Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label PlugX. Show all posts

Six Hackers Linked to Worldwide Cyber Attacks Arrested in Singapore


The Singaporean authorities have detained six people believed to be associated with a global cybercrime syndicate suspected of masterminding malicious cyber activities all over the world, latest reports said.

The arrest was a result of an extensive operation carried out by various law enforcement agencies in Singapore, further highlighting the growing complexity and reach of organised cybercrime.

The notion that hackers work in some sort of relative isolation is the furthest from the truth. The most substantial cyberattacks committed today are the work of organised crime or even state actors. The groups are very well organised and may be working in multiple countries to fulfil their objectives. To illustrate, North Korea-associated hacking entities have successfully withdrawn billions of dollars in ransomware attacks. These hackers don't work alone but instead use the assistance of other cyber-thieves who introduce them to sensitive information, corporate infrastructure, or digital tools which they use to push malware.

On September 9, 2024, Singapore's police conducted an operation of a large-scale raid comprising 160 officers from the Criminal Investigation Department, the Police Intelligence Department, the Special Operations Command, and the Internal Security Department. The raid was executed over several residential locations in Singapore and resulted in the arrest of six people- five Chinese nationals and one Singaporean. Members of these suspects have been associated with an international cybercrime group that is conducting its unlawful activities all over the world on the net.

Official sources claim that the suspects are connected to a gang engaged in malicious cyber activities from Singapore. During the operation, this resulted in the seizure of several devices, including hacking tools and personal data stolen from outside Singapore, as well as malware control software such as PlugX. Authorities further claim that they have seized about $850,000 worth of cryptocurrency from the suspects.

Even as the six men have been nabbed, investigations by the Singaporean police are still underway to find out their local network and connections with the worldwide cybercrime syndicate. Further investigations may throw more light on how all the cyber operations were executed from this location of Singapore.

The arrests once more underscore the cyber aspect, as criminal syndicates are using borderless operations to victimise private citizens, companies, and governments across the world. Singapore has acted quickly by arresting these hackers in the pursuit of controlling cybercrime and by underlining the importance of international cooperation, especially in fighting emerging threats.

This reminds one that cybercrime is a large and structured industry that goes beyond the hacker's operation. These criminal organisations are widely spread, and members of the outfit perform various other functions in an attack, including unauthorised access to computer systems and spewing of malware. The arrests are a blow to law enforcement agencies in Singapore, but further proof of the systemic problem of cybercrime on the global level.

International authorities have to come together, especially as cybercriminals get more clever and organised. The kind of cooperation between countries, of which the recent Singapore arrest is just a proof, helps dismantle the syndicates and bring before the law its perpetrators.



 

China-Linked Hackers Breach East Asian Firm for 3 Years via F5 Devices

 


The suspected China-based cyber espionage actor has been attributed with a prolonged cyber espionage attack that lasted approximately three years against an unnamed organization based in East Asia, in which the adversary allegedly established persistence using legacy F5 BIG-IP appliances, which served as a command-and-control system for the adversary, to evade defences. As a result of the cyber intrusion in late 2023, cybersecurity company Sygnia has been tracking the activity under Velvet Ant. 

Based on their observations, Velvet Ant has been characterized by being capable of pivoting and adapting their tactics to counter repeated attempts at eradication. Sygnia researchers explained in a blog post on June 17 that F5 Big-IP load balancer appliances are often placed at the perimeter of a network or between the segments of it, which are often trusted. 

To gain access to sensitive data, Velvet Ant was seen utilizing different tools and techniques, including the PlugX remote access trojan (RAT), which is a dormant persistence mechanism that can be deployed in unmonitored systems. As well as hijacking DLL search order, sideloading, phantom DLL loading, as well as tampering with the installed security software, the threat actor is believed to have used DLL search order hijacking, sideloading, and phantom DLL loading to install the PlugX malware. The hacking group had a high level of awareness of operational security (OPSEC) by not installing the malware on a workstation that had been configured to disable security software, showing a high level of operational security (OPSEC) awareness. 

Furthermore, Velvet Ant made use of the open-source software Impacket for remote code execution and lateral tool transfer on compromised machines, as well as the creation of firewall rules to allow the command-and-control server (C&C) to be accessed. When Sygnia identified the threat actor as having been eliminated from the victim's network, it was observed that it was infecting new machines with PlugX samples that were reconfigured to use the internal server as a command and control server and channelling external communication to the malware through the internal server. 

Researchers said attackers can gain considerable control over network traffic if they manage to compromise a device of this kind without raising suspicions.  The researchers said Velvet Ant used a variety of traditional Chinese state-sponsored threat actors' tools and techniques that they were typically associated with. There were several characteristics of the attacks, for example, a clear understanding of what they were about, a focus on network devices, exploiting vulnerabilities, and a toolkit that included Rootkits, Plugs, and the ShadowPad family of malware. 

They also included the use of side-loading methods employing DLLs. It has been suggested by researchers that Velvet Ant can sneak into sensitive data as a result of its cleverness and slippery nature. The threat actor quickly pivoted from one foothold to another after it was discovered and remedied, demonstrating agility and adaptability in evading detection as soon as the existing foothold was eliminated. A detailed understanding of the victim's network infrastructure was also demonstrated by the threat actor, as he exploited various entry points across the victim's network infrastructure, demonstrating that he possessed a comprehensive knowledge of the target." 

Sygnia uncovered a modified version of PlugX during their investigation in which malicious traffic was blended with legitimate network activity to avoid detection. In addition to this variant, another variant with an external command-and-control server for exfiltration was also deployed alongside this version, which targeted only endpoints with direct internet access in addition to other endpoints with network access. Concerning the second variant, it exploited a vulnerability in outdated F5 BIG-IP devices and used a reverse SSH tunnel to maintain communication with an external server, which lacked direct web connectivity, by exploiting vulnerabilities in obsolete F5 BIG-IP devices. 

F5 devices, which had been compromised, were examined forensically and revealed to contain a variety of tools, such as PMCD, which communicated periodically with the threat actor's command-and-control server through PMCD, network packet capture tools, and a SOCKS tunnelling tool called EarthWorm, which has been associated with espionage groups such as Gelsemium and Lucky Mouse in the past. It is still unclear how the attacker was able to gain access to the restricted system, whether through spear-phishing or using security vulnerabilities in internet-exposed devices. 

Following the growth of several China-linked espionage operations, such as Unfading Sea Haze, Operation Diplomatic Specter, and Operation Crimson Palace, all of which focused on sensitive intelligence across Asia, this incident comes as no surprise. The compromised F5 BIG-IP appliances used by the victim organization for firewall, web application firewall (WAF), load balancing, and local traffic management services were directly exposed to the internet and likely hacked through the exploitation of known vulnerabilities. On one of the compromised F5 appliances, the threat actor deployed several tools, including VelvetSting (for receiving commands from the command-and-control server), VelvetTap (to capture network packets), Samrid (the open-source Socks proxy tunneller EarthWorm), and Esrde (with capabilities similar to VelvetSting). Given the targeted organization, the deployment of ShadowPad and PlugX malware, and the use of DLL sideloading techniques, Sygnia assesses that Velvet Ant is a state-sponsored threat actor operating out of China.