
New Malware 'WordDrone' Targets Taiwan's Drone Industry




Acronis (TRU) has published a comprehensive investigation revealing a highly sophisticated malware operation targeting Taiwan's growing drone industry. Dubbed "WordDrone," the malware abuses a version of Microsoft Word from the 1990s to install a persistent backdoor, the kind of threat that puts the security of companies in Taiwan's drone sector in real jeopardy. At this stage, Taiwan's strategic military and technological position appears to be the rationale behind a breach designed to extract critical information, and it comes at a time when government investment in drone technology is accelerating.


How WordDrone Operates

WordDrone relies on DLL side-loading against a vulnerable version of Microsoft Word 2010. The attackers place three files on the target system: a legitimate copy of the Microsoft Word executable (winword), a malicious DLL named wwlib.dll, and an additional encrypted file with a random name.

When the benign Word executable runs, it unwittingly loads the malicious DLL, which then decrypts and executes the real payload. The technique exploits how older versions of Microsoft Word resolve their DLLs: the malicious DLL masquerades as part of Microsoft Office. Because the files involved look legitimate to most detection systems, WordDrone is very hard for traditional security tools to detect and block.


Advanced Detection Evasion Tactics

Many of the malicious DLLs are digitally signed with certificates that had only recently expired. Because many security systems rely on code signatures to verify software, this disguise of legitimacy makes detection much harder and lets WordDrone bypass defences that trust signed binaries.
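As an added example (not part of the Acronis report or this post), the triage logic below runs over constructed image-load records and flags the two indicators described above: winword.exe loading wwlib.dll from somewhere other than an Office install directory, and a module whose signing certificate had already lapsed. The record fields, the Office root paths and the ERP folder name are assumptions; the same check applies to the Word-based DLL sideloading described in the TIDRONE post further down this page.

```python
"""Triage image-load telemetry for Word-based DLL sideloading (added example).

Records are constructed for this example; field names are this script's own,
not a vendor schema. Office install roots are assumptions for a typical estate.
"""
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Dict, List, Optional


@dataclass
class ImageLoad:
    process: str                        # image name of the loading process
    process_path: str                   # full path of that process image
    dll_path: str                       # full path of the loaded module
    signer: Optional[str]               # signing certificate subject, None if unsigned
    cert_not_after: Optional[datetime]  # signing certificate expiry, None if unsigned
    loaded_at: datetime                 # time of the load event


# Where a genuine Office deployment keeps winword.exe and wwlib.dll (assumed).
OFFICE_ROOTS = (
    r"C:\Program Files\Microsoft Office",
    r"C:\Program Files (x86)\Microsoft Office",
)

# DLLs winword.exe resolves from its own directory, so a relocated copy of the
# binary loads whatever sits beside it; wwlib.dll is the one named on the page.
SIDELOAD_TARGETS = {"wwlib.dll"}


def under_office_root(path: str) -> bool:
    """True when path lies below one of OFFICE_ROOTS (case-insensitive, Windows rules)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(root) in p.parents for root in OFFICE_ROOTS)


def assess(load: ImageLoad) -> List[str]:
    """Return findings for one image-load record; an empty list means nothing stood out."""
    findings: List[str] = []
    dll_name = PureWindowsPath(load.dll_path).name.lower()
    if load.process.lower() == "winword.exe" and dll_name in SIDELOAD_TARGETS:
        if not under_office_root(load.process_path):
            findings.append("winword.exe running outside an Office install root")
        if not under_office_root(load.dll_path):
            findings.append(f"{dll_name} loaded from outside an Office install root")
        if load.signer is None:
            findings.append(f"{dll_name} is unsigned")
    # A lapsed signer is a triage indicator, not proof: a countersigned (timestamped)
    # signature stays valid after its certificate expires, so confirm with chain validation.
    if load.cert_not_after is not None and load.cert_not_after < load.loaded_at:
        findings.append(
            f"{dll_name} signed with a certificate that expired on {load.cert_not_after:%Y-%m-%d}"
        )
    return findings


def scan(loads: List[ImageLoad]) -> Dict[str, List[str]]:
    """Map the dll_path of every suspicious record to its findings."""
    report: Dict[str, List[str]] = {}
    for load in loads:
        findings = assess(load)
        if findings:
            report[load.dll_path] = findings
    return report


T = datetime(2024, 9, 10, 9, 30)  # arbitrary load time for the constructed records

# Constructed telemetry: a genuine load, a copy dropped in a placeholder ERP folder with a
# lapsed signer, and an unsigned copy in a public directory.
SAMPLE_LOADS = [
    ImageLoad("WINWORD.EXE", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll",
              "Microsoft Corporation", datetime(2026, 1, 1), T),
    ImageLoad("winword.exe", r"C:\ERP_EXAMPLE\bin\winword.exe",
              r"C:\ERP_EXAMPLE\bin\wwlib.dll",
              "Example Signer Ltd", datetime(2024, 8, 31), T),
    ImageLoad("winword.exe", r"C:\Users\Public\tmp\winword.exe",
              r"C:\Users\Public\tmp\wwlib.dll", None, None, T),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_LOADS).items():
        print(path)
        for f in findings:
            print("  -", f)
```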

Once executed, the threat proceeds through a series of well-crafted stages. The payload begins with a shellcode stub that unpacks and injects an "install.dll" component, which establishes persistence on the affected system. install.dll can keep the malware present across reboots by several techniques: installing it as a background service, scheduling it as a recurring task, or directly injecting the next stage of execution, which needs no permanent installation.


Persistence and Defense Evasion Techniques

WordDrone applies advanced techniques to stay unobserved and keep running. It begins with NTDLL unhooking: it reloads a fresh copy of the NTDLL library, discarding the hooks that monitoring software places there so security tools can no longer intercept its calls. It also works to keep EDR quiet: it scans for active security processes and creates blocking rules in Windows Firewall to hamper the identified security tools, effectively disabling detection capabilities that might otherwise raise the alarm.


Command-and-Control (C2) Communication for Remote Control

Another advanced feature of WordDrone is its ability to communicate with a C2 server, so the attackers can control the malware after it is installed. The communication schedule is hard-coded in the malware as a bit array marking the active hours of the week; during those hours the malware asks the C2 server for further instructions or additional malicious files.
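The schedule bit array is the kind of artefact an analyst recovers from a sample and then tests against observed beacon timestamps. The code below is an added example, not from the report or this post; the layout (168 bits packed LSB-first into 21 bytes, bit 0 = Monday 00:00 UTC) and the sample bitmap are assumptions, since the page does not give WordDrone's actual encoding.

```python
"""Decode a week-long hourly activity bitmap like the one WordDrone is reported to
hard-code for its C2 schedule (added example).

Assumptions, since the page gives no layout: 168 bits = 7 days x 24 hours, packed
LSB-first into 21 bytes, bit 0 = Monday 00:00 UTC. The sample bitmap is constructed.
"""
from datetime import datetime, timezone
from typing import Iterable, List, Tuple

HOURS_PER_WEEK = 7 * 24
SCHEDULE_BYTES = HOURS_PER_WEEK // 8          # 21
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def decode_schedule(blob: bytes) -> List[bool]:
    """Expand the packed bitmap into 168 booleans, one per hour of the week."""
    if len(blob) != SCHEDULE_BYTES:
        raise ValueError(f"expected {SCHEDULE_BYTES} bytes, got {len(blob)}")
    return [bool((blob[i // 8] >> (i % 8)) & 1) for i in range(HOURS_PER_WEEK)]


def encode_schedule(active_hours: Iterable[int]) -> bytes:
    """Inverse of decode_schedule; used here to cross-check a recovered bitmap."""
    out = bytearray(SCHEDULE_BYTES)
    for h in active_hours:
        if not 0 <= h < HOURS_PER_WEEK:
            raise ValueError(f"hour index {h} out of range")
        out[h // 8] |= 1 << (h % 8)
    return bytes(out)


def active_windows(active: List[bool]) -> List[Tuple[str, int, int]]:
    """Collapse the bitmap into (day, start_hour, end_hour) runs, end exclusive.

    Runs that cross midnight are split so each tuple stays within one day.
    """
    windows: List[Tuple[str, int, int]] = []
    start = None
    for i, on in enumerate(active + [False]):   # sentinel closes a run ending Sunday 23:00
        if on and start is None:
            start = i
        elif not on and start is not None:
            h = start
            while h < i:
                day = h // 24
                end = min(i, (day + 1) * 24)
                windows.append((DAYS[day], h - day * 24, end - day * 24))
                h = end
            start = None
    return windows


def utc(year: int, month: int, day: int, hour: int) -> datetime:
    """Build an aware UTC timestamp for the functions below."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def is_active(active: List[bool], ts: datetime) -> bool:
    """True when an aware timestamp falls in an active hour of the schedule."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    ts = ts.astimezone(timezone.utc)
    return active[ts.weekday() * 24 + ts.hour]


def unexplained_beacons(active: List[bool], seen: Iterable[datetime]) -> List[datetime]:
    """Observed C2 contacts that the recovered schedule does not account for.

    A non-empty result means the assumed bit order or week origin is wrong, or the
    sample contacted its server outside the hard-coded schedule.
    """
    return [ts for ts in seen if not is_active(active, ts)]


# Constructed sample: Monday to Friday, 01:00-10:00 UTC (09:00-18:00 in UTC+8).
SAMPLE_BLOB = bytes.fromhex("fe0300" * 5 + "00" * 6)

if __name__ == "__main__":
    schedule = decode_schedule(SAMPLE_BLOB)
    for day, start, end in active_windows(schedule):
        print(f"{day} {start:02d}:00-{end:02d}:00 UTC")
    seen = [utc(2024, 9, 10, 5), utc(2024, 9, 14, 5)]   # a Tuesday and a Saturday
    print("unexplained:", unexplained_beacons(schedule, seen))
```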

WordDrone can operate over several communication protocols, including TCP, TLS, HTTP, HTTPS, and WebSocket, all of which make identifying and analysing its network activity much more difficult. Its use of a custom binary format for that communication makes the traffic even harder for security teams to intercept or interpret.


Possible Supply Chain Attack and Initial Infection Vector

The entry point of the WordDrone malware is not clear. Initial analysis, however, found the malicious files inside the folder of a well-known Taiwanese ERP software package. That makes it likely that the attackers compromised the ERP software as part of a supply chain attack, possibly exposing other organisations that use the software in other markets.

The WordDrone attack on the Taiwanese drone industry illustrates the vulnerabilities that strategically important sectors face. Cybersecurity experts urge ongoing vigilance as defence and technology organisations contend with such persistent threats.


'TIDrone' Cybercriminals Target Taiwan's Drone Makers


A previously unknown threat actor with possible ties to Chinese-speaking groups has primarily targeted drone makers in Taiwan as part of a cyber attack operation that started in 2024. Trend Micro is tracking the adversary under the codename TIDRONE and assesses the activity as espionage-driven because of its emphasis on military-related industry chains.

The specific initial access vector used to breach targets is currently unknown, although Trend Micro's analysis revealed the distribution of custom malware such as CXCLNT and CLNTEND via remote desktop tools such as UltraVNC. A notable feature observed across multiple victims is the use of the same enterprise resource planning (ERP) software, raising the likelihood of a supply chain attack.

The attack chains then move through three distinct phases intended to escalate privileges through credential dumping, evade security by turning off antivirus software installed on the hosts, and bypass User Account Control (UAC).

Both backdoors are launched by sideloading a rogue DLL through the Microsoft Word application, allowing the attackers to collect a wide range of confidential data. CXCLNT offers basic file upload and download capabilities, as well as functions for erasing traces, gathering victim information such as file listings and device names, and downloading next-stage portable executable (PE) and DLL files for execution.

CLNTEND, detected in April 2024, is a remote access tool (RAT) that supports a broader range of network communication protocols, including TCP, HTTP, HTTPS, TLS, and SMB (port 445).

"The consistency in file compilation times and the threat actor's operation time with other Chinese espionage-related activities supports the assessment that this campaign is likely being carried out by an as-yet unidentified Chinese-speaking threat group," security researchers Pierre Lee and Vickie Su stated.

Hackers Spread Disinformation to Undermine Taiwan's Military


Foreign hackers are increasingly targeting Taiwan by hijacking social media accounts to spread disinformation aimed at undermining the country's military, according to a statement released by the Ministry of Justice Investigation Bureau (MJIB) yesterday.

The hackers, believed to be operating from abroad, are using compromised Internet-connected devices, including surveillance cameras and facial recognition systems, to gain unauthorised access to social media accounts on popular platforms like Dcard and PTT (Professional Technology Temple). By infiltrating these forums, they have been able to post false information that seeks to damage the reputation of Taiwan’s armed forces.

One of the key tactics employed by these cybercriminals is impersonating Taiwanese air force personnel. They have posted misleading content claiming that many military pilots are dissatisfied with their pay and working conditions. Some posts suggest that pilots would rather incur tremendous financial losses than renew their contracts, while others falsely claim that military members are leaving their posts to pursue civilian careers for better work-life balance.

On PTT, an account named “ss900287” further amplified these messages by sharing a link to a photograph that supposedly showed a list of retired military pilots applying for jobs with China Airlines. This, however, is another example of the misinformation being spread to create doubt and discontent among the public regarding Taiwan’s military.

Rise in False Posts Across Social Media

Despite the efforts of the Air Force Command to counteract these false narratives, there has been a noticeable increase in similar disinformation across more than 170 suspicious Facebook groups, including names such as “The Strait Today,” “Commentary by the Commander,” and “You Ban, Me Mad.” These groups are suspected of being part of the coordinated effort to spread misleading content.

Advanced Techniques to Evade Detection

According to the MJIB, the hackers have been able to maintain their disinformation campaign by exploiting vulnerabilities in facial recognition systems, digital cameras, and other networked devices. By stealing personal data and taking over social media accounts, they have managed to pose as legitimate users, making their disinformation appear more credible.

To avoid detection, the hackers have employed sophisticated methods such as data de-identification and rerouting their activities through multiple channels, which has made it difficult to trace their identities and locations. In response, the MJIB has notified social media platforms, requesting that they take action against the groups and users involved in these activities.

The MJIB is advising Taiwanese citizens to strengthen the security of their Internet-connected devices. This includes setting strong, unique passwords and regularly updating them to minimise the risk of cyberattacks.

In a related development, fishermen in Penghu County have reported sightings of Chinese fishing boats using fake Taiwanese radar transponder codes in waters near Cimei Township. While these vessels initially appeared to be Taiwanese on radar, visual inspections confirmed their Chinese origin. The Coast Guard Administration has stated that any illegal vessels identified will be expelled from Taiwanese waters.

The reason behind the Chinese fishing boats disguising their transponder codes remains unclear, but it has raised concerns about the potential for further deceptive activities in the region.




Taiwanese Government Sites Suffered DDoS Attacks Following Nancy Pelosi Visit


Multiple Taiwanese government sites were disrupted by distributed denial-of-service (DDoS) attacks following the much-publicized arrival of U.S. House Speaker Nancy Pelosi, who became the first high-ranking U.S. official in 25 years to visit the democratic island nation.

Pelosi reportedly met Taiwanese President Tsai Ing-wen and reiterated America’s support for the country of 24 million. 

The cyber attacks caused intermittent outages across the government English portal, some websites of the presidential office, foreign ministry, and defense ministry. 

According to Taiwan's foreign ministry, the attacks on its website and the government's English portal were linked to Chinese and Russian IP addresses that tried to access the websites up to 8.5 million times per minute. 

A separate statement from a Tsai spokesperson on Facebook said the attack had funneled 200 times more traffic than usual to the site. However, it was back up and running just 20 minutes later, it added. 

“While the PRC is more than capable of this type of attack, DDoS is fairly unsophisticated and somewhat brutish, and it's not a tool they are known to deploy,” explained Casey Ellis, founder and CTO at Bugcrowd. “China has an enormous population of very clever technologists, large security research and hacking community, and a large government-sponsored team with offensive capability ranging from information warfare to targeted exploit development and R&D.”

Experts believe that the attacks were likely launched by Chinese activist hackers rather than the Chinese government as retaliation for the visit of Nancy Pelosi. 

Taiwan has accused China of ramping up cyber assaults since the 2016 election of President Tsai Ing-wen, who views the island as a sovereign nation and not a part of China. In 2020, Taiwanese authorities said China-linked hackers breached at least 10 Taiwan government agencies and secured access to nearly 6,000 email accounts in an attempt to exfiltrate data. 

Earlier this year, in February, the Chinese APT group APT10 (aka Stone Panda, Bronze Riverside) targeted Taiwan's financial trading sector with a supply chain attack. The threat actors launched the malicious campaign in November 2021, but it peaked between February 10 and 13, 2022, Taiwanese cybersecurity firm CyCraft reported.

New DeadBolt Ransomware Attacks Have Been Reported by QNAP


QNAP, the Taiwanese network-attached storage (NAS) device vendor, has issued a warning to its customers about a fresh wave of DeadBolt ransomware attacks. "According to the QNAP Product Security Incident Response Team (QNAP PSIRT) investigation, the attack targeted NAS systems running QTS 4.3.6 and QTS 4.4.1, with the most affected models being the TS-x51 and TS-x53 series," the NAS manufacturer said.

This is the third time since the beginning of the year that QNAP machines have been infected with the DeadBolt ransomware. "QNAP strongly advises all NAS customers to check and update QTS to the most recent version as soon as possible, and to avoid exposing its NAS to the internet," the company said in its advisory. 

As many as 4,988 DeadBolt-infected QNAP devices were discovered in late January, prompting the company to push a forced firmware update. A second spike in new infections followed in mid-March. Asustor, another storage vendor, warned its customers in February about a wave of DeadBolt ransomware attacks aimed at its NAS devices. The latest wave of DeadBolt attacks on QNAP devices was reported by Censys, an Internet search engine.

QNAP patched several vulnerabilities in early May, including a critical security flaw tracked as CVE-2022-27588 (CVSS 9.8) that could let a remote attacker execute arbitrary commands on susceptible QVR devices.

QNAP QVR is a video surveillance solution from a Taiwanese company that runs on its NAS devices without the need for additional software. DeadBolt assaults are also noteworthy for reportedly exploiting zero-day vulnerabilities in software to obtain remote access and encrypt systems.

According to a new report published by Group-IB, exploiting security vulnerabilities in public-facing applications has emerged as the third most common vector for gaining initial access, accounting for 21% of all ransomware attacks the firm examined in 2021. Meanwhile, QNAP owners infected with the DeadBolt ransomware will have to pay the ransom to receive a valid decryption key.

Chinese APT Actor Tracked as 'Antlion' Targeting Companies in Taiwan


For almost 18 months, the Chinese state-backed advanced persistent threat (APT) actor tracked as 'Antlion' has been attacking financial institutions and manufacturing companies in Taiwan in a persistent campaign. Researchers at Symantec noted that the threat actors deployed a new custom backdoor named 'xPack' on compromised networks, giving them wide access to victims' systems.

The backdoor was designed to run WMI commands remotely, and the attackers have also been seen leveraging EternalBlue exploits alongside it. They also interact with SMB shares, and may have used shares mounted over SMB to transfer data to the command and control (C2) server.

Furthermore, the attackers have successfully browsed the web through the backdoor, likely using it as a proxy to mask their IP address. Researchers believe that the malware was used in a campaign against Taiwan and had allowed the adversaries to run stealthy cyber-espionage operations. 

While dissecting one such attack, researchers found that the malicious actors spent 175 days on the compromised network. Symantec's cyberthreat unit is studying two other incidents of the kind to determine how the adversary went undetected on the network for as long as 250 days.

The researchers said the new custom malware helped the threat actors achieve this level of stealth; Symantec also identified the following custom tools that support xPack in this operation:

• EHAGBPSL – Custom C++ loader 
• CheckID – Custom C++ loader based on a similar tool used by the BlackHole RAT 
• JpgRun – Custom C++ loader 
• NetSessionEnum – Custom SMB session enumeration tool 
• Kerberos golden ticket tool based on the Mimikatz credentials stealer 
• ENCODE MMC – Custom bind/reverse file transfer tool 

"There is also evidence that the attackers likely automated the data collection process via batch scripts, while there is also evidence of instances where data was likely staged for further exfiltration, though it was not actually observed being exfiltrated from the network," explains Symantec.

Taiwanese Government Suffers 5 Million Cyber Attacks Per Day


The Taiwanese government faces five million cyberattacks per day, nearly half of which are believed to originate from China.

Cyber security department director Chien Hung-Wei told parliament representatives on Wednesday that government infrastructure faces “five million attacks and scans a day”. Security experts are working tirelessly to strengthen defensive measures and collect relevant data for examination in a bid to stop the assaults.

Taiwan's defence ministry warns of an increase in attacks carried out by China-linked actors against its systems. The ministry accused China of ramping up its activity since the 2016 election of President Tsai Ing-wen, who has consistently asserted the island's independence from Beijing. Beijing, for its part, considers the island part of its own territory and does not rule out military occupation in the future.

According to the report shared by Taiwan's defence ministry, the ministry's information security and protection centre handled around 1.4 billion "anomalies" from 2019 to August 2021 to prevent potential hacking. In August 2020, Chinese attackers gained access to around 6,000 email accounts belonging to at least 10 Taiwanese government agencies.

Since 2018, the China-linked cyber espionage groups tracked as Blacktech and Taidoor have been targeting government agencies and information service providers, and all of these attacks are part of a cyber espionage campaign, the Taiwan Bureau Cyber Security Investigation Office reported. The Chinese government has increased diplomatic and economic pressure on Taiwan over the years, and in recent weeks it has also flexed its muscles by stepping up military drills near the country.

Many defence experts believe that the Chinese cyber warfare department is at least a decade ahead in terms of cyber capabilities and is aiming towards the goal of instantly disrupting or at least weakening the enemy’s computer networks so as to paralyze their decision-making capability at the very commencement of hostilities.

According to a paper titled China's Cyber Warfare Capability and India's Concerns, published in the Journal of Defence Studies, the Chinese government is training its military personnel in information warfare. In 2013, the security firm Mandiant published a detailed report attributing cyber espionage to a Chinese military unit. This was perhaps the first time that such technical evidence and analysis linking activities to a government entity had been made public.

QNAP Patched a Flaw that Allowed Attackers to Remotely Execute Malicious Commands


QNAP, a Taiwanese NAS manufacturer, has issued security updates for numerous vulnerabilities that might allow attackers to remotely inject and execute malicious code and commands on susceptible NAS systems. File sharing, virtualization, storage management, and surveillance applications all employ network-attached storage (NAS) appliances. The headquarters of QNAP is located in the Xizhi District of New Taipei City, Taiwan. QNAP began as a department of the IEI Integration Corporation, a Taiwan-based industrial computer services provider. 

Three high-severity stored cross-site scripting (XSS) vulnerabilities (recorded as CVE-2021-34354, CVE-2021-34356, and CVE-2021-34355) affect devices running unpatched Photo Station software (releases before 5.4.10, 5.7.13, or 6.0.18), according to QNAP.

In addition, QNAP fixed a stored XSS flaw in Image2PDF that affected devices running versions prior to Image2PDF 2.1.5. Through stored XSS attacks, threat actors can inject malicious code remotely and have it persist on the targeted servers indefinitely after successful exploitation.

Stored attacks are ones in which the injected script is kept on the target servers indefinitely, such as in a database, a chat forum, a visitor log, a comment field, and so on. When the victim requests information from the server, the malicious script is downloaded. 

A command injection bug (CVE-2021-34352) affecting some QNAP end-of-life (EOL) devices running the QVR IP video surveillance software, which allowed attackers to run arbitrary commands, was also fixed. Successful attacks leveraging CVE-2021-34352 could result in NAS devices being completely taken over.

In April, QNAP NAS operating systems QTS and QuTS Hero were patched for a command injection vulnerability (CVE-2020-2509). The other critical flaw (CVE-2020-36195), which affected any QNAP NAS devices running Multimedia Console or the Media Streaming add-on, was also patched in the same batch of firmware upgrades.

 “Both vulnerabilities are simple to exploit if you know the exact technical details,” said Yaniv Puyeski, a security researcher of SAM Seamless Network. 

 The significant, pre-authenticated flaws, which require only network access to the susceptible services, highlight an insecure, all-too-common way of using the devices, according to Puyeski. “Unfortunately, a lot of QNAP owners expose their device to the internet through port forwarding which puts them at very high risk to be hacked,” he explained.

Vulnerabilities Found in Moxa Railway Devices Can Cause Disruption


Railway and other wireless communication devices developed by Moxa are affected by some 60 vulnerabilities. Moxa is a Taiwan-based industrial networking and automation firm. Earlier this week, cybersecurity firm SEC (owned by Atos) revealed that one of its experts found two new flaws in Moxa devices, along with numerous out-of-date third-party software components riddled with known vulnerabilities.

According to the experts, the Moxa devices are affected by a command injection vulnerability that an authenticated attacker can abuse to compromise the device's operating system (CVE-2021-39279), along with a reflected cross-site scripting (XSS) flaw that can be exploited using a specially crafted configuration file (CVE-2021-39278). Beyond these, the products are affected by an estimated 60 other vulnerabilities in third-party software such as the GNU C Library, Dropbear SSH, BusyBox, OpenSSL, and the Linux kernel. Moxa has released two separate advisories for the vulnerabilities.

SecurityWeek reports that "one of them describes the impact on TAP-323, WAC-1001 and WAC-2004 series devices, which are designed for railways. The TAP-323 device is a trackside wireless access point designed for train-to-ground wireless communications, while the WAC devices are described as rail wireless access controllers." Moxa is building patches for the TAP-323 and WAC-1001 products; the WAC-2004 series, however, is discontinued, and the vendor has asked customers to take precautions to reduce the risk of exploitation.

According to Thomas Weber, the SEC researcher who found the Moxa vulnerabilities, no analysis has yet been done to check whether the XSS and command injection flaws can be chained, although it may be possible. An attacker would have to trick an authenticated user into opening a link that triggers the XSS, use it to steal the information needed to authenticate to the system, and then exploit the command injection.

Experts are not sure how much damage an attacker could cause; it depends on how critical the messages sent through the devices are. "If an attacker gains access to the web-based management interface of the affected devices and they obtain login credentials — the login credentials could be obtained through various methods — they would be able to take over the whole device with persistent access," says SecurityWeek.

Chinese Hackers Target Taiwanese Telecom Firms


The Insikt Group, the intelligence research department of the US network security consulting firm Recorded Future, published a report on Thursday stating that a group suspected of being funded by the Chinese government is targeting telecommunications organizations in Taiwan, Nepal, and the Philippines.

The threat group, which researchers track as Threat Activity Group 22 (TAG-22), is targeting telecommunications, academic, research and development, and government organizations in the three countries. Some of the activity appears to be ongoing, researchers said.

The latest attacks play into a larger backdrop of apparent Chinese hackers snooping on global competition in the telecommunications space, which has become an arena of political and economic conflict between China and the United States.

“In particular, the targeting of the ITRI is notable due to its role as a technology research and development institution that has set up and incubated multiple Taiwanese technology firms,” researchers wrote. “The organization is focused on technology and sustainability projects that align with Chinese development interests. In recent years, Chinese groups have targeted multiple organizations across Taiwan’s semiconductor industry to obtain source code, software development kits, and chip designs.”

Last year, cybersecurity company CyCraft claimed that there was a two-year-long large-scale hacking operation focusing on Taiwan’s semiconductor industry, and this wave of operations is likely to be initiated by Chinese hackers. CrowdStrike, a US computer security technology company, also mentioned in a report last year that telecommunications is one of the areas most frequently targeted by Chinese hackers in the first half of 2020.

The researchers believe TAG-22 is using backdoors shared with other Chinese state-sponsored groups, including the Winnti Group, such as ShadowPad, for initial access. It also employs open-source security tools like Cobalt Strike. Outside the telecommunications industry, the threat group has targeted academia, research and development, and government organizations in Nepal, the Philippines, Taiwan, and Hong Kong.

While researchers primarily identified the group as operating in Asia, its scope of targets is generally broader, they said. That, as per researchers, puts it in line with other major Chinese hacking groups including APT17 and APT41.

South Korea and Taiwan: McDonald's Hit by a Data Breach


McDonald's has become the latest firm hit by a data breach, after unauthorised activity on its systems exposed the personal data of some customers in South Korea and Taiwan.

The attackers obtained e-mails, telephone numbers, and delivery details, but customer payment information was not included in the breach, the company said. On Friday, McDonald's also said the incident was swiftly identified and contained while a thorough investigation was undertaken.

The investigation found that company information was breached in the U.S., South Korea, and Taiwan.

In a message to U.S. employees, McDonald's said the breach exposed certain corporate contact information for U.S. staff and franchisees, along with some information about locations such as seating capacity and the square footage of play areas. No customer information was compromised in the U.S., and the exposed information about U.S. employees was not sensitive. The corporation urged employees and franchisees to watch for phishing e-mails that request information from them.

McDonald's said attackers obtained the e-mails of customers in South Korea and Taiwan, along with their phone numbers and delivery addresses. It also reported that the hackers took employee information in Taiwan, namely names and contact details.

The F&B chain said its South Korea and Taiwan businesses have notified Asian regulators of the breach and will also contact customers and employees. It added that its divisions would also notify some South African and Russian staff of possible unlawful access to their data, as those countries were also flagged by the investigation.

McDonald's asserted that its restaurant operations were not impacted by the breach and that this was not a ransomware attack, in which hackers demand a ransom to return data and control of transactions to the business. McDonald's declared that no ransom was requested and that it has not paid the hackers.

McDonald's noted that its investment in cybersecurity defences has grown in recent years and that these measures helped it respond to the incident. Shortly after detecting the breach, the corporation said, it cut off the hackers' access to the data.

“McDonald’s will leverage the findings from the investigation as well as input from security resources to identify ways to further enhance our existing security measures,” the company said.