Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Cyber Espionage Campaign. Show all posts

Chinese Hackers Breach US Telco Networks to Access US Court Wiretap Systems

 

A Wall Street Journal report claims that Chinese hackers gained access to systems used for court-authorized wiretaps by breaking into the networks of major US telecommunications companies. 

The breach, which targeted companies such as Verizon Communications, AT&T, and Lumen Technologies, may have allowed the attackers to go unnoticed for months while gathering critical details regarding government requests for communications data. 

The hackers, who are believed to be affiliated with a state-sponsored Chinese group, were able to breach the system that telecom firms use to handle wiretaps authorised by the government. This breach may have given the perpetrators access to sensitive US internet traffic, allowing them to monitor communications under surveillance orders. 

The attack was recently identified, and it is believed that the hackers may have had long-term access to these networks, gathering intelligence. US investigators have dubbed the group responsible for the breach "Salt Typhoon" The incident is part of a larger pattern of cyber espionage actions attributed to Chinese hackers. 

Earlier this year, US law enforcement shut down another significant Chinese hacking campaign known as "Flax Typhoon," a group suspected of widespread cyber-espionage. These operations are believed to be aimed at gathering intelligence for the Chinese government. 

China's denial

The Chinese foreign ministry responded to the charges by rejecting any involvement in the cyber operation. In a statement, they claimed they were unaware of the attack mentioned in the report and accused the US of fabricating a "false narrative" to blame China. 

The ministry also criticised the US for impeding global cybersecurity cooperation and communication, describing the charges as a roadblock to international efforts to confront cybersecurity concerns. Beijing has always refuted all allegations of state-sponsored hacking, including those made by the US government.

In this instance, China's foreign ministry mentioned details provided by their own cybersecurity agency, claiming that "Volt Typhoon," another supposed Beijing-linked gang, was actually the work of a global ransomware organisation.

Chinese-Linked Cyberespionage Groups Now Using Ransomware to Hide Activities

 

Chinese-linked cyberespionage campaigns are increasingly deploying ransomware to either make money, distract their adversaries, or make it harder to attribute their activities, according to researchers from SentinelLabs and Recorded Future. This shift marks a change from the traditional practices of state-backed hackers, who previously avoided using ransomware. 

A report published on Wednesday identified that ransomware attacks in 2022, including those on the Brazilian presidency and the All India Institute of Medical Sciences (AIIMS), were actually the work of a Chinese-linked cyberespionage group known as ChamelGang or CamoFei. 

By employing ransomware, these cyberespionage groups can obscure their true identity and activities, making it appear as if the attacks were carried out by independent cybercriminals instead of state-sponsored actors. 

"Misattributing cyberespionage as purely financially motivated cybercrime can have strategic repercussions," the researchers noted. This is particularly concerning when ransomware attacks target government or critical infrastructure organizations. 

Ransomware attacks typically lock files and data, with attackers demanding a ransom for decryption. However, sometimes the attackers never decrypt the data, turning the attack into a destructive one. This complicates efforts to restore systems and obscures the true nature of the attack, benefiting cyberespionage groups by erasing traces of their operations. 

In November 2022, Delhi police labeled the AIIMS attack an act of “cyber terrorism,” with anonymous officials attributing it to Chinese hackers. Despite these allegations, the Chinese Embassy in Washington, D.C., denied involvement, emphasizing the complexity of tracing cyberattacks and the need for substantial evidence. 

The report comes amid growing concerns from U.S. officials about aggressive Chinese cyber activities, such as Volt Typhoon, which are designed to influence U.S. decision-making in the event of a conflict. While Chinese cyber operations using ransomware is not unprecedented, it reflects a broader trend of state-linked groups, including Russian military intelligence, using disruptive malware to mislead and amplify psychological impacts. 

Ransomware acts as a smoke screen, serving various strategic goals and allowing state-aligned operations to replenish their disruptive tools more quickly. Ben Carr, chief security and trust officer at Halcyon, suggests that this approach allows cyberespionage groups to gather intelligence and simulate more malicious activities, effectively "wargaming" potential future scenarios.

Dutch Intelligence Warns of Extensive Chinese Cyber-Espionage Campaign


 

The Dutch Military Intelligence and Security Service (MIVD) has issued a warning about the far-reaching consequences of a Chinese cyber-espionage operation disclosed earlier this year. According to the MIVD, the scale of this campaign is "much larger than previously known," impacting numerous systems across multiple sectors. 

In a joint report with the General Intelligence and Security Service (AIVD) released in February, the MIVD described how Chinese hackers exploited a critical vulnerability in FortiOS/FortiProxy (CVE-2022-42475). This remote code execution flaw was used over several months between 2022 and 2023 to deploy malware on susceptible Fortigate network security devices. During this "zero-day" period, about 14,000 devices were compromised. Targets included various Western governments, international organizations, and many companies within the defense industry. 

The malware, identified as the Coathanger remote access trojan (RAT), was detected on a network used by the Dutch Ministry of Defence for research and development (R&D) of unclassified projects. However, network segmentation prevented the attackers from spreading to other systems. The MIVD highlighted that this previously unknown malware strain could persist through system reboots and firmware upgrades. It was used by a Chinese state-sponsored hacking group in a political espionage campaign targeting the Netherlands and its allies. 

This persistent access allowed the state actor to maintain control over compromised systems even after security updates were applied. "The exact number of victims with malware installed is unknown," stated the MIVD. "However, the Dutch intelligence services and the NCSC believe that the state actor could potentially expand its access to hundreds of victims worldwide and engage in further actions such as data theft." Since February, the Dutch military intelligence service discovered that the Chinese threat group had accessed at least 20,000 FortiGate systems globally over a span of a few months in 2022 and 2023, beginning at least two months before Fortinet disclosed the vulnerability. 

The Coathanger malware's ability to intercept system calls to avoid detection and its resilience against firmware upgrades make it particularly difficult to remove. Fortinet disclosed in January 2023 that the CVE-2022-42475 vulnerability was exploited as a zero-day to target government organizations and related entities. The MIVD's findings mirror the characteristics of another Chinese hacking campaign that targeted unpatched SonicWall Secure Mobile Access (SMA) devices with cyber-espionage malware designed to withstand firmware updates. 

The revelations from Dutch intelligence underscore the increasing sophistication and persistence of state-sponsored cyber-espionage campaigns. As cyber threats continue to evolve, the importance of robust cybersecurity measures and vigilant monitoring becomes ever more critical to protect sensitive information and infrastructure from these advanced persistent threats.

Russian Turla Leveraged Other Hackers' USB-Delivered Malware

 

Russian state-sponsored cyber threat actor Turla victimized a Ukrainian organization in a recent attack. The hackers leveraged legacy Andromeda malware that was executed by other hackers via an infected USB drive, Mandiant reports. 

Turla is active since at least 2006, however, the group came into light in 2008 as the group was behind the agent.btz, a venomous piece of malware that spread through US Department of Defense systems, gaining widespread access via infected USB drives plugged in by the Pentagon employee who was unaware of the danger. 

Also, the group has been historically associated with the use of the ComRAT malware. After 15 years, the group again came into the spotlight. However, this time the group is trying a new trick that is hijacking the USB infections of other malicious actors to piggyback on their infections to spy on targets.

Legacy Andromeda malware also known as Wauchos or Gamarue which has been active since at least September 2011, is a modular trojan that is capable of checking whether it is being executed or debugged in a virtual environment by using anti-virtual machine techniques. 

In the Turla-suspected operation tracked as UNC4210, at least three expired Andromeda command and control (C&C) domains were used for victim profiling, Mandiant discovered. 

The attack took place in September 2022, however, the Ukrainian organization was infected with a legacy Andromeda sample in December 2021 via an infected USB drive. A malicious LNK file on the drive was used for malware installations. Also, it downloads other malware from its commanding servers in order to steal information from infected computers. The countries that are most affected by the malware are India (24%), Vietnam (12%), and Iran (7%). 

The study on Turla operations has been conducted by Kaspersky, Symantec, and CrySyS Lab in Budapest and they revealed that the threat actors behind the campaign are highly sophisticated in their methods. More than one malicious file is used by the threat actor to accomplish their end goals. 

First, a backdoor mostly known as “Wipbot” and “Tavdig” (also known as “WorldCupSec” or “TadjMakhal”) is designed to collect important data. Then it delivered its main module, which has the ability to execute a variety of commands and exfiltrate data on the targeted system. 

“As older Andromeda malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims. This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities,” Mandiant reported. 

Furthermore, it says that this is the first suspected Turla attack that has targeted Ukrainian organizations after the Russian invasion.

Worok Cyber Espionage Group Employs Malicious PNG Images to Propagate Malware

 

Cybersecurity researchers have unearthed new malware threats manufactured to exploit steganography methodologies. Worok seems to be a complex cyber-espionage operation whose individual stages are still unknown. The campaign's final stage, however, has been identified by two cybersecurity firms.

Worok employs multi-stage malware created to siphon data and target high-profile victims, using steganography ways to conceal parts of the payloads in a plain PNG image file. The new malware was first uncovered by ESET in September. 

The researchers described Worok as a new cyber spying group that employs undocumented tools, including a steganography methodology designed to exfiltrate a malicious payload from a plain PNG image file. 

The cyber espionage group targeted high-profile victims like government agencies, particularly in the Middle East, Southeast Asia, and South Africa. ESET's knowledge of the trouble's attack chain was limited, but the latest report from Avast has provided fresh details regarding this malicious campaign.

According to the Czech security firm, Worok employs a complex multistage design to conceal its activities. The hackers employ sideloading to execute the CLRLoader malware which, in turn, implements the PNGLoader DLL, capable of reading obfuscated code masking in PNG files. 

That code translates to DropBoxControl, a custom .NET C# infostealer that abuses Dropbox file hosting for communication and data theft. The info stealer can support multiple commands, including running cmd /c, launching an executable, downloading and uploading data, deleting and renaming files, capturing file information, spy network communications, and extracting metadata. 

While researchers are still trying to put all the pieces together, the latest report from Avast confirms that Worok is a custom operation manufactured to siphon data, spy, and target high- victims in specific parts of the globe. 

“The key finding of this research is the interception of the PNG files, as predicted by ESET. The stenographically embedded C# payload (DropBoxControl) confirms Worok as the cyberespionage group. They steal data via the DropBox account registered on active Google emails,” Researchers at AVAST explained. “The prevalence of Worok’s tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America.”

Cyberattacks On Small Businesses: The US Economy’s ‘Achilles Heel’?


Small business firms play an important role when it comes to the economy, but they are more vulnerable to cyberattacks. 

At the time when Elena Graham, co-founder of Canada-based security service CYDEF, started selling cyber security software to smaller firms and businesses, business was relatively slow. However, now the demand is increasing, driven by a sharp rise in remote work that has exposed small businesses to cyberattacks. 

Since the start of the year, business at her security firm has tripled reaching an all-time high. "It was a total head-in-the-sand situation. 'It's not going to happen to me. I'm too small.' That was the overwhelming message that I was hearing five years ago. But yes, it is happening." says Elena. 

But with the booming security services, one can deduce that small businesses are comparatively at higher risk of being attacked by threat actors, than large businesses, as noted by Barracuda Networks.  

The risks were dramatically bolstered by the global pandemic. According to a report by RiskReconm, a Mastercard company that evaluated companies’ cyber-security risk, cyberattacks on small companies surged by more than 150% between 2020-21. 

"The pandemic created a whole new set of challenges and small businesses weren't prepared," says Mary Ellen Seale, chief executive of the National Cybersecurity Society, a non-profit that helps small businesses create cyber-security plans. 

In March 2020, at the peak of the pandemic, a survey of small businesses by broadcaster CNBC concluded that only 20% planned on investing in cyber-protection. 

Working remotely, during the pandemic, meant that more personal devices like smartphones, tablets, and laptops had access to sensitive corporate information.  

Lockdown, however, put a strain on budgets, curtailing the amount of money businesses could invest in security. Cybersecurity and costly in-house experts were frequently out of reach. Consequently, the weak cyber-security infrastructure was prone to cyber-attacks. 

With just one compromised supplier, cyber criminals could access networks of organizations further up the supply chain. According to Ms. Seale, "Large businesses depend on small businesses[…]They are the lifeblood of the United States, and we need a wake-up call." Small businesses account for more than 99% of companies in the US and employ nearly half of all Americans, playing a critical role in the global economy. In regard to this, Dr. Kim says they are like the economy's "Achilles heel". 

“They may be a small company but what they sell to large businesses could be very important. If they're hacked, [their product] won't be fed into supply chains and everything will be affected," Dr. Kim further adds. 

Iranian Attackers are Employing a New DNS Hijacking Malware to Target Organizations

 

The Iran-linked Lycaeum cyber espionage group, also known as Hexane or Spilrin, group is employing a new .NET-based DNS backdoor to target firms in the energy and telecommunication sectors.

Lyceum has previously targeted communication service vendors in the Middle East via DNS-tunneling backdoors. 

According to analytics from Zscaler ThreatLabz researchers, the backdoor is based on a DIG.net open-source tool to launch "DNS hijacking" assaults – DNS query manipulation to redirect users to malicious clones of authentic sites – implement commands, drop payloads, and exfiltrate data. 

 Employs Word doc 

The hackers target organizations via macro-laced Microsoft Documents downloaded from a domain named "news-spot[.]live," impersonating a legitimate site. The document is masked as a news report with an Iran Military affairs topic. 

When a victim downloads the file from this site, it asks to enable the macro to view the content. After enabling macros, the DnsSystem.exe backdoor is the DNS backdoor is dropped directly onto the Startup folder for establishing persistence between reboots. 

"The threat actors have customized and appended code that allows them to perform DNS queries for various records onto the custom DNS Server, parse the response of the query to execute system commands remotely, and upload/download files from the Command & Control server by leveraging the DNS protocol." - Zscaler researchers Niraj Shivtarkar and Avinash Kumar explained in a report published last week.

Initially, the malware sets up the DNS hijacking server by securing the IP address of the "cyberclub[.]one" domain and generates an MD5 based on the victim's username to serve as a unique victim ID. Additionally, the malware is well trained to upload and download arbitrary files to and from the remote server as well as implement malicious system commands remotely on the exploited server.

 Evolution of Lyceum 

The Lyceum APT group was first spotted at the beginning of August 2019 attempting to secure access to the organization’s systems via password spraying or brute-force attacks. 

Lyceum primarily focuses on cyber espionage, and this new stealthy and potent backdoor is evidence of its evolution in the field. The Iranian group is expected to continue participating in these data theft campaigns that often include multiple hacking groups from the country. 

"APT threat actors are continuously evolving their tactics and malware to successfully carry out attacks against their targets," the researchers stated. "Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes the static analysis even more challenging."

European Organizations Targeted by 'Mustang Panda’ Hacking Group

 

Cybersecurity researchers have unearthed a new campaign by advanced persistent threat (APT) group Mustang Panda targeting European and Russian organizations using topical spear-phishing lures linked to the war in Ukraine. 

Mustang Panda, also known as RedDelta, Bronze President, or TA416 has been active since at least 2012 and over the years has targeted entities in EU member states, the United States and Asian countries where China has interests. The targets have included diplomatic organizations, non-governmental organizations (NGOs), religious organizations, telecommunication firms, and political activists.

"Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves," Cisco Talos said in a new report published this week. 

The hacking group is known for designing its phishing lures based on current scenarios that might be of interest to its targets. These have included the COVID-19 pandemic, international summits, and political topics. The attacks observed this year by researchers from Cisco Talos and several other security firms used reports from EU institutions regarding the security situation in Europe both before and after Russia's invasion of Ukraine. 

Mustang Panda modus operandi 

The PlugX RAT, also known as KorPlug, continues to remain the Mustang Panda's preferred spying tool. is Mustang Panda’s malware of choice. The threat actor has used multiple variants of it for several years, together with other threat actors originating from China. 

Recent attack campaigns spotted this year have primarily phishing messages containing malicious lures masquerading as official European Union reports on the ongoing conflict in Ukraine or Ukrainian government reports, both of which download malware onto infected devices. 

A similar technique is also used to target various entities in the U.S. and several Asian countries like Myanmar, Hong Kong, Japan, and Taiwan. 

The researchers also spotted Mustang Panda distributing a malicious file containing PlugX with a Russian name referencing the Blagoveshchensk Border Guard Detachment. But similar attacks identified towards the end of March 2022 show that the actors are upgrading their tactics by minimizing the remote URLs used to obtain different components of the infection chain. 

Other than PlugX, infection chains utilized by the APT group have involved the deployment of custom stagers, reverse shells, Meterpreter-based shellcode, and Cobalt Strike, all of which are used to establish remote access to their targets with the intention of conducting espionage and information theft. 

"By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft," Talos researchers added.

Taiwanese Government Suffers 5 Million Cyber Attacks Per Day

 

The Taiwanese government faces Five Million cyberattacks per day. Nearly half of them are believed to be originated from China. 

Cyber security department director Chien Hung-Wei told parliament representatives on Wednesday that government infrastructure faces “five million attacks and scans a day”. Security experts are working tirelessly to strengthen defensive measures and collect relevant data for examination in a bid to stop the assaults.

Taiwan’s defence ministry warns of an increase in the attacks carried by China-linked actors against its systems. The ministry accused China of ramping up since the 2016 election of President Tsai Ing-wen, who always claimed the independence of the island from Beijing. On the other end, Beijing considers the island as part of its own territory and does not exclude its military occupation in the future. 

According to the report shared by Taiwan’s defence ministry, the ministry of information security and protection centre handled around 1.4 billion “anomalies” from 2019 to August 2021 to prevent potential hacking. Last year in August 2020, Chinese attackers secured access to around 6,000 email accounts belonging to at least 10 Taiwan government agencies. 

Since 2018, the China-linked cyber espionage groups tracked as Blacktech and Taidoor have been targeting government agencies and information service providers. All these cyber assaults are part of a cyber espionage campaign, Taiwan Bureau Cyber Security Investigation Office reported. The Chinese government has increased diplomatic and economic pressure on Taiwan over the years, it also showed the muscles increasing military drills near the country in recent weeks. 

Many defence experts believe that the Chinese cyber warfare department is at least a decade ahead in terms of cyber capabilities and is aiming towards the goal of instantly disrupting or at least weakening the enemy’s computer networks so as to paralyze their decision-making capability at the very commencement of hostilities.

According to a paper titled China’s Cyber Warfare Capability and India’s Concerns, published in the Journal of Defence Studies, the author revealed that Chinese government is training its military personnel in Information Warfare. In 2013, a security firm Mandiant published a detailed report attributing a Chinese Military Unit to cyber espionage. This was perhaps the first time that such technical evidence and analysis linking activities to a government entity had been made public.

Experts Find Kurdish Espionage Campaign Active on Facebook

 

Experts at ESET have probed a targeted espionage mobile campaign towards the Kurdish ethnic group, the campaign is in action since March 2020, disseminating (through dedicated FB accounts) two android backdoors named as SpyNote and 888 RAT, appearing to be genuine apps. The profiles were found presenting android news in Kurdish and news for pro Kurds. Few profiles intentionally sent additional monitoring apps to FB groups (public) with content in Kurd's support. Data downloaded from a website hints that around 1,481 URL downloads were promoted through FB posts.

Live Security said "we identified 28 unique posts as part of this BladeHawk campaign. Each of these posts contained fake app descriptions and links to download an app, and we were able to download 17 unique APKs from these links."The latest Android 888 Rat was used by the BladeHawk and Kasablanka groups. Both the groups used false names to call out the same Android Rat- Gaza007 and LodaRat respectively. 

The espionage campaign in this article is directly linked to two cases (publicly disclosed) that surfaced in 2020. QiAnXin Threat Intelligence center identified the hacking group behind the BladeHawk campaign, which it has adopted. 

The 2 campaigns were spread through FB, via malware with built-in commercials, samples using the same C&C servers, and automated tools (SpyNote and 888 Rat). Experts found six FB profiles linked to the BladeHawk attack, distributing Android espionage. These were reported to FB and eventually taken down. 

Two FB profiles targeted tech users and the other four disguised as Pro Kurds. The profiles were made in 2020 and soon after, started distributing the fake apps. Except for one account, none of the other profiles have posted any content except Android Rat posing to be genuine applications.

"These profiles are also responsible for sharing espionage apps to Facebook public groups, most of which were supporters of Masoud Barzani, former President of the Kurdistan Region; an example can be seen in Figure 1. Altogether, the targeted groups have over 11,000 followers," reports Live Security.

Chinese Military Unit Linked to Cyber Espionage Campaign Targeting India

 

Recorded Future, a US security firm, revealed a cyber espionage campaign linked to a suspected Chinese state-sponsored threat activity group, named RedFoxtrot. Recorded Future's threat research arm Insikt Group, discovered evidence dating back to 2014 that interconnects RedFoxtrot and Chinese military-intelligence apparatus, the People's Liberation Army (PLA) Unit 69010. 

Before restructuring in 2015, PLA’s cyber-attack unit 69010 was known as the Lanzhou Military Region’s Second Technical Reconnaissance Bureau, and now it has been incorporated into the Network Systems Department of the PLA’s Strategic Support Force (SSF). According to a report published by Recorded Future’s Insikt Group, cybersecurity experts have detected intrusions targeting aerospace, defense, government, telecommunications, mining, and research organizations in Afghanistan, India, Kazakhstan, Kyrgyzstan, Pakistan, Tajikistan, and Uzbekistan.

“Notable RedFoxtrot victims over the past 6 months include multiple Indian aerospace and defense contractors; telecommunications companies in Afghanistan, India, Kazakhstan, and Pakistan; and several national and state institutions in the region. Activity over this [past six-month] period showed a particular focus on Indian targets, which occurred at a time of heightened border tensions between India and the People’s Republic of China (PRC,” analysts explained.

According to the research team, for its attacks, the RedFoxtrot group employs both bespoke and publicly available malware families, including IceFog, ShadowPad, Royal Road, PCShare, PlugX, and web server infrastructure to host and deliver payloads and to collect stolen information. Some of the group’s past campaigns have been previously documented by other security firms under different names in something that has become a common sight in modern-day threat hunting.

“The recent activity of the People's Liberation Army has largely been a black box for the intelligence community. Being able to provide this rare end-to-end glimpse into PLA activity and Chinese military tactics and motivations provides invaluable insight into the global threat landscape. The persistent and pervasive monitoring and collection of intelligence is crucial in order to disrupt adversaries and inform an organization or government's security posture", Christopher Ahlberg, CEO, and Co-Founder of Recorded Future, stated.

Recorded Future researchers were successful in making connections inside this nebula of Chinese state-sponsored hacking activity to RedFoxtrot (and subsequently to PLA Unit 69010) due to lax operational security (OpSec) measures of one of its members. 

“Insikt Group is not publicly disclosing the identity of this individual; however, an extensive online presence provided corroborating evidence indicating that this individual is located in Ürümqi, has an interest in hacking, and also has a suspected historical affiliation with the PLA’s former Communications Command Academy located in Wuhan,” the researchers further stated.