of tools and the exchange of tools between groups in this region can obscure the traces of distinct threat groups, which is likely one of the reasons why this approach is adopted, another being cost, as developing sophisticated malware can be expensive in terms of both money and time."

Chinese Hacker Group Scarab Targets Ukrainian Systems, CERT-UA Warns


Ukraine's Computer Emergency Response Team (CERT-UA) last week published details of a malicious campaign it tracks as UAC-0026, which SentinelLabs has attributed to the China-linked Scarab APT.

Scarab APT was first documented in 2015 but is believed to have been active since at least 2012, conducting targeted attacks against organisations in several countries, including Russia and the United States.

The attackers target Ukrainian organisations with phishing messages carrying weaponised documents that deploy the HeaderTip malware. The messages contain a RAR archive titled "On the preservation of video recordings of the criminal actions of the army of the Russian Federation.rar", which holds an EXE file of the same name. The decoy document used in the campaign spotted by CERT-UA impersonates the National Police of Ukraine.

"Running the executable file will create a lure document '# 2163_02_33-2022.pdf' on the computer (appearing to be a letter from the National Police of Ukraine), as well as a DLL file with the MZ header 'officecleaner.dat' and the BAT file 'officecleaner.bat', which will ensure the formation of the correct DLL file, run it and write to the Windows registry to ensure persistence. The mentioned DLL file is classified as the malicious program HeaderTip, the main purpose of which is to download and execute other DLL files."

The HeaderTip samples used by the attackers are 32-bit DLLs written in C++. The malware provides backdoor functionality and serves as a first-stage implant. CERT-UA, which did not mention China or Scarab in its alert, added that identical attacks were observed in September last year. SentinelOne said it tied UAC-0026 to Scarab through analysis of the malware used in the attacks.

"Further relationships can be identified through the reuse of actor-unique infrastructure between the malware families associated with the groups," SentinelOne explained, adding that there is sufficient evidence that the malware's author works on a Windows system configured for the Chinese language.

“Based on known targets since 2020, including those against Ukraine in March 2022, in addition to specific language use, we assess with moderate confidence that Scarab is Chinese speaking and operating under geopolitical intelligence collection purposes,” SentinelOne concluded.