Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label PlugX. Show all posts
Technology
Cyber-Espionage CyberCrime Cyberhackers CyberThreat PlugX Ransomware Software Technology

Chinese Spies Allegedly Engaged in Ransomware Operations

 


Backed by the Chinese government, a cyber-espionage group has been observed engaging in ransomware-related activities as part of its intelligence activities. Further, this observation demonstrates how nation-state cyber operations and financially motivated cybercrimes have become increasingly convergent as a result of financial incentives. 

In late November 2024, Symantec's research team observed that threat actors infiltrated a medium-sized software and services company in South Asia by exploiting a critical authentication bypass vulnerability (CVE-2024-0012) in Palo Alto Network's security systems to gain access to its databases. Several days after the initial compromise, the attackers obtained administrative credentials from the company's intranet, and this gave them access to the Veeam server. 

Upon discovering the AWS S3 credentials on the server, they discovered that data management tools like Veeam are often using these credentials to facilitate access to cloud storage accounts through the use of cloud storage tools. It is believed that these credentials were used by the attackers to gain access to the company's sensitive data stored in an S3 buckettoo to encrypt its Windows-based systems with RA World ransomware. At first, the attackers demanded a ransom of $2 million but offered a $1 million reduction if the ransom was paid within three days. 

Cybersecurity professionals are becoming increasingly concerned about the increasing intersection between state-sponsored cyberespionage, as well as traditional cybercriminal tactics, which further complicates the task of attribution of threat information and developing defense strategies against it. In addition to a legitimate Toshiba executable, which has been deployed on the victims' computers to facilitate DLL sideloading, the threat actors have also used a legitimate Toshiba executable to implement a DLL sideload. The PlugX backdoor is the result of this technique.

It is heavily obfuscated and contains the backdoor, Korplug. It has been previously reported by Symantec that the custom PlugX backdoor you see here has been associated with Mustang Panda (also known as Earth Preta), a Chinese espionage group that is believed to have been used for economic purposes. However, this specific variant has never been associated with non-Chinese threat actors. 

There are four government ministries involved in Southeast Asian countries from differing nations: the foreign ministry of one country in the region, the government of another Southeastern European country, a telecommunications operator from the region, and two other government ministries involved in different Southeast Asian nations. These intrusions are all related to espionage, all of which are driven by espionage purposes.

A Symantec analysis indicates, however, that the same toolset was employed in a November 2024 extortion attempt targeting a medium-sized software and services company based in South Asia, as well. In this case, the attacker leveraged the Toshiba executable to sideload the malicious DLL, which had the same PlugX variant as used in earlier espionage attacks, to install the malicious DLL. As a result, the victim's systems were infected with the ransomware known as RA World, which marked a shift in cyber-espionage towards financial extortion, as opposed to traditional cyber-espionage.

Several cyber-espionage groups allegedly backed by the Chinese government have been observed participating in ransomware activities, thus emphasizing how nation-state cyber operations and financially motivated cybercrime are becoming increasingly intertwined. In a report released by Symantec in late November 2024, a research team uncovered that threat actors successfully infiltrated a medium-sized software and services company in South Asia by exploiting a critical authentication bypass vulnerability found in Palo Alto Networks' security system (CVE-2024-0012).

Aside from stealing administrative credentials from the company's intranet following the initial compromise, the attackers were able to gain access to the Veeam server via the exfiltration of administrative credentials from the company's intranet. They found AWS S3 credentials on this server that are commonly used to facilitate access to cloud storage accounts by data management tools like Veeam. 

Using these credentials, the attackers were able to access sensitive data stored in S3 buckets of the company's servers before encrypting the Windows-based systems with the RA World ransomware. As a first response, the attackers initially demanded a ransom of $2 million. However, if the ransom was paid within three days, they reduced the amount to $1 million. Cybersecurity professionals are becoming increasingly concerned about the increasing intersection between state-sponsored cyberespionage, as well as traditional cybercriminal tactics, which further complicates the task of attribution of threat information and developing defense strategies against it. 

In the latest RA World ransomware attack, Bronze Starlight (also known as Emperor Dragonfly) has been identified as a possible source of the attack, a Chinese-based threat group previously linked with numerous ransomware attacks, including LockFile, AtomSilo, and NightSky. There was also evidence that the attackers used NPS, a proxy tool developed in China and previously associated with Bronze Starlight, which further strengthened the connection between the attackers and Bronze Starlight. 

A group whose mission is to provide espionage services is typically not involved in financially motivated cybercrime on a large scale. However, the possibility that this group may be involved in ransomware operations raises serious concerns. As one theory suggests, the ransomware deployment may have been an attempt to distract from the true espionage objectives of the operation, to obscure these objectives. Despite this, this theory fails to hold water due to the absence of sophisticated concealment techniques as well as the fact that it targets a non-strategic company. 

Several cybersecurity experts have suggested that the most likely explanation is that either one or more individuals in the group are seeking to profit financially from the espionage tools and infrastructure they already have. The same pattern has also been observed by other threat actor groups, in which members repurpose advanced cyber capabilities for their benefit. Even though cyber threats continue to evolve, some lines continue to blur between state-sponsored cyber operations and financially driven cybercrime.

In the case of the RA World ransomware attack, Bronze Starlight (also known as Emperor Dragonfly) has been linked with the attack, which is an established China-based cyber threat group. In the past, this group was responsible for distributing LockFile, AtomSilo, and NightSky ransomware. Moreover, the ransomware operation was also accompanied by the use of NPS, a proxy tool developed by the Chinese government and previously employed by Bronze Starlight, further suggesting a connection between the ransomware operation and the group. Even though the possibility of Bronze Starlight being associated with RA World ransomware raises several concerns, it is unlikely that espionage-focused threat actors will engage in financially motivated cybercrime. 

Ransomware deployments are thought to serve as diversionary tactics that may hide the underlying espionage objectives that are driving the operation. Despite this, the fact that the espionage tools were obfuscated in a way that is not sophisticated and that the company targeted was not a strategic company casts doubt on this hypothesis. Experts in the field of cyber security propose a more plausible explanation for the attack: an individual or a small faction in the threat group aims to gain financial gain through the use of tools and infrastructure that were originally designed to conduct espionage operations during the attack. 

Observations have been made of the same pattern by other cyber threat groups, where members repurpose their skills and access to advanced cyber capabilities for their benefit. State-sponsored cyber operations have been converged with traditional cybercrime for some time, making it more difficult to attribute and mitigate threats of this kind. The analysis conducted by Symantec suggests that the RA World ransomware attack was likely perpetrated by a single individual, likely due to his or her desire to generate personal financial gain by impersonating their employer's operations to exploit the cyber assets of the company. 

Symantec points out several inconsistencies with the alternative theory that the ransomware deployment was merely a decoy of a broader espionage campaign, stating that it may have been a decoy. There was no strategic significance for the target, no effort was put into concealing the attacker's actions, and evidence was found to be that the attacker was actively negotiating with the victim regarding a ransom payment, indicating there was more to it than just a distraction involving financial gain. 

The Symantec report also points out that Chinese cyber-espionage groups usually work together very closely and share resources, so direct involvement in ransomware attacks is an anomaly. This tactic has been observed by North Korean state-sponsored cyber actors in the past, so strategies within the threat landscape may be evolving in the future.
Read more »
PlugX malware server
Chinese Hackers Cyber Attacks Cybersecurity measures FBI Hacking malware protection PlugX PlugX malware server

FBI Hacks 4,200 Computers to Remove PlugX Malware Linked to Chinese Hackers

 

The FBI has successfully hacked and removed PlugX malware from approximately 4,200 computers across the US in a large-scale cybersecurity operation. The malware, allegedly deployed by the China-based hacking group known as “Mustang Panda” or “Twill Typhoon,” has been used since at least 2012 to steal sensitive information from victims in the US, Asia, and Europe. 

The Department of Justice announced the takedown on Tuesday, highlighting the collaborative efforts with French law enforcement to mitigate the cyber threat and prevent further damage. PlugX malware, which infects Windows computers via USB ports, allows hackers to gain unauthorized access and remotely execute commands on compromised systems. The malware operates stealthily in the background, enabling cybercriminals to exfiltrate data, monitor activity, and take control of infected machines. 

According to the FBI, compromised computers establish a connection with a command-and-control server operated by the attackers, with the malware’s IP address embedded directly into the code. Since September 2023, at least 45,000 US-based IP addresses have communicated with the server, indicating the widespread reach of the cyberattack. To eliminate the malware, the FBI leveraged the same exploit used by the attackers. After gaining access to the command-and-control infrastructure, agents retrieved the IP addresses of affected devices and issued a native command that instructed PlugX to delete itself from compromised systems. 

This command removed all files created by the malware, stopped its operation, and ensured its permanent deletion from the infected machines. The successful execution of this operation marks a significant step in neutralizing the ongoing cyber threat posed by Mustang Panda. This coordinated effort was not the first time the FBI has intervened remotely to remove malicious software from infected systems. 

In 2023, the agency dismantled a network of Quakbot-infected computers by deploying an uninstallation tool to affected devices, effectively neutralizing the botnet. Similarly, in 2021, the FBI took proactive measures to counter the Hafnium hack, which targeted Microsoft Exchange servers, by remotely patching vulnerabilities and securing affected systems. These operations demonstrate the FBI’s evolving approach to addressing cyber threats through direct intervention and international cooperation. 

Despite these successful operations, cybersecurity experts warn that PlugX and similar malware strains continue to pose a significant risk, especially given their ability to spread through USB devices. Organizations and individuals are advised to remain vigilant by implementing strong cybersecurity practices such as regularly updating software, disabling USB autorun features, and using endpoint protection tools to detect and prevent unauthorized access. 

The FBI’s decisive action highlights the persistent threat posed by state-sponsored hacking groups and underscores the importance of international collaboration in combating cybercrime. Moving forward, law enforcement agencies are expected to adopt more aggressive measures to counter cyber threats and protect sensitive information from being exploited by malicious actors.

Read more »
Singapore
cryptocurrency cybercrime syndicate malware PlugX Singapore

Six Hackers Linked to Worldwide Cyber Attacks Arrested in Singapore


The Singaporean authorities have detained six people believed to be associated with a global cybercrime syndicate suspected of masterminding malicious cyber activities all over the world, latest reports said.

The arrest was a result of an extensive operation carried out by various law enforcement agencies in Singapore, further highlighting the growing complexity and reach of organised cybercrime.

The notion that hackers work in some sort of relative isolation is the furthest from the truth. The most substantial cyberattacks committed today are the work of organised crime or even state actors. The groups are very well organised and may be working in multiple countries to fulfil their objectives. To illustrate, North Korea-associated hacking entities have successfully withdrawn billions of dollars in ransomware attacks. These hackers don't work alone but instead use the assistance of other cyber-thieves who introduce them to sensitive information, corporate infrastructure, or digital tools which they use to push malware.

On September 9, 2024, Singapore's police conducted an operation of a large-scale raid comprising 160 officers from the Criminal Investigation Department, the Police Intelligence Department, the Special Operations Command, and the Internal Security Department. The raid was executed over several residential locations in Singapore and resulted in the arrest of six people- five Chinese nationals and one Singaporean. Members of these suspects have been associated with an international cybercrime group that is conducting its unlawful activities all over the world on the net.

Official sources claim that the suspects are connected to a gang engaged in malicious cyber activities from Singapore. During the operation, this resulted in the seizure of several devices, including hacking tools and personal data stolen from outside Singapore, as well as malware control software such as PlugX. Authorities further claim that they have seized about $850,000 worth of cryptocurrency from the suspects.

Even as the six men have been nabbed, investigations by the Singaporean police are still underway to find out their local network and connections with the worldwide cybercrime syndicate. Further investigations may throw more light on how all the cyber operations were executed from this location of Singapore.

The arrests once more underscore the cyber aspect, as criminal syndicates are using borderless operations to victimise private citizens, companies, and governments across the world. Singapore has acted quickly by arresting these hackers in the pursuit of controlling cybercrime and by underlining the importance of international cooperation, especially in fighting emerging threats.

This reminds one that cybercrime is a large and structured industry that goes beyond the hacker's operation. These criminal organisations are widely spread, and members of the outfit perform various other functions in an attack, including unauthorised access to computer systems and spewing of malware. The arrests are a blow to law enforcement agencies in Singapore, but further proof of the systemic problem of cybercrime on the global level.

International authorities have to come together, especially as cybercriminals get more clever and organised. The kind of cooperation between countries, of which the recent Singapore arrest is just a proof, helps dismantle the syndicates and bring before the law its perpetrators.



 

Read more »
Velvet Ant
China Hackers Cyber Hackers Cyberattacks CyberCrime Data Breach F5 Devices OPSEC PlugX Velvet Ant

China-Linked Hackers Breach East Asian Firm for 3 Years via F5 Devices

 


The suspected China-based cyber espionage actor has been attributed with a prolonged cyber espionage attack that lasted approximately three years against an unnamed organization based in East Asia, in which the adversary allegedly established persistence using legacy F5 BIG-IP appliances, which served as a command-and-control system for the adversary, to evade defences. As a result of the cyber intrusion in late 2023, cybersecurity company Sygnia has been tracking the activity under Velvet Ant. 

Based on their observations, Velvet Ant has been characterized by being capable of pivoting and adapting their tactics to counter repeated attempts at eradication. Sygnia researchers explained in a blog post on June 17 that F5 Big-IP load balancer appliances are often placed at the perimeter of a network or between the segments of it, which are often trusted. 

To gain access to sensitive data, Velvet Ant was seen utilizing different tools and techniques, including the PlugX remote access trojan (RAT), which is a dormant persistence mechanism that can be deployed in unmonitored systems. As well as hijacking DLL search order, sideloading, phantom DLL loading, as well as tampering with the installed security software, the threat actor is believed to have used DLL search order hijacking, sideloading, and phantom DLL loading to install the PlugX malware. The hacking group had a high level of awareness of operational security (OPSEC) by not installing the malware on a workstation that had been configured to disable security software, showing a high level of operational security (OPSEC) awareness. 

Furthermore, Velvet Ant made use of the open-source software Impacket for remote code execution and lateral tool transfer on compromised machines, as well as the creation of firewall rules to allow the command-and-control server (C&C) to be accessed. When Sygnia identified the threat actor as having been eliminated from the victim's network, it was observed that it was infecting new machines with PlugX samples that were reconfigured to use the internal server as a command and control server and channelling external communication to the malware through the internal server. 

Researchers said attackers can gain considerable control over network traffic if they manage to compromise a device of this kind without raising suspicions.  The researchers said Velvet Ant used a variety of traditional Chinese state-sponsored threat actors' tools and techniques that they were typically associated with. There were several characteristics of the attacks, for example, a clear understanding of what they were about, a focus on network devices, exploiting vulnerabilities, and a toolkit that included Rootkits, Plugs, and the ShadowPad family of malware. 

They also included the use of side-loading methods employing DLLs. It has been suggested by researchers that Velvet Ant can sneak into sensitive data as a result of its cleverness and slippery nature. The threat actor quickly pivoted from one foothold to another after it was discovered and remedied, demonstrating agility and adaptability in evading detection as soon as the existing foothold was eliminated. A detailed understanding of the victim's network infrastructure was also demonstrated by the threat actor, as he exploited various entry points across the victim's network infrastructure, demonstrating that he possessed a comprehensive knowledge of the target." 

Sygnia uncovered a modified version of PlugX during their investigation in which malicious traffic was blended with legitimate network activity to avoid detection. In addition to this variant, another variant with an external command-and-control server for exfiltration was also deployed alongside this version, which targeted only endpoints with direct internet access in addition to other endpoints with network access. Concerning the second variant, it exploited a vulnerability in outdated F5 BIG-IP devices and used a reverse SSH tunnel to maintain communication with an external server, which lacked direct web connectivity, by exploiting vulnerabilities in obsolete F5 BIG-IP devices. 

F5 devices, which had been compromised, were examined forensically and revealed to contain a variety of tools, such as PMCD, which communicated periodically with the threat actor's command-and-control server through PMCD, network packet capture tools, and a SOCKS tunnelling tool called EarthWorm, which has been associated with espionage groups such as Gelsemium and Lucky Mouse in the past. It is still unclear how the attacker was able to gain access to the restricted system, whether through spear-phishing or using security vulnerabilities in internet-exposed devices. 

Following the growth of several China-linked espionage operations, such as Unfading Sea Haze, Operation Diplomatic Specter, and Operation Crimson Palace, all of which focused on sensitive intelligence across Asia, this incident comes as no surprise. The compromised F5 BIG-IP appliances used by the victim organization for firewall, web application firewall (WAF), load balancing, and local traffic management services were directly exposed to the internet and likely hacked through the exploitation of known vulnerabilities. On one of the compromised F5 appliances, the threat actor deployed several tools, including VelvetSting (for receiving commands from the command-and-control server), VelvetTap (to capture network packets), Samrid (the open-source Socks proxy tunneller EarthWorm), and Esrde (with capabilities similar to VelvetSting). Given the targeted organization, the deployment of ShadowPad and PlugX malware, and the use of DLL sideloading techniques, Sygnia assesses that Velvet Ant is a state-sponsored threat actor operating out of China.
Read more »
Subscribe to: Posts (Atom)