Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Chinese Hackers. Show all posts
TLS
C2 Chinese Hackers Chinese Threat Actors Cyber Attacks Malware Attack NCSC Sophos TLS

NCSC Unveils “Pigmy Goat” Malware Targeting Sophos Firewalls in Advanced Chinese Cyberattack

 

The National Cyber Security Centre (NCSC) recently disclosed the presence of a Linux malware, “Pigmy Goat,” specifically designed to breach Sophos XG firewall devices. This malware, allegedly developed by Chinese cyber actors, represents a significant evolution in network infiltration tactics due to its complexity and advanced evasion methods. 

This revelation follows Sophos’ recent “Pacific Rim” reports, which detail a five-year campaign involving Chinese threat actors targeting network devices at an unprecedented scale. Among the identified tools, “Pigmy Goat” stands out as a rootkit crafted to resemble legitimate Sophos product files, making it challenging to detect. This strategy is known to use stealth by masking its identity within commonly named system files to evade basic detection protocols. “Pigmy Goat” enables threat actors to establish persistent, unauthorized access to the target’s network. Using the LD_PRELOAD environment variable, it embeds itself in the SSH daemon (sshd), allowing it to intercept and alter incoming connections. 

The malware seeks specific sequences called “magic bytes” to identify backdoor sessions, which it redirects through a Unix socket, thereby concealing its presence from standard security monitoring. Once a connection is established, it communicates with command and control (C2) servers over TLS. The malware cleverly mimics Fortinet’s FortiGate certificate, blending into networks where Fortinet devices are prevalent, to avoid suspicion. This backdoor offers threat actors multiple capabilities to monitor, control, and manipulate the network environment. Through commands from the C2, attackers can remotely open shell access, track network activity, adjust scheduled tasks, or even set up a SOCKS5 proxy, which helps them remain undetected while maintaining control over the network. These actions could allow unauthorized data access or further exploitation, posing significant threats to organizational cybersecurity. 

The NCSC report aligns “Pigmy Goat” with tactics used in “Castletap” malware, which cybersecurity firm Mandiant has linked to Chinese nation-state actors. The report’s insights reinforce concerns over the evolving sophistication in state-sponsored cyber tools aimed at infiltrating critical network infrastructure worldwide. Detection and prevention of “Pigmy Goat” are crucial to mitigating its impact. The NCSC report provides tools for identifying infection, including file hashes, YARA rules, and Snort rules, which can detect specific sequences and fake SSH handshakes associated with the malware. 

Additionally, monitoring for unusual files and behaviours, such as encrypted payloads in ICMP packets or the use of ‘LD_PRELOAD’ within the sshd process, can be effective. These insights empower network defenders to recognize early signs of compromise and respond swiftly, reinforcing defences against this sophisticated threat.
Read more »
Wiretaps
Chinese Hackers Cyber Espionage Campaign Data Breach United States Wiretaps

Chinese Hackers Breach US Telco Networks to Access US Court Wiretap Systems

 

A Wall Street Journal report claims that Chinese hackers gained access to systems used for court-authorized wiretaps by breaking into the networks of major US telecommunications companies. 

The breach, which targeted companies such as Verizon Communications, AT&T, and Lumen Technologies, may have allowed the attackers to go unnoticed for months while gathering critical details regarding government requests for communications data. 

The hackers, who are believed to be affiliated with a state-sponsored Chinese group, were able to breach the system that telecom firms use to handle wiretaps authorised by the government. This breach may have given the perpetrators access to sensitive US internet traffic, allowing them to monitor communications under surveillance orders. 

The attack was recently identified, and it is believed that the hackers may have had long-term access to these networks, gathering intelligence. US investigators have dubbed the group responsible for the breach "Salt Typhoon" The incident is part of a larger pattern of cyber espionage actions attributed to Chinese hackers. 

Earlier this year, US law enforcement shut down another significant Chinese hacking campaign known as "Flax Typhoon," a group suspected of widespread cyber-espionage. These operations are believed to be aimed at gathering intelligence for the Chinese government. 

China's denial

The Chinese foreign ministry responded to the charges by rejecting any involvement in the cyber operation. In a statement, they claimed they were unaware of the attack mentioned in the report and accused the US of fabricating a "false narrative" to blame China. 

The ministry also criticised the US for impeding global cybersecurity cooperation and communication, describing the charges as a roadblock to international efforts to confront cybersecurity concerns. Beijing has always refuted all allegations of state-sponsored hacking, including those made by the US government.

In this instance, China's foreign ministry mentioned details provided by their own cybersecurity agency, claiming that "Volt Typhoon," another supposed Beijing-linked gang, was actually the work of a global ransomware organisation.
Read more »
threat report
Business Security Chinese Hackers Cyber Security Mexico threat report

Here's How Criminals Are Targeting Users and Enterprises in Mexico

 

A recent Mandiant report highlighted the increasing cyber threats that Mexico is facing, including a sophisticated blend of domestic and global cybercrime that targets both individuals and businesses. 

Mexico's economy, ranked 12th largest in the world, makes it an appealing target for both financially driven hackers and cyber criminals from countries like North Korea, China, and Russia.

Since 2020, cyber espionage groups from over ten nations have been identified attempting to breach Mexican organisations. Among these, attackers affiliated with the People's Republic of China (PRC), North Korea, and Russia have been the most active, with China accounting for one-third of government-sponsored phishing activity.

Chinese actors are focussing specifically on news, education, and government organisations in Mexico; this is consistent with similar targeting strategies observed in regions where China has made large investments. 

Since the start of the war in Ukraine, North Korean outfits have focused on financial technology and cryptocurrency firms, while Russian cyber espionage activities have fallen substantially as resources have been diverted to other areas. The use of commercial spyware in Mexico is also highlighted in the report, with politicians, human rights advocates, and journalists being among the targets.

These tools are frequently sold to governments or attackers and are used to detect and exploit vulnerabilities in consumer devices. While spyware attacks only affect a few people at a time, they have significant implications for Mexico's press freedom and political integrity. 

Mandiant's report highlights a significant increase in ransomware and extortion operations in Mexico. From January 2023 to July 2024, Mexico ranked second in Latin America in terms of data leak site (DLS) listings following ransomware attacks, trailing only Brazil. LockBit, ALPHV, and 8BASE have been the most active in Mexico, concentrating on industries including manufacturing, technology, and financial services.

Threats from financial malware distribution efforts persist in Mexico, as attackers use lures related to taxes and finance to trick unsuspecting victims into downloading malicious software. UNC4984 and other groups have been seen distributing malware to Mexican banks via spoofed Mexican government websites, including the Mexican Tax Administration Service (SAT).
Read more »
Vulnerabilities and Exploits
Chinese Hackers CISA Cyber Threats Software Vulnerabilities and Exploits

Chinese Hackers Exploit Serious Flaw in Versa SD-WAN Systems


 

A Chinese cyber-espionage group, known as Volt Typhoon, has been exploiting a newly discovered security flaw in Versa Networks' SD-WAN Director servers. This zero-day vulnerability, identified as CVE-2024-39717, has already been used to infiltrate several organizations. Given the seriousness of this issue, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed it among known exploited vulnerabilities, urging immediate corrective actions.

The CVE-2024-39717 vulnerability impacts all versions of Versa Director released before version 22.1.4. The issue originates from a feature in the system's graphical user interface (GUI) that allows for customisation. Versa Director is a crucial part of Versa Networks' software-defined wide area networking (SD-WAN) solutions, which are used by ISPs, MSPs, and large corporations to manage network devices, route traffic, and enforce security policies. Unfortunately, this vulnerability enables attackers to steal user credentials, potentially leading to further attacks.

Dan Maier, Versa's Chief Marketing Officer, noted that this flaw could allow attackers to escalate privileges without authorization. Attackers can initially access Versa Director through high-availability management ports 4566 and 4570, particularly if these ports are left open to the internet. Once inside, they can gain administrator-level credentials, giving them complete control over the system. Maier emphasised that Versa has long advised customers to limit access to these critical ports to prevent such security breaches.

The vulnerability was first discovered by researchers at Lumen Technologies' Black Lotus Labs. They found that Volt Typhoon had been exploiting this flaw since at least June 2024. The attackers used small office/home office (SOHO) devices, a common tactic for this group, to infiltrate vulnerable Versa Director systems via the exposed management ports. After gaining access, the attackers deployed a custom web shell named "VersaMem" to capture plaintext user credentials and monitor the Apache Tomcat web server's incoming traffic.

On June 21, Lumen researchers informed Versa about the vulnerability, shortly after they believed Volt Typhoon started exploiting it. Versa responded by issuing advisories on July 26 and August 8, outlining steps to reduce the risk. By August 26, they had published a detailed security bulletin describing the flaw and providing guidance for customers to protect their systems.

At least five organisations, including four based in the United States, have been compromised due to this vulnerability. These organisations are primarily from the managed service provider, internet service provider, and IT sectors. Given the seriousness of the situation, CISA has mandated that federal agencies apply the necessary mitigations by September 13 or cease using the vulnerable technology until it is secured.

Although the vulnerability was rated as moderately severe with a CVSS score of 6.6 out of 10, Versa has highlighted the significant risks associated with it. While the vulnerability is complex to exploit and requires high-level privileges, it becomes much easier to exploit if the management ports are exposed. In such cases, attackers can upload unauthorized files and execute code via the VersaMem web shell, leading to severe security breaches.

Versa has strongly advised its customers to update their systems to the latest versions, which include security enhancements that make the software more resistant to attacks. They have also recommended following their system hardening and firewall guidelines to reduce the likelihood of exploitation.

The Volt Typhoon group’s exploitation of the CVE-2024-39717 vulnerability highlights the ongoing threat posed by state-backed cyber actors. Although Versa has patched the vulnerability, organizations using Versa Director must act quickly to secure their systems and prevent further breaches. This incident serves as a reminder of the importance of keeping software updated and securing all network entry points to defend against sophisticated cyber threats.

Read more »
USA
Chinese Hackers CloudSorcerer Cyber Attacks Technology Threats USA

Chinese Hacking Groups Target Russian government, IT firms

At the end of July 2024, a series of targeted cyberattacks began, aimed at Russian government organizations and IT companies. These attacks have been linked to Chinese hacker groups APT31 and APT27. The cybersecurity firm Kaspersky uncovered this activity and named the campaign "EastWind."  

The attackers used an updated version of the CloudSorcerer backdoor, which was first seen in a similar campaign back in May 2024 that also targeted Russian government entities. 
However, CloudSorcerer has not only been used in attacks on Russia; in May 2024, Proofpoint identified a related attack on a U.S.-based think tank. 

To check if a system has been compromised, look for DLL files larger than 5MB in the 'C:\Users\Public' directory, unsigned 'msedgeupdate.dll' files, and a running process named 'msiexec.exe' for each logged-in user. 

The initial stage of the attack involved phishing emails. These emails carried RAR archive attachments that were named after the target. Once opened, the archive used a technique called DLL side loading to drop a backdoor on the system, while simultaneously opening a document to distract the victim. 

The backdoor allowed attackers to explore the victim’s filesystem, execute commands, steal data, and deploy additional malware. The attackers used this backdoor to introduce a trojan called 'GrewApacha,' which has been linked to APT31. 

The latest version of GrewApacha, compared to previous versions from 2023, has been improved to use two command servers instead of one. These servers' addresses are stored in base64-encoded strings on GitHub profiles, which the malware accesses. Another tool loaded by the backdoor is a refreshed version of CloudSorcerer. 

This version uses a unique encryption mechanism to ensure it only runs on the targeted system. If run on a different machine, the encryption key will differ, causing the malware to fail. The updated CloudSorcerer now fetches its command-and-control (C2) server addresses from public profiles on Quora and LiveJournal instead of GitHub. 

A third piece of malware introduced during the EastWind attacks is called PlugY. This is a previously unknown backdoor with versatile capabilities, including executing commands, capturing screens, logging keystrokes, and monitoring the clipboard. 

Researchers found that the code used in PlugY has similarities with attacks by the APT27 group and a specific library for C2 communications found in PlugY is also used in other Chinese threat actor tools.
Read more »
Vulnerability management
Chinese Hackers Cyber Security Data Privacy Endpoint security Vulnerability management

Chinese APT40 Can Exploit Flaws Within Hours of Public Release

 

A joint government advisory claims that APT40, a Chinese state-sponsored actor, is focusing on recently discovered software vulnerabilities in an attempt to exploit them in a matter of hours.

The advisory, authored by the Cybersecurity and Infrastructure Security Agency, FBI, and National Security Agency in the United States, as well as government agencies in Australia, the UK, Canada, New Zealand, Germany, South Korea, and Japan, stated that the cyber group has targeted organisations in a variety of arenas, employing techniques commonly employed by other state-sponsored actors in China. It has often targeted Australian networks, for instance, and remains a threat, the agencies warned. 

Rather than using strategies that involve user engagement, the gang seems to prefer exploiting vulnerable, public-facing infrastructure and prioritising the collection of valid credentials. It frequently latches on public exploits as soon as they become accessible, creating a "patching race" condition for organisations. 

"The focus on public-facing infrastructure is interesting. It shows they're looking for the path of least resistance; why bother with elaborate phishing campaigns when you can just hit exposed vulnerabilities directly?" stated Tal Mandel Bar, product manager at DoControl. 

The APT targets newly disclosed flaws, but it also has access to a large number of older exploits, according to the agencies. As a result, a comprehensive vulnerability management effort is necessary.

Comprehensive reconnaissance efforts 

APT40 conducts reconnaissance against networks of interest on a regular basis, "including networks in the authoring agencies' countries, looking for opportunities to compromise its targets," according to the joint advice. The group then employs Web shells for persistence and focuses on extracting data from sensitive repositories.

"The data stolen by APT40 serves dual purposes: It is used for state espionage and subsequently transferred to Chinese companies," Chris Grove, director of cybersecurity strategy at Nozomi Networks, stated. "Organizations with critical data or operations should take these government warnings seriously and strengthen their defenses accordingly. One capability that assists defenders in hunting down these types of threats is advanced anomaly detection systems, acting as intrusion detection for attackers able to 'live off the land' and avoid deploying malware that would reveal their presence.” 

APT40's methods have also advanced, with the group now adopting the use of compromised endpoints such as small-office/home-office (SOHO) devices for operations, allowing security agencies to better track it. Volt Typhoon's noted approach is just one of many parts of the group's operation that are comparable to other China-backed threat groups including Kryptonite Panda, Gingham Typhoon, Leviathan, and Bronze Mohawk, the advisory reads. 

The advisory provides mitigating approaches for APT40's four major types of tactics, techniques, and procedures (TTPs), which include initial access, execution, persistence, and privilege escalation.
Read more »
Five Eye
APT40 Chinese Hackers Cyber Crime cyber espionage Five Eye

Chinese APT40 Attackers Exploit SOHO Routers to Launch Attacks

 

Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the United Kingdom, and the United States have issued a joint advisory about APT40, a China-linked cyber espionage group, warning regarding its ability to co-opt exploits for newly disclosed security vulnerabilities within hours or days of public release.

"APT40 has previously targeted organizations in various countries, including Australia and the United States," the agencies noted. "Notably, APT40 possesses the ability to quickly transform and adapt vulnerability proofs-of-concept (PoCs) for targeting, reconnaissance, and exploitation operations.” 

The threat group, also known as Bronze Mohawk, Gingham Typhoon (previously Gadolinium), ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423, and TEMP.Periscope, has been active since at least 2011, carrying out cyber attacks against companies in the Asia Pacific region. It is believed to be based in Haikou.

In July 2021, the US and its allies officially identified the group as being linked to China's Ministry of State Security (MSS), indicting several members of the hacking crew for orchestrating a multiyear campaign aimed at various sectors to facilitate the theft of trade secrets, intellectual property, and high-value information. 

Over the last few years, APT40 has been linked to intrusion waves that distribute the ScanBox reconnaissance framework, as well as the exploitation of a security vulnerability in WinRAR (CVE-2023-38831, CVSS score: 7.8) as part of a phishing effort targeting Papua New Guinea to deliver a backdoor known as BOXRAT. Then, earlier this March, the New Zealand government implicated the threat actor in the 2021 deal between the Parliamentary Counsel Office and the Parliamentary Service.

The group has also been observed using out-of-date or unpatched devices, such as small-office/home-office (SOHO) routers, as part of its attack infrastructure in an attempt to reroute malicious traffic and avoid detection, a strategy similar to that used by other China-based groups such as Volt Typhoon.

According to Google-owned Mandiant, this is part of a larger shift in Chinese cyber espionage activity that aims to prioritise stealth by increasingly weaponizing network edge devices, operational relay box (ORB) networks, and living-off-the-land (LotL) techniques to avoid detection. 

Attack chains also include reconnaissance, privilege escalation, and lateral movement actions that use the remote desktop protocol (RDP) to steal credentials and exfiltrate sensitive information. To reduce the risks posed by such threats, organisations should maintain adequate logging mechanisms, enforce multi-factor authentication (MFA), implement an effective patch management system, replace obsolete equipment, disable unused services, ports, and protocols, and segment networks to prevent access to sensitive data.
Read more »
Hckers
Chinese Hackers Cyber Security Cyberattacks CyberCrime FBI Hckers

Cybersecurity Crisis Looms: FBI Chief Unveils Chinese Hackers' Plan to Target US Infrastructure

 


As the head of the FBI pointed out Wednesday, Beijing was positioning itself to disrupt the daily lives of Americans if there was ever a war between the United States and China if it were to plant malware to damage civilian infrastructure. U.S. officials said Wednesday they disrupted a state-backed Chinese effort to plant malware. 

As FBI Director Chris Wray addressed House legislators just before the operation was announced, a botnet comprising hundreds of U.S.-based small office and home routers owned by individuals and companies was disrupted as part of the operation. Chinese hackers hijacked these routers to hide their presence as they sow malware. 

To achieve their ultimate objectives, they sought to attack water treatment plants, electrical grids, and transportation systems throughout the country. During a hearing scheduled for the House Select Committee on the Chinese Communist Party this afternoon, a copy of a prepared speech that Mr Wray intends to make in front of the House Select Committee on the Chinese Communist Party, it is stated that "far too little attention" has been paid to a cyber threat that is of concern to “every American.” 

During the US House hearing on Wednesday, Christopher Wray, the director of the Federal Bureau of Investigation, said that China’s hackers are targeting infrastructure to create havoc and harm American citizens and communities. In a report released by Wray hours after the FBI, with the support of the US Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), identified and disabled hundreds of routers hacked by a group known as Volt Typhoon, which US intelligence agencies suspect may be financed by the Chinese government. 

As a result of the group's work, Chinese critical infrastructure, such as communications, energy, transport, and water, was exploited by China using malware developed and distributed by the group. There is a consensus among outside cybersecurity firms, such as Microsoft, that Chinese state-backed hackers have been targeting U.S. critical infrastructure, and these comments align with statements made by outside cybersecurity firms in May. 

In the event of future crises between the U.S. and Asia, these technological advancements could lay the technical groundwork for the disruption of critical communications. In the month following, Mandiant reported that it was suspected state-backed Chinese hackers had hacked the networks of hundreds of public and private organizations across the globe using a security hole in a popular email security appliance. 

Among the many senior U.S. officials who have been raising the alarm for years about not only Chinese hacking prowess but also Beijing's determination to steal American scientific and industrial research have been raising the alarm for years. Multiple criminal indictments have laid out detailed evidence supporting China's claims that those accusations are unfounded. 

During these last few years, officials in the United States have been concerned about the possibility of such hackers hiding in U.S. infrastructure. For example, when the Volt Typhoon exploited older Cisco and NetGear routers no longer supported by their manufacturers with security updates, they became easy prey. 

To meet the urgency, law enforcement officials said, investigators worked with U.S. cyber operators who removed the malware from the routers without informing their owners directly - and added code to prevent the routers from being infected again. 

In a statement given to reporters under the condition of anonymity by government ground rules, a Justice Department official said officials were determined to interrupt Volt Typhoon's operation as soon as possible since the hackers were using it as a stepping stone to hide in U.S. internet traffic. 

The hackers burrow their way into critical infrastructure networks, ready to take advantage of that access whenever they please, ready to exploit it at any time of the day or night. According to Chinese government officials, the US government's allegations are unfounded and unfounded. 

A spokesman for the Chinese foreign ministry, Wang Wenbin, made a statement last year, according to which the Chinese government believes that China is the biggest victim of cyberattacks in the world due to almost daily and huge amounts of intrusions into its systems. 

The commander of US Cyber Command, Gen. Paul Nakasone, who is leaving the post, has maintained that responsible cyber actors do not attack civilian infrastructure as part of their activities. When Leon Panetta testified on Tuesday before the same committee, he said that he believed that Chinese agents had implanted malware within our computer networks and that the Chinese government would spread disinformation using artificial intelligence as a method of spreading disinformation. 

Panetta was the director of the Central Intelligence Agency and the secretary of defence in the Obama administration. There was an onset of a prime-time hearing last month, kicked off by Republican Representative Mike Gallagher of Wisconsin, who has been calling for establishing a committee devoted to countering China. Chinese officials have used their influence to lash out at the committee, accusing its members of ideological bias and the mindset of a zero-sum game typical of the Cold War.
Read more »
Vulnerability and Exploits
Chinese Hackers Cyber Hackers CyberCrime Cybersecurity Exploitation VMware Vulnerability and Exploits

Undetected Threat: Chinese Hackers' Long-Term VMware Exploitation

 


CVE-2023-34048 is a pathogen that can be exploited remotely by an attacker who has network access to execute arbitrary code remotely due to an out-of-bounds write flaw found in VMware’s DCERPC implementation, which can be tracked as CVE-2023-34048 (CVSS 9.8). 

As a result of the severity of the problem and the lack of workaround, VMware released patches for this vulnerability in October, noting that the patch was also available for versions of its products that had reached the end-of-life period (EOL). 

There has been some reported exploitation of CVE-2023-34048 in the wild since last week, according to the virtualization technology company's advisory, but it does not provide any specific details on the attacks observed. 

A zero-day vulnerability in VMware and Fortinet devices has been exploited by Chinese state-sponsored hackers named UNC3886 for years, experts have revealed, indicating that they have long exploited this vulnerability. 

Earlier this week, Mandiant issued a report alleging that a group was exploiting the vulnerability to deploy malware, steal credentials, and ultimately exfiltrate sensitive information. The security patch was released in late October of 2023, and it carries a severity rating of 9.8/10 (critical). 

The flaw is described as an out-of-bounds write flaw that can allow attackers who have access to the VirtualCenter Server to execute code remotely. Cyberspies took advantage of this to gain access to their targets' vCenter servers and to use the compromised credentials to install maliciously crafted vSphere Installation Bundles (VIBs) on ESXi hosts with VirtualPita and VirtualPie backdoors via maliciously crafted backdoors. 

Next, the attackers exploited a VMware Tools authentication bypass flaw in CVE-2023-20867 to gain access to guest virtual machines, harvest files, and exfiltrate them. Although Mandiant was not yet certain how the attackers acquired privileged access to victims' VMware servers, a VMware service crash minutes before the backdoors were deployed made it evident that the link was established by a VMware service crash, which closely coincided with the exploit of CVE-2023-34048 in late 2023.

It has been revealed by Mandiant that the zero-day attacker targeting VMware has been exploiting CVE-2023-34048 as a zero-day weaponized by them, allowing them to gain privileged access to the vCenter system, enumerate all VMware ESXi hosts and their virtual machines which they are connected to, and gain access to the vCenter server. 

Next, the adversary will be able to connect directly to the hosts by retrieving the cleartext "vpxuser" credentials for the hosts and connecting to them directly to install the malware VIRTUALPITA and VIRTUALPIE, allowing them to interact with them directly. 

As Mandiant revealed in June 2023, this paves the way for exploiting another VMware flaw, (CVE-2023-20867, CVSS score: 3.9). As a consequence, arbitrary commands can be executed on guest VMs and files can be transferred between the guest virtual machines from a compromised ESXi host using this flaw. 

As Mandiant pointed out in their analysis, the same crashes were observed in several UNC3886 intrusions that began in late 2021, suggesting the attacker had access to the vulnerability for approximately one and a half years. As well as removing the 'vmdird' core dumps from the compromised environments, the cybersecurity firm observed that they had also preserved the log entries to cover their tracks. 

With the release of the 8.0U2 update from VMware, the vulnerability found in vCenter version 8.0U2 has been patched. The patches are available for vCenter Server versions 8.0U1, 7.0U3, 6.7U3, 6.5U3, VCF 3.x, as well as Async vCenter Server Versions 5.x and 4.x.
Read more »
Network Breach
Chinese Hackers Cyber Security Generative AI National Security Network Breach

China Backed Actors are Employing Generative AI to Breach US infrastructure

 

Cybercriminals of all skill levels are utilising AI to hone their skills, but security experts warn that AI is also helping to track them down. 

At a workshop at Fordham University, National Security Agency head of cybersecurity Rob Joyce stated that AI is assisting Chinese hacker groups in bypassing firewalls when infiltrating networks. 

Joyce warned that hackers are using generative AI to enhance their use of English in phishing scams, as well as to provide technical help when penetrating a network or carrying out an attack. 

Two sides of the same coin

2024 is expected to be a pivotal year for state-sponsored hacking groups, particularly those operating on behalf of China and Russia. Taiwan's presidential election begins in a few days, and China will want to influence the result in its pursuit of reunification. However, attention will be centred around the upcoming US elections in November, as well as the UK's general election in the second half of 2024. 

China-backed groups have begun developing highly effective methods for infiltrating organisations, including the use of artificial intelligence. "They're all subscribed to the big name companies that you would expect - all the generative AI models out there," adds Joyce. "We're seeing intelligence operators [and] criminals on those platforms.” 

In 2023, the US saw a surge in attacks on major energy and water infrastructure facilities, which US officials attributed to groups linked to China and Iran. One of the attack techniques employed by the China-backed 'Volt Typhoon' group is to get clandestine access to a network before launching attacks using built-in network administration tools. 

While no specific examples of recent AI attacks were provided, Joyce states, "They're in places like electric, transportation pipelines, and courts, trying to hack in so that they can cause societal disruption and panic at the time and place of their choosing." 

China-backed groups have gained access to networks by exploiting implementation flaws - vulnerabilities caused by poorly managed software updates - and posing as legitimate users of the system. However, their activities and traffic inside the network are frequently odd. 

Joyce goes on to say that, "Machine learning, AI and big data helps us surface those activities [and] brings them to the fore because those accounts don't behave like the normal business operators on their critical infrastructure, so that gives us an advantage." 

Just as generative AI is expected to help narrow the cybersecurity skills gap by offering insights, definitions, and advice to industry professionals, it may also be reverse engineered or abused by cybercriminals to guide their hacking activities.
Read more »
SentinelOne
C++ Chinese Hackers Cyber Security Hackers IT Environment Keypluggs Microsoft Threat PwC Sandmam APT SentinelOne

Sandman APT Gains Traction: Chinese Hackers Amplify Cybersecurity Risks

 


It has been discovered that there is a strong coincidence in the targeting and tactics of Sandman, a mysterious advanced persistent threat (APT) that has been identified to use backdoors referred to as "Keypluggs," and KEYPLUG, a China-based threat cluster. 

Following this assessment, SentinelOne, PwC, and Microsoft Threat Intelligence have been working together on this since they have determined that the adversary's Lua-based malware, LuaDream, and the KEYPLUG have both been found to cohabit in the victim network alongside each other. 

Microsoft, SentinelLabs and PwC have collectively alerted consumers and businesses to the fact that threat actors who were allegedly linked to Chinese cybercriminals have deployed an advanced persistent threat (APT) referred to as Sandman to infiltrate IT environments with malware. 

An expert at SentinelOne, Aleksandar Milenkoski, said that Sandman has now been linked to STORM-0866/Red Dev 40, a threat actor aligned with the Chinese government's national interests, meaning that STORM-0866/Red Dev 40 targets Chinese companies. 

Following a series of cyberattacks carried out on telcos across the Middle East, Western Europe, and South Asia, Sandman was first identified in August. These attacks utilized a backdoor referred to as "LuaDream," which is a programming language that is based on Lua, as well as a backdoor titled "Keyplug," which is a programming language that is based on C++. 

SentinelOne revealed the existence of Sandman for the first time in September 2023, covering attacks on telecommunications providers in Europe, the Middle East, and South Asia by using an implant codenamed LuaDream that was used in its attacks. 

In August 2023, a record of intrusions was made. On the other hand, Storm-0866/Red Dev 40 refers to a cluster of APTs primarily targeting entities located in the Middle East and South Asia, such as telecommunication providers and government agencies, that represent an emerging APT network. 

Storm-0866 has several powerful tools at his disposal, one of which is KEYPLUG. This backdoor was first exposed by Google-owned Mandiant in the context of attacks conducted by the Chinese-based APT41 (also known as Brass Typhoon or Barium) actor between May 2021 and February 2022 in which he infiltrated six state government systems. 

The Recorded Future company reported earlier this month that the use of KEYPLUG was being used by a Chinese state-sponsored threat activity group it is tracking under the name RedGolf, which they claimed was "closely aligned with the threat activity produced by APT41/Barium. As part of its report, Mandiant informed the public that they first discovered the Keyplug backdoor in March 2022, which was used by a known Chinese group, APT41. 

Additionally, Microsoft and PwC teams discovered that the Keyplug backdoor was passed around to multiple other Chinese-based threat groups, according to the report. Researchers believe that the new obfuscation tools provided by Keyplug malware give the group a new advantage compared to previous versions. 

According to the report, the STORM-0866/Red Dev 40 cluster differs from the others because of specific malware characteristics, such as the unique encryption keys used to communicate with KEYPLUG command and control servers, as well as an increased sense of operational security, which can be attributed to the use of cloud-based reverse proxy infrastructure to hide the real locations where their C2 servers are hosted," says the report. 

According to the researchers, when they analyzed both the C2 configuration and the LuaDream and Keyplug malware strains, the overlaps were overwhelming, which can be interpreted as suggesting that their operators were seeking similar functional requirements. To grow, and effectively collaborate between the increasing number of Chinese APT groups, the report concluded, cyber security community members must share similar knowledge. 

There is a great deal of certainty that the constituent threat actors will continue to cooperate and coordinate, exploring new ways to enhance the functionality, flexibility, and stealthiness of their malware to further enhance the threat actors' threat. 

An influential example of how this can be applied is the adoption by developers of the Lua development paradigm. Overcoming the threat landscape requires a constant flow of information sharing between members of the threat intelligence research community. 

A few instances of espionage-motivated APTs historically considered Western or Western-aligned have been associated with Lua-based modular backdoors, such as LuaDream. This has proven to be a very rare occurrence and is often associated with APTs that are espionage-motivated. In our research on Sandman, we found that a broader set of cyberespionage threat actors are utilizing the Lua development paradigm because of its modularity, portability, and simplicity.
Read more »
NXP
Chinese Hackers Chip Maker Cyber Attacks Dutch Firm NXP

Chinese Hackers Lurked for Over Two Years to Steal NXP's Chipmaking IP

 

Chinese-affiliated hacker group Chimaera secured access to the network of the massive Dutch semiconductor company NXP for more than two years, from late 2017 to the start of 2020, NRC reported.During this time, the notorious hackers allegedly stole intellectual property, including chip designs; however, the full extent of the theft has yet to be revealed. NXP is Europe's largest chipmaker, and the scale and scope of the disclosed attack is alarming. 

The report claims that the hackers lurked in the company's network for almost 2.5 years before the breach was discovered; the Dutch airline Transavia, a subsidiary of KLM, was the target of a similar attack. In September 2019, hackers gained access to Transavia's reservation systems. The NXP hack was discovered as a result of communications with NXP IPs found during an investigation into the Transavia hack. The attack uses the ChimeRAR hacker tool, which is one of the defining characteristics of the Chimaera hacking group. 

To gain access to NXP, the hackers first used credentials extracted from previous data leaks on platforms such as LinkedIn or Facebook, and then used brute force attacks to guess passwords. They also got around double authentication by changing phone numbers. The attackers were patient, only checking for new data to steal every few weeks, and then snuck the data out by uploading encrypted files to online cloud storage services such as Microsoft's OneDrive, Dropbox, and Google Drive. 

Being a significant player in the global semiconductor market, NXP gained even more clout in 2015 when it purchased the American company Freescale. NXP is well-known for creating secure Mifare chips for Dutch public transport in addition to secure components for the iPhone, specifically Apple Pay.

NXP claims that the breach did not cause material damage, despite acknowledging that its intellectual property had been stolen. The company cites the complexity of the stolen data as a barrier to easy design replication. According to the NRC, the company felt no need to notify the public as a result. 

NXP apparently strengthened its network security after the breach. The business tightened its internal data accessibility and transfer policies and upgraded its monitoring systems. These preventative measures were meant to avert future incidents of the same kind, preserve the network's integrity, and protect the company's valuable intellectual property.
Read more »
User Privacy
Chinese Hackers Data Breach Hacking Group Malicious actor Phishing Attacks Red Cross Unauthorized access User Privacy

AtlasCross Hackers Target Organizations with Red Cross Phishing Lures

A new hacking group called AtlasCross is targeting organizations with phishing lures impersonating the American Red Cross. The group uses macro-enabled Word documents to deliver backdoor malware to victims' devices.

The phishing emails typically contain a link to a malicious website or an attachment containing a macro-enabled Word document. If the victim opens the attachment and enables macros, the malware will be installed on their device.

The malware used by AtlasCross is called DangerAds and AtlasAgent. DangerAds is a system profiler and malware loader, while AtlasAgent is a backdoor that allows attackers to remotely control the victim's device.

Once the attackers have control of the victim's device, they can steal sensitive data, such as login credentials, financial information, and trade secrets. They can also use the device to launch further attacks against other organizations.

Bill Toulas, CEO of NSS Labs, aptly notes, "The AtlasCross phishing campaign is a reminder that even the most sophisticated organizations can be targeted by cybercriminals. It is important to be vigilant and take steps to protect yourself from these attacks."

How to protect your organization from AtlasCross phishing attacks:

  • Exercise Caution with Unsolicited Emails: Especially those bearing attachments or links.
  • Scrutinize Known Senders: Verify email addresses to confirm legitimacy.
  • Exercise Restraint with Unknown Emails: Refrain from opening attachments or clicking links if authenticity is in doubt.
  • Disable Macros in Microsoft Office: Unless they are absolutely essential, it's prudent to keep macros disabled to thwart potential malware delivery.
  • Maintain Updated Software: Ensure your operating system, web browser, and antivirus software are up-to-date, as these updates frequently contain vital security patches.

Organizations can take the following steps to augment their defense against AtlasCross phishing campaigns:
  • Employee Education: Provide thorough training on recognizing and evading phishing attempts, as employees are the first line of defense.
  • Utilize a Robust Security Solution: Employ a solution adept at detecting and thwarting phishing emails based on various indicators.
  • Segment Your Network: Isolate devices to prevent easy lateral movement in case of a compromise.
  • Enforce Stringent Password Policies: Implement multi-factor authentication to bolster device and account security.
Global organizations and individuals are seriously threatened by the AtlasCross hacking group. The aforementioned advice can help you safeguard yourself from phishing attempts. It is significant to remember that there is a possibility that you could fall victim to a phishing assault even if you take all necessary safeguards. Cybercriminals are continually creating new phishing attack methods as they get more proficient.

.



Read more »
US-China
Chinese Hackers Cyber Data Cyber Safety Data Safety malware Ransonware Secure Security US-China

Report: Possible Chinese Malware in US Systems a 'Ticking Time Bomb'

 

According to a report by The New York Times on Saturday, the Biden administration has raised concerns about China's alleged implantation of malware into crucial US power and communications networks. The officials fear this could act as a "ticking time bomb" capable of disrupting US military operations in the event of a conflict.

The malware, as reported by the Times, could potentially grant China's People's Liberation Army the capability to disrupt not only US military bases' water, power, and communications but also those of homes and businesses across the country. 

The main concern is that if China were to take action against Taiwan, they might utilize this malware to hamper US military operations.

This discovery of the malware has led to a series of high-level meetings in the White House Situation Room, involving top military, intelligence, and national security officials, to track down and eliminate the malicious code.

Two months prior to this report, Microsoft had already warned about state-sponsored Chinese hackers infiltrating critical US infrastructure networks, with Guam being singled out as one target. 

The stealthy attack, ongoing since mid-2021, is suspected to be aimed at hindering the United States in case of a regional conflict. Australia, Canada, New Zealand, and Britain have also expressed concerns that Chinese hacking could be affecting infrastructure globally.

The White House, in response, issued a statement that did not specifically mention China or military bases. The statement emphasized the administration's commitment to defend the US critical infrastructure and implement rigorous cybersecurity practices.

These revelations come at a tense moment in US-China relations, with China asserting its claim over Taiwan and the US considering restrictions on sophisticated semiconductor sales to Beijing.
Read more »
US Firms
Chinese Hackers cyber espionage Cyber Security Cyber Warfare US Firms

Chinese-Sponsored Hacking Group Targeting Critical U.S. Infrastructure, Microsoft Claims

 

The employment of hackers to gather intelligence data is prevalent in practically every nation on earth. Intelligence organisations like the Fancy Bear and Equation Group are used by both the US and Russia. 

Microsoft Corp. stated last week that Volt Typhon was "pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises." Concern over the relationship between China and the US on Taiwan immediately arose after this statement. Pacific-wide cyberattacks may result from disputes between the US and China.

What precisely is a Volt Typhoon? 

A suspected hacker organisation goes by the name of "Volt Typhoon." The gang is thought to have China's support. The Volt Typhoon is reported to be capable of both digital sabotage and intelligence gathering. 

Is the Volt Typhoon a genuine threat to the infrastructure of the United States, or is it merely a new network of digital spies? 

Potential threats 

The American infrastructure is thought to be seriously threatened by the Volt Typhoon. The following are potential risks to the group: 

Espionage concerns: Spying is a concern for experts. In the midst of tensions over Taiwan, experts believe Volt Typhoon is a group of hackers ready to attack the American infrastructure. 

The assessment of Microsoft is given a "moderate confidence" rating, which denotes that the idea is plausible and backed by reliable sources but is not yet fully supported. Few experts believe there is any proof of sabotage planning, despite the fact that many researchers have discovered and evaluated the group's many elements.

According to Marc Burnard and Secureworks, the Volt Typhoon currently appears to be designed to steal data from organisations that hold information about the U.S. government or military.

Volt Typhoon is known as the "Bronze Silhouette" by Secureworks, and according to Marc Burnard, its primary function is espionage. 

Sneaky storm: Almost all cyber spies try to hide their tracks; Microsoft and other analysts believe Volt Typhoon was a quiet operator who camouflaged its activity by passing it through hijacked network equipment such as residential routers. These are well-planned wiped proof of intrusion from the victim's logs. 

China, on the other hand, has consistently denied any involvement in the Volt Typhoon cyberattack. However, Beijing has been preparing documentation of cyberespionage efforts for more than two decades. Spying has become a major emphasis in the recent decade, since Western experts have linked breaches to specific units of the People's Liberation Army. US law enforcement has indicted a slew of Chinese operatives with eavesdropping on US secrets. 

According to Secureworks in a blog post, the Volt Typhoon's interest in operational security may stem from the US claims, as well as increased pressure from Chinese leaders to refrain from scrutinising cyberespionage acts. 

Mitigation tips

In line with Microsoft's research on Volt Typhoon, spotting an activity that exploits standard sign-in channels and system binaries necessitates behavioural monitoring, and remediation necessitates shutting or resetting credentials for compromised accounts. In these circumstances, Microsoft recommends that security operations teams investigate the activities of compromised accounts for any dangerous actions or exposed data.
Read more »
Unauthorized access
ByteDance Chinese Apps Chinese Hackers Data Breach Data Privacy Laws Personal Data TikTok Unauthorized access

China's Access to TikTok User Data Raises Privacy Concerns

A former executive of ByteDance, the parent company of the popular social media platform TikTok, has made shocking claims that China has access to user data from TikTok even in the United States. These allegations have raised concerns about the privacy and security of TikTok users' personal information.

The ex-employees claims come at a time when TikTok is already under scrutiny due to its ties to China and concerns over data privacy. The United States and other countries have expressed concerns that user data collected by TikTok could be accessed and potentially misused by the Chinese government.

According to the former executive, Chinese Communist Party (CCP) officials have direct access to TikTok's backend systems, which allows them to obtain user data from anywhere in the world, including the US. This access allegedly enables the Chinese government to monitor and potentially exploit user data for various purposes.

These claims have significant implications for the millions of TikTok users worldwide. It raises questions about how their personal information is secure and protected from unauthorized access or potential misuse. Furthermore, it adds to the ongoing debate surrounding the relationship between Chinese tech companies and the Chinese government, and the potential risks associated with data sharing and surveillance.

ByteDance has previously denied allegations that TikTok shares user data with the Chinese government. The company has implemented measures to address privacy concerns, such as establishing data centers outside of China and hiring independent auditors to assess its data security practices.

However, these latest claims by a former executive fuel the skepticism and reinforce the need for transparency and independent verification of TikTok's data handling practices. It also underscores the importance of robust data protection regulations and international cooperation in addressing the challenges posed by global technology platforms.

Regulators and policymakers in various countries have examined TikTok's data privacy practices and explored potential restrictions or bans. These claims may add further impetus to those efforts, potentially leading to stricter regulations and increased scrutiny of TikTok's operations.

The allegations made by the ex-ByteDance executive regarding China's access to TikTok user data in the US have sparked fresh concerns about data privacy and security. As the popularity of TikTok continues to grow, it is crucial for the company to address these claims transparently and take additional steps to reassure users that their data is protected. Meanwhile, governments and regulatory bodies must continue to evaluate and enforce robust privacy regulations to safeguard user information in the era of global technology platforms.
Read more »
URL
APT Backdoor Botnet Chinese Hackers Data Breach Sensitive Information Software URL

Chinese APT Group Hijacks Software Updates for Malware Delivery

An advanced persistent threat (APT) group from China, known as Evasive Panda, has been discovered to be hijacking legitimate software update channels of Chinese-developed applications to deliver custom malware to individuals in China and Nigeria for cyber-espionage purposes. Researchers from Eset discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses. The modular malware allows Evasive Panda to spy on victims and enhance its capabilities on the go.

The APT group's activity was fairly easy to attribute to Evasive Panda as researchers have never observed any other threat actors using the MgBot backdoor. The attacks have been ongoing for two years, and the primary goal is to steal credentials and data for espionage purposes. This is another example of state-sponsored actors' increasing sophistication and persistence in cyberspace.

Using legitimate software update channels is a clever technique employed by the group to avoid detection by traditional security measures. Once the malware is delivered through the update, it can operate in the background undetected, and the APT group can exfiltrate sensitive information from the victim's device.

This discovery highlights the importance of maintaining a secure software supply chain and the need for constant vigilance in monitoring the activity of state-sponsored threat actors. Organizations and individuals should always keep their software up to date, maintain robust security measures, and be wary of any suspicious activity or unexpected system changes.

The Eset researchers noted that the MgBot malware has been specifically customized for each victim, suggesting a high degree of sophistication and customization by the APT group. This type of advanced malware is difficult to detect and defend against, making it imperative for individuals and organizations to be proactive in their cybersecurity measures.
Read more »
malware
Chinese Apps Chinese Hackers Google Playstore Malicious actor malware

Pinduoduo App Malware: A Security Warning

Pinduoduo, a popular Chinese e-commerce app, has come under scrutiny from cybersecurity experts after multiple reports of malware surfaced. According to CNN, a recent analysis found that the app contained a 'sophisticated and complex' malware strain that allowed attackers to steal personal data and spy on users' activities.

In a report by Bloomberg, cybersecurity researchers noted that the malware was able to "hijack user accounts, steal payment information, and even take control of users' phones." The report also highlighted that the app had been downloaded over one billion times, making it a significant threat to users' security and privacy.

In response to these reports, Google Play has suspended the app from its platform. The South China Morning Post notes that this is not the first time that Pinduoduo has come under fire for suspected malware. In 2021, the app was accused of selling counterfeit goods and allowing the sale of illegal and fake products.

Brian Krebs, a cybersecurity expert, notes that the Pinduoduo case highlights the risks of using apps from untrusted sources. He emphasizes that "users should always be wary of downloading apps from unfamiliar sources, as they may contain malicious code that can compromise their security and privacy."

The Pinduoduo case also underscores the importance of regularly updating software and using trusted security solutions to protect against malware and other cyber threats. As the threat landscape continues to evolve, it is essential that individuals and organizations remain vigilant and proactive in protecting their digital assets.

The Pinduoduo incident serves as a sobering reminder of the dangers presented by unreliable apps and the significance of cybersecurity in the current digital era. Users must take the necessary precautions to protect themselves and their data as cyber threats continue to grow in sophistication and complexity. Individuals and organizations can reduce the dangers of cyber assaults and secure their online safety by remaining educated, upgrading software on a regular basis, and employing reputable security solutions.

Read more »
Cyber Attacks
APT41 Chinese Hackers Covi-19 Cyber Attacks

Chinese Hackers Steal U.S Covid-19 Relief Funds, Experts suspect APT41


Chinese Hackers steal US Covid funds

The US Secret Service alleged that a Chinese hacking group stole tens of millions of dollars from US Covid-19 relief funds. The incident has increased the threat that the US and its citizens are facing from threat actors.

State-sponsored cyber criminal group APT41 scammed and stole $20 million that was used as a pandemic relief during Covid-19. 

Experts say this is the first theft of APT41, it is known for cyber espionage and financial cyberattacks. But this time, it is confirmed that APT41 has targeted US government funds. The money consists of small business administration plans and unemployment insurance funds.  

It also shows APT41's capability to defraud the US on a bigger scale, given the depth of details it has retrieved about American citizens.

"Fintech companies contracted by the federal government to process pandemic payouts rushed through processing applications in pursuit of higher fees, which contributed to the fraud that occurred, according to a report by the US House Select Subcommittee on the Coronavirus Crisis published on December 1. The key issue at hand is the state-sponsored group’s ability to scale future fraud attempts via automated technology and troves of taxpayer data China is believed to have obtained after security breaches at credit bureau Equifax and the US Office of Personnel Management, Hamilton said. OPM houses all federal employee data.ls it has retrieved about the American citizens," reports Bloomberg 

APT41 believed behind the theft

It is not clear if agencies believe APT41 compromised government systems or citizens' personal accounts to get the Covid-19 relief funds, or if they hacked into already stolen information to engage in an identity scam. 

Investigating agencies didn't disclose any more details about how the theft took place, saying  “with respect to a potentially ongoing investigation, we have no further publicly available information.” 

For individual US citizens, it may be hard to imagine themselves as victims of a states sponsored attack like China, however, the threat is rising.

“When you look at how many records they have, talk about massive fraud. If the Chinese-based hackers wanted to use that information for fraud, they would have a very easy time with that because they have it all," said Linn Freedman, cybersecurity partner of Robinson Cole LLP. 

The threat scale has increased

Currently, not much information is available to determine the security loopholes that resulted in fraudulent activity related to the relief funds, it is believed that the money theft is not an isolated incident. 

Mike Hamilton, the chief information security officer at cybersecurity agency Critical Insight, believes that the cyberattack was a "beta test" of APT41's capabilities to defraud the American government and also that APT41 attacked the funds because it was easy to steal. 

Bloomberg reports, "APT41 recently compromised at least six state government websites and exfiltrated personally identifiable information as part of a deliberate hacking campaign targeting states, according to a report published by cybersecurity firm Mandiant in March 2022."






Read more »
RaaS
APT actors Chinese Hackers Command and Control(C2) Data Breach Encryption Log4Shell PowerShell RaaS

Cheerscrypt Spyware Attributed to Chinese APT Entity

The Emperor Dragonfly Chinese hacker group, notorious for frequently switching between several ransomware families to avoid detection, has been connected to the Cheerscrypt virus. 

The attacks were linked by the cybersecurity company Sygnia to a threat actor also dubbed Bronze Starlight and DEV-0401. The hacking gang seems to be a ransomware operation, but past research suggests that the Chinese government is interested in many of its victims.

Cheerscrypt is the most recent addition to a long range of ransomware families that the gang has previously used, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0 in a little over a year.

Recently, Sygnia researched a Cheerscrypt ransomware operation that utilized Night Sky ransomware TTPs. The attackers then dropped a Cobalt Strike beacon linked to a C2 address formerly tied to Night Sky operations. 

The code for the Babuk ransomware, which was exposed online in June 2021, was used to develop the Cheerscrypt ransomware family, which Trend Micro first analyzed in May 2022. Cheerscrypt is one of several ransomware families used by the APT organization. The DEV-0401 group, unlike other ransomware gangs, oversees every stage of the assault chain directly, from the first access to the data theft. It does not rely on a system of affiliates.

A significant Log4Shell vulnerability in Apache Log4j was utilized by hackers in January 2022 assaults to acquire initial access to VMware Horizon servers. They subsequently dropped a PowerShell payload that was used to send an encrypted Cobalt Strike beacon. Apart from the beacon, the hackers also sent three Go-based tools: a keylogger that sent keystrokes to Alibaba Cloud, a customized version of the internet proxy tool iox, and the tunneling program NPS.

Trend Micro initially identified Cheerscrypt in May 2022, highlighting its capacity to target VMware ESXi servers as a component of a tried-and-true strategy known as double extortion to force its victims into paying the ransom or risk having their data exposed.

The hackers break into networks, take information, and encrypt devices just like other ransomware groups that target businesses. The victim is then coerced into paying a ransom through double-extortion methods using the data. The stolen data is posted on a data leak website when a ransom is not paid.

A PowerShell payload that can deliver an encrypted Cobalt Strike beacon has been dropped on VMware Horizon servers by infection chains that have exploited the major Log4Shell vulnerability in the Apache Log4j library.

Cheerscrypt and Emperor Dragonfly share initial access vectors, and lateral movement strategies, including the use of DLL side-loading to distribute the encrypted Cobalt Strike beacon. Notably, the ransomware gang is acting as a 'lone wolf' separated from the rest of the cybercrime community rather than as a RaaS (Ransomware-as-a-Service) platform for affiliates.






Read more »
Subscribe to: Posts (Atom)