
NCSC Unveils “Pigmy Goat” Malware Targeting Sophos Firewalls in Advanced Chinese Cyberattack


The National Cyber Security Centre (NCSC) recently disclosed the presence of a Linux malware, “Pigmy Goat,” specifically designed to breach Sophos XG firewall devices. This malware, allegedly developed by Chinese cyber actors, represents a significant evolution in network infiltration tactics due to its complexity and advanced evasion methods. 

This revelation follows Sophos’ recent “Pacific Rim” reports, which detail a five-year campaign in which Chinese threat actors targeted network devices at an unprecedented scale. Among the identified tools, “Pigmy Goat” stands out as a rootkit crafted to resemble legitimate Sophos product files, making it hard to detect: it hides by taking the names of ordinary system files so that basic file-name checks pass over it. “Pigmy Goat” enables threat actors to establish persistent, unauthorized access to the target’s network. Using the LD_PRELOAD environment variable, it embeds itself in the SSH daemon (sshd), allowing it to intercept and alter incoming connections. 

The malware watches for specific byte sequences (“magic bytes”) that identify backdoor sessions, which it redirects through a Unix socket, thereby concealing its presence from standard security monitoring. Once a connection is established, it communicates with command and control (C2) servers over TLS. The malware presents a certificate that mimics Fortinet’s FortiGate certificate, blending in on networks where Fortinet devices are common, to avoid suspicion. This backdoor offers threat actors multiple capabilities to monitor, control, and manipulate the network environment. Through commands from the C2, attackers can remotely open shell access, track network activity, adjust scheduled tasks, or even set up a SOCKS5 proxy, which helps them remain undetected while maintaining control over the network. These actions could allow unauthorized data access or further exploitation, posing significant threats to organizational cybersecurity. 

The NCSC report aligns “Pigmy Goat” with tactics used in “Castletap” malware, which cybersecurity firm Mandiant has linked to Chinese nation-state actors. The report’s insights reinforce concerns over the evolving sophistication in state-sponsored cyber tools aimed at infiltrating critical network infrastructure worldwide. Detection and prevention of “Pigmy Goat” are crucial to mitigating its impact. The NCSC report provides tools for identifying infection, including file hashes, YARA rules, and Snort rules, which can detect specific sequences and fake SSH handshakes associated with the malware. 

Additionally, monitoring for unusual files and behaviours, such as encrypted payloads in ICMP packets or the use of ‘LD_PRELOAD’ within the sshd process, can be effective. These insights empower network defenders to recognize early signs of compromise and respond swiftly, reinforcing defences against this sophisticated threat.
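The LD_PRELOAD indicator mentioned above can be checked directly on a Linux host. The following is an added example, not code from the NCSC report or from Sophos: it inspects the three places a preloaded shared object shows up (the process environment in /proc/<pid>/environ, the global /etc/ld.so.preload file, and the shared objects mapped in /proc/<pid>/maps) and reports findings for sshd. The process snapshots at the bottom are constructed sample data with placeholder paths so the script runs offline; snapshot_from_proc() builds the same structure from a live host. The trusted library directories are an assumption for a stock install.

```python
"""Host audit for a preloaded shared object in sshd (added example, not NCSC code)."""
import os
from dataclasses import dataclass

# System library directories a stock sshd is expected to load from (assumption).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


@dataclass
class ProcSnapshot:
    pid: int
    comm: str        # /proc/<pid>/comm, e.g. "sshd"
    environ: bytes   # raw /proc/<pid>/environ, NUL-separated KEY=VALUE entries
    maps: str        # /proc/<pid>/maps text, one mapping per line


def parse_environ(raw: bytes) -> dict:
    """Turn the NUL-separated environ block into a dict (values may contain '=')."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def mapped_shared_objects(maps: str) -> set:
    """Collect file-backed shared objects from a maps listing.

    A maps line is: address perms offset dev inode [pathname]; anonymous and
    special mappings such as [heap] and [stack] are skipped.
    """
    paths = set()
    for line in maps.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) == 6 and parts[5].startswith("/") and ".so" in parts[5]:
            paths.add(parts[5])
    return paths


def audit_host(procs, ld_so_preload: str = "", target_comm: str = "sshd") -> list:
    """Return human-readable findings for preload indicators on the target daemon."""
    findings = []
    # /etc/ld.so.preload applies to every process, so report it once.
    for line in ld_so_preload.splitlines():
        path = line.split("#", 1)[0].strip()
        if path:
            findings.append(f"/etc/ld.so.preload forces {path} into every process")
    for proc in procs:
        if proc.comm != target_comm:
            continue
        env = parse_environ(proc.environ)
        if "LD_PRELOAD" in env:
            findings.append(f"pid {proc.pid}: {target_comm} runs with LD_PRELOAD={env['LD_PRELOAD']}")
        for so in sorted(mapped_shared_objects(proc.maps)):
            if not so.startswith(TRUSTED_LIB_DIRS):
                findings.append(f"pid {proc.pid}: {target_comm} mapped {so} from outside system lib dirs")
    return findings


def snapshot_from_proc(pid: int) -> ProcSnapshot:
    """Read a live /proc entry (Linux only; root-owned sshd needs privileges)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    with open(f"{base}/environ", "rb") as f:
        environ = f.read()
    with open(f"{base}/maps") as f:
        maps = f.read()
    return ProcSnapshot(pid, comm, environ, maps)


# Constructed sample snapshots (not from a real host); library paths are placeholders.
LIBC = "7f3a0000-7f3b0000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
CLEAN_SSHD = ProcSnapshot(812, "sshd", b"PATH=/usr/sbin:/usr/bin\0LANG=C.UTF-8\0", LIBC)
# Preloaded object under /lib/ with an innocuous name: only the environ check catches it,
# which is why a path allowlist alone is not enough against a rootkit that mimics vendor files.
PRELOADED_SSHD = ProcSnapshot(
    955, "sshd",
    b"PATH=/usr/sbin:/usr/bin\0LD_PRELOAD=/lib/libplaceholder.so\0",
    LIBC + "7f3c0000-7f3d0000 r-xp 00000000 08:01 9999 /lib/libplaceholder.so\n",
)
# Injected object under /tmp with a scrubbed environment: only the maps check catches it.
TMP_SSHD = ProcSnapshot(
    960, "sshd", b"PATH=/usr/sbin:/usr/bin\0",
    LIBC + "7f3e0000-7f3f0000 r-xp 00000000 08:01 4242 /tmp/.cache/libhook.so\n",
)

if __name__ == "__main__":
    for finding in audit_host([CLEAN_SSHD, PRELOADED_SSHD, TMP_SSHD]):
        print(finding)
```

Run it as-is to see the two constructed findings, or feed `audit_host` a list built from `snapshot_from_proc(pid)` for every sshd pid on a host. The two checks are deliberately independent: a scrubbed environment defeats the environ check, and a plausible name under /lib defeats the path check, so a practical audit keeps both and adds the NCSC-published hashes and YARA rules on top.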

Sharp Dragon Shifts Cyber Attacks to New Frontiers: Africa and the Caribbean


Check Point Research has been monitoring Sharp Dragon, a Chinese cyber threat group, since 2021. This group, previously known as Sharp Panda, has primarily targeted organisations in Southeast Asia with phishing campaigns. Recently, however, they have expanded their activities to include government organisations in Africa and the Caribbean, marking a significant change in their strategy.

Starting in late 2023, Sharp Dragon shifted its focus to government entities in Africa and the Caribbean. They used previously compromised email accounts from Southeast Asia to send phishing emails. These emails contained documents that appeared legitimate but were actually designed to deliver Cobalt Strike Beacon malware, replacing their earlier use of VictoryDLL and the Soul framework.

The first attack targeting Africa occurred in November 2023, involving a phishing email about industrial relations between Southeast Asia and Africa. By January 2024, further attacks within Africa suggested that some initial attempts had been successful. Similarly, in December 2023, Sharp Dragon targeted a Caribbean government with a document related to a Commonwealth meeting. This was followed by a broader phishing campaign in January 2024, using a fake survey about opioid threats in the Eastern Caribbean.

Sharp Dragon has been refining its tactics. Their new approach includes more thorough checks on target systems before deploying malware. They now use Cobalt Strike Beacon, which allows them to control infected systems without exposing their custom tools immediately. This change helps them avoid detection and gather more information on their targets.

They have also shifted from using DLL-based loaders to executable files disguised as documents. These files write and execute malicious software and create scheduled tasks for persistence on the infected system.
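A defender can catch the "executable disguised as a document" lure by comparing a file's real container format with what its name claims. The following is an added example, not code from the Check Point report: it identifies the format from well-known magic numbers, flags a PE file carrying a document extension, flags a document extension followed by an executable extension, and flags any other content/extension mismatch. The sample files are constructed in memory with placeholder names, and the format table covers only the formats listed in it.

```python
"""Content-versus-name check for lure files (added example, not Check Point code)."""
import os

# Magic numbers for the containers a document-looking file may legitimately be.
MAGIC = [
    (b"MZ", "pe"),                                  # Windows PE executable
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                         # docx/xlsx/pptx are zip containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy doc/xls/ppt (OLE2)
    (b"{\\rtf", "rtf"),
]

# Which real formats each document extension may carry.
EXPECTED_FORMATS = {
    ".pdf": {"pdf"},
    ".docx": {"zip"}, ".xlsx": {"zip"}, ".pptx": {"zip"},
    ".doc": {"ole", "rtf"}, ".xls": {"ole"}, ".ppt": {"ole"},
    ".rtf": {"rtf"},
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def sniff_format(head: bytes) -> str:
    """Identify the container format from the leading bytes, or 'unknown'."""
    for magic, fmt in MAGIC:
        if head.startswith(magic):
            return fmt
    return "unknown"


def extensions(name: str) -> list:
    """All dotted suffixes of a file name, lower-cased: 'a.PDF.exe' -> ['.pdf', '.exe']."""
    parts = name.replace("\\", "/").rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:] if p]


def assess(name: str, head: bytes) -> list:
    """Return findings for one file; an empty list means name and content agree."""
    findings = []
    exts = extensions(name)
    fmt = sniff_format(head)
    if len(exts) >= 2 and exts[-2] in EXPECTED_FORMATS and exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"{name}: document extension followed by executable extension")
    claimed = exts[-1] if exts else ""
    if claimed in EXPECTED_FORMATS:
        if fmt == "pe":
            findings.append(f"{name}: PE executable named as a {claimed} document")
        elif fmt != "unknown" and fmt not in EXPECTED_FORMATS[claimed]:
            findings.append(f"{name}: content is {fmt}, not what {claimed} implies")
    return findings


def scan_directory(path: str) -> dict:
    """Apply assess() to every regular file under path, reading only the first 16 bytes."""
    results = {}
    for root, _, files in os.walk(path):
        for fn in files:
            full = os.path.join(root, fn)
            with open(full, "rb") as f:
                head = f.read(16)
            hits = assess(full, head)
            if hits:
                results[full] = hits
    return results


# Constructed sample inputs (placeholder names; only the leading bytes matter).
SAMPLES = {
    "meeting_agenda.docx": b"PK\x03\x04\x14\x00\x00\x00",
    "survey.pdf": b"MZ\x90\x00\x03\x00\x00\x00",
    "report.doc.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "notes.rtf": b"{\\rtf1\\ansi",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        for finding in assess(name, head):
            print(finding)
```

Reading only the first 16 bytes keeps `scan_directory` cheap enough to run over a mail quarantine or download folder. Note the limits: a check like this proves only that name and content disagree, so a genuine Office or PDF document carrying a malicious macro or exploit passes it, and it belongs beside, not instead of, the scheduled-task and process monitoring that catches the persistence step described above.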

Another major change is Sharp Dragon's use of compromised servers for their command and control operations. Instead of using dedicated servers, they exploit legitimate servers, making their activities harder to detect. For example, in May 2023, they used a vulnerability in the GoAnywhere platform to take over legitimate servers.

Sharp Dragon's new focus on Africa and the Caribbean shows a broader effort by Chinese cyber groups to increase their influence in these regions. After years of targeting Southeast Asia, Sharp Dragon is using its established tactics to gain a foothold in new territories. Their refined methods and careful target selection highlight the need for enhanced cybersecurity measures in these regions, which have yet to be as heavily scrutinized by the global cybersecurity community.


Chinese Loan Apps Fraud: Indian Agency Raids Razorpay, Paytm, Cashfree


On Saturday, India’s Enforcement Directorate (ED) carried out raids at nine premises in Bengaluru connected to online payment gateways, including Paytm, Cashfree, and Razorpay. Some of these companies are also believed to be involved in illegal betting. 

An official said the raids were conducted in connection with a money laundering case — part of an ongoing investigation into illegal loan apps allegedly run by Chinese nationals. 

The ED said it seized Rs 17 crore held in “merchant IDs and bank accounts of these Chinese persons-controlled entities” during the raids. 

In a statement, a Razorpay spokesperson said: “Some of our merchants were being investigated by law enforcement about a year-and-a-half back. As part of the ongoing investigation, the authorities requested additional information to help with the investigation. We have fully cooperated and shared KYC and other details. The authorities were satisfied by our due diligence process”. 

The agency added that after it began its probes, many of these companies shut down their business and diverted funds through fintech companies to buy crypto assets so the money could be laundered abroad. 

In this connection, the agency searched various premises associated with the crypto exchange WazirX and froze Rs 64 crore in its accounts. 

Cashfree said its processes adhere to PMLA directions. “We extended our diligent cooperation to the ED operations, providing them the required and necessary information on the same day of inquiry. Our operations and onboarding processes adhere to the PMLA and KYC directions, and we will continue to do so in the time to follow,” said a company spokesperson. 

Additionally, in August 2020 the agency conducted a raid and froze Rs 47 crore belonging to a Chinese company that was running illegal betting and loan apps in India, and searched 15 premises connected with the company across Delhi, Mumbai, Gurgaon, and Pune. 

The Directorate of Enforcement (ED) is an Indian law enforcement and economic intelligence agency responsible for enforcing economic laws and prosecuting economic fraud and crime in India.