Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Taiwan. Show all posts
WordDrone
DLL malware Microsoft Word Supply Chain Attack Taiwan WordDrone

New Malware 'WordDrone' Targets Taiwan's Drone Industry

 



Reported by: Acronis (TRU) just published a comprehensive investigation that reveals a highly sophisticated malware operation targeting Taiwan's growing drone industry. Dubbed "WordDrone," the malware deploys a version of Microsoft Word from the 1990s to install a persistent backdoor-the kind of threat that puts the security of companies in Taiwan's growing drone industry in real jeopardy. At this stage, one suspects that strategic military and technological positions of Taiwan provide the rationale behind this breach designed to extract critical information. It is during times when investments by the government in drone technology are accelerating.


How WordDrone Operates

A new malware uses the side-loading technique by which it involves a vulnerable version of Microsoft Word 2010. Using a compromised version of Word, attackers loaded three files on the target system: a legitimate copy of the Microsoft Word application, known as winword, a malicious DLL file named wwlib.dll, and an encrypted additional file with a random name.

Then, an unconscious download of the malicious DLL by running the benign Microsoft Word file becomes a delivery method to decrypt and run the real payload of malware. This technique is the exploitation of the weakness within how older versions of Microsoft Word treat DLL files: the malicious DLL can actually masquerade as part of Microsoft Office. Such an approach will make WordDrone virtually impossible for any traditional security tool to detect and block since the files that are infected look legitimate to most detection systems.


Detection Evasion Advanced Tactics

Moreover, many of the malicious DLL files are digitally signed using highly recently expired certificates. This kind of approach, a disguise for legitimacy, many security systems employ to verify software, makes detection much more difficult. This strategy gives WordDrone an advantage bypassing defences based on trusting signed binaries, which makes it rather difficult to detect.

After running it, the threat performs a stage of well-crafted operations. The payload begins with a shellcode stub that unpacks and injects an "install.dll" component creating persistence on the affected system. The install.dll file allows malware to be present even after reboots by various techniques: it can install malware as a background service, schedule it as a recurring task, or inject the next phase of malware execution, and does not need permanent installation.


Persistence and Defense Evasion Techniques

It applies advanced techniques in a way that it stays non-observable and keeps running. Its techniques begin with NTDLL unhooking, which disables the setting of security hooks by monitoring software and re-loads a fresh instance of the NTDLL library so that security tools cannot intervene with that. In addition to that, it keeps the EDR quiet. This scan for active security processes sets up blocking rules within Windows Firewall to dampen the functions of identified security tools, effectively disabling detection capabilities that may raise defences against its presence.


Command-and-Control (C2) Communication for Remote Control

Another advanced feature about WordDrone is the ability to communicate with a C2 server, meaning the attackers can control the malware even after it is installed. The communication schedule is hardcoded within the malware by implementing a bit array that states some active hours in a week. The malware requests from the C2 server additional details or more malicious files during active hours based on such a routine.

WordDrone can function over several communication protocols including TCP, TLS, HTTP, HTTPS, and WebSocket, which all make identification and analysis much more difficult of the malware's network activities. Its use of a custom binary format for its communication makes it even more challenging to intercept or to interpret its network traffic for cybersecurity teams.


Possible Supply Chain Attack and Initial Infection Vector

The entry point of the WordDrone malware is not clear. Initial analysis, however, showed malicious files under a well-known Taiwanese ERP software's folder. That makes it likely that the attackers have also compromised the ERP software as part of a supply chain attack, possibly exposing other organisations that make use of the software in different marketplaces.

The attack by WordDrone on the Taiwanese drone industry is an example of vulnerabilities that sectors of strategic importance have to face. Ongoing vigilance from cybersecurity experts gives caution, as defence and technology-related organisations try to win the technological battle with such persistent threats.


Read more »
Threat Landscape
Chinese Actors Cyber Attacks Drone Makers Taiwan Threat Landscape

'TIDrone' Cybercriminals Target Taiwan's Drone Makers

 

A previously unknown threat actor with possible ties to Chinese-speaking groups has primarily targeted drone makers in Taiwan as part of a cyber attack operation that started in 2024. Trend Micro is tracking the adversary under the codename TIDRONE, claiming that the activity is espionage-driven due to the emphasis on military-related company chains. 

The specific initial access vector used to penetrate targets is currently unknown, although Trend Micro's study revealed the spread of unique malware such as CXCLNT and CLNTEND using remote desktop tools such as UltraVNC. An interesting feature identified across multiple victims is the use of the same enterprise resource planning (ERP) software, increasing the likelihood of a supply chain attack. 

After that, the attack chains move through three distinct phases that are intended to make it easier to escalate privileges through the use of credential dumping, security evasion by turning off antivirus software that is installed on the hosts, and User Account Control (UAC) bypass. 

Both backdoors are activated by sideloading a rogue DLL using the Microsoft Word application, allowing attackers to collect a wide range of confidential data. CXCLNT includes basic upload and download file capabilities, as well as facilities for removing traces, acquiring victim data such as file listings and device names, and downloading next-stage portable executable (PE) and DLL files for execution. 

CLNTEND, detected in April 2024, is a remote access tool (RAT) that supports a broader range of network communication protocols, including TCP, HTTP, HTTPS, TLS, and SMB (port 445).

"The consistency in file compilation times and the threat actor's operation time with other Chinese espionage-related activities supports the assessment that this campaign is likely being carried out by an as-yet unidentified Chinese-speaking threat group," security researchers Pierre Lee and Vickie Su stated.
Read more »
Taiwan
Air Force Cyber Attacks disinformation campaign Hackers Personal Data Taiwan

Hackers Spread Disinformation to undermine Taiwan’s Military


 

Foreign hackers are increasingly targeting Taiwan by hijacking social media accounts to spread disinformation aimed at undermining the country's military, according to a statement released by the Ministry of Justice Investigation Bureau (MJIB) yesterday.

The hackers, believed to be operating from abroad, are using compromised Internet-connected devices, including surveillance cameras and facial recognition systems, to gain unauthorised access to social media accounts on popular platforms like Dcard and PTT (Professional Technology Temple). By infiltrating these forums, they have been able to post false information that seeks to damage the reputation of Taiwan’s armed forces.

One of the key tactics employed by these cybercriminals is impersonating Taiwanese air force personnel. They have posted misleading content claiming that many military pilots are dissatisfied with their pay and working conditions. Some posts suggest that pilots would rather incur tremendous financial losses than renew their contracts, while others falsely claim that military members are leaving their posts to pursue civilian careers for better work-life balance.

On PTT, an account named “ss900287” further amplified these messages by sharing a link to a photograph that supposedly showed a list of retired military pilots applying for jobs with China Airlines. This, however, is another example of the misinformation being spread to create doubt and discontent among the public regarding Taiwan’s military.

Rise in False Posts Across Social Media

Despite the efforts of the Air Force Command to counteract these false narratives, there has been a noticeable increase in similar disinformation across more than 170 suspicious Facebook groups, including names such as “The Strait Today,” “Commentary by the Commander,” and “You Ban, Me Mad.” These groups are suspected of being part of the coordinated effort to spread misleading content.

Advanced Techniques to Evade Detection

According to the MJIB, the hackers have been able to maintain their disinformation campaign by exploiting vulnerabilities in facial recognition systems, digital cameras, and other networked devices. By stealing personal data and taking over social media accounts, they have managed to pose as legitimate users, making their disinformation appear more credible.

To avoid detection, the hackers have employed sophisticated methods such as data de-identification and rerouting their activities through multiple channels, which has made it difficult to trace their identities and locations. In response, the MJIB has notified social media platforms, requesting that they take action against the groups and users involved in these activities.

The MJIB is advising Taiwanese citizens to gear up the security of their Internet-connected devices. This includes setting strong, unique passwords and regularly updating them to minimise the risk of cyberattacks.

In a related development, fishermen in Penghu County have reported sightings of Chinese fishing boats using fake Taiwanese radar transponder codes in waters near Cimei Township. While these vessels initially appeared to be Taiwanese on radar, visual inspections confirmed their Chinese origin. The Coast Guard Administration has stated that any illegal vessels identified will be expelled from Taiwanese waters.

The reason behind the Chinese fishing boats disguising their transponder codes remains unclear, but it has raised concerns about the potential for further deceptive activities in the region.




Read more »
United States
Cyber Attacks DDOS Attack Government Sites Taiwan United States

Taiwanese Government Sites Suffered DDoS Attacks Following Nancy Pelosi Visit

 

Multiple Taiwanese government sites were disrupted by distributed denial-of-service (DDoS) attacks following the much-publicized arrival of U.S. House Speaker Nancy Pelosi who became the first high-ranking U.S. official in 25 years to visit the democratic island nation. 

Pelosi reportedly met Taiwanese President Tsai Ing-wen and reiterated America’s support for the country of 24 million. 

The cyber attacks caused intermittent outages across the government English portal, some websites of the presidential office, foreign ministry, and defense ministry. 

According to Taiwan's foreign ministry, the attacks on its website and the government's English portal were linked to Chinese and Russian IP addresses that tried to access the websites up to 8.5 million times per minute. 

A separate statement from a Tsai spokesperson on Facebook said the attack had funneled 200 times more traffic than usual to the site. However, it was back up and running just 20 minutes later, it added. 

“While the PRC is more than capable of this type of attack, DDoS is fairly unsophisticated and somewhat brutish, and it's not a tool they are known to deploy,” explained Casey Ellis, founder, and CTO at Bugcrowd. China has an enormous population of very clever technologists, large security research and hacking community, and a large government-sponsored team with offensive capability ranging from information warfare to targeted exploit development and R&D.” 

Experts believe that the attacks were likely launched by Chinese activist hackers rather than the Chinese government as retaliation for the visit of Nancy Pelosi. 

Taiwan has accused China of ramping up cyber assaults since the 2016 election of President Tsai Ing-wen, who views the island as a sovereign nation and not a part of China. In 2020, Taiwanese authorities said China-linked hackers breached at least 10 Taiwan government agencies and secured access to nearly 6,000 email accounts in an attempt to exfiltrate data. 

Earlier this year in February, Chinese APT group APT10 (aka Stone Panda, Bronze Riverside) targeted Taiwan’s financial trading sector with a supply chain attack. The malicious campaign was launched by the threat actors in November 2021, but it hit a peak between February 10 and 13 2022, Taiwanese cybersecurity firm CyCraft reported.
Read more »
zero Day vulnerability
Cyber Security NAS QNAP remote access Security flaw Taiwan zero Day vulnerability

New DeadBolt Ransomware Attacks Have Been Reported by QNAP

 

QNAP, Taiwanese network-attached storage (NAS) device vendor, has issued a warning to its clients about a fresh wave of Deadbolt ransomware assaults. "According to the QNAP Product Security Incident Response Team (QNAP PSIRT) investigation, the attack targeted NAS systems running QTS 4.3.6 and QTS 4.4.1, with the most affected models being the TS-x51 and TS-x53 series," the NAS manufacturer claimed. 

This is the third time since the beginning of the year that QNAP machines have been infected with the DeadBolt ransomware. "QNAP strongly advises all NAS customers to check and update QTS to the most recent version as soon as possible, and to avoid exposing its NAS to the internet," the company said in its advisory. 

As many as 4,988 DeadBolt-infected QNAP devices were discovered in late January, requiring the business to issue a forced firmware update. In mid-March, there was a second spike in new infections. Asustor, a storage solutions provider, issued a warning to its clients in February about a wave of Deadbolt ransomware assaults aimed at its NAS devices. QNAP devices were attacked in a new wave of DeadBolt ransomware attacks, according to Censys, an Internet search engine. 

QNAP patched several vulnerabilities in early May, including a major security flaw known as CVE-2022-27588 (CVSS 9.8) that might let a remote attacker execute arbitrary instructions on susceptible QVR devices. 

QNAP QVR is a video surveillance solution from a Taiwanese company that runs on its NAS devices without the need for additional software. DeadBolt assaults are also noteworthy for reportedly exploiting zero-day vulnerabilities in software to obtain remote access and encrypt systems.

According to a new report published by Group-IB, exploiting security vulnerabilities in public-facing applications has emerged as the third most common vector for gaining initial access, accounting for 21% of all ransomware attacks examined by the firm in 2021. However, QNAP owners infected with the DeadBolt ransomware will have to pay the ransom to receive a valid decryption key.
Read more »
Taiwan
APT China Data Breach Data threats Symantec Taiwan

Chinese APT Actor Tracked as 'Antlion' Targeting Companies in Taiwan

 

It has been almost 18 months since the Chinese state-backed advanced persistent threat (APT) actor tracked as ‘Antlion’ has been attacking financial institutions and manufacturing companies in Taiwan state in a persistent campaign. The researchers at Symantec noted that the threat actors deployed a new custom backdoor named 'xPack' on compromised networks, which gave malicious actors wide access into the victim’s system.

The backdoor was designed to run WMI commands remotely, while it has also been seen that the attackers leveraged EternalBlue exploits in the backdoor. The attackers also interact with SMB shares, and it is also possible that the actors used mounted shares over SMB to transfer data to the command and control (C2) server. 

Furthermore, the attackers have successfully browsed the web through the backdoor, likely using it as a proxy to mask their IP address. Researchers believe that the malware was used in a campaign against Taiwan and had allowed the adversaries to run stealthy cyber-espionage operations. 

While dissecting such an attack, it could be seen that the malicious actors spent 175 days on the compromised network. However, the Symantec cyberthreat unit is studying two other incidents of such kind to determine how the adversary went undetected on the network for as long as 250 days. 

The researcher said that the new custom malware helped threat actors achieve this level of furtiveness; Symantec researchers have also deducted the following custom tools that help xPack in this operation. 

• EHAGBPSL – Custom C++ loader 
• CheckID – Custom C++ loader based on a similar tool used by the BlackHole RAT 
• JpgRun – Custom C++ loader 
• NetSessionEnum – Custom SMB session enumeration tool 
• Kerberos golden ticket tool based on the Mimikatz credentials stealer 
• ENCODE MMC – Custom bind/reverse file transfer tool 

"There is also evidence that the attackers likely automated the data collection process via batch scripts, while there is also evidence of instances where data was likely staged for further exfiltration, though it was not actually observed being exfiltrated from the network," explains Symantec.
Read more »
Taiwan
Chinese Hackers Cyber Attacks Cyber Espionage Campaign Taiwan

Taiwanese Government Suffers 5 Million Cyber Attacks Per Day

 

The Taiwanese government faces Five Million cyberattacks per day. Nearly half of them are believed to be originated from China. 

Cyber security department director Chien Hung-Wei told parliament representatives on Wednesday that government infrastructure faces “five million attacks and scans a day”. Security experts are working tirelessly to strengthen defensive measures and collect relevant data for examination in a bid to stop the assaults.

Taiwan’s defence ministry warns of an increase in the attacks carried by China-linked actors against its systems. The ministry accused China of ramping up since the 2016 election of President Tsai Ing-wen, who always claimed the independence of the island from Beijing. On the other end, Beijing considers the island as part of its own territory and does not exclude its military occupation in the future. 

According to the report shared by Taiwan’s defence ministry, the ministry of information security and protection centre handled around 1.4 billion “anomalies” from 2019 to August 2021 to prevent potential hacking. Last year in August 2020, Chinese attackers secured access to around 6,000 email accounts belonging to at least 10 Taiwan government agencies. 

Since 2018, the China-linked cyber espionage groups tracked as Blacktech and Taidoor have been targeting government agencies and information service providers. All these cyber assaults are part of a cyber espionage campaign, Taiwan Bureau Cyber Security Investigation Office reported. The Chinese government has increased diplomatic and economic pressure on Taiwan over the years, it also showed the muscles increasing military drills near the country in recent weeks. 

Many defence experts believe that the Chinese cyber warfare department is at least a decade ahead in terms of cyber capabilities and is aiming towards the goal of instantly disrupting or at least weakening the enemy’s computer networks so as to paralyze their decision-making capability at the very commencement of hostilities.

According to a paper titled China’s Cyber Warfare Capability and India’s Concerns, published in the Journal of Defence Studies, the author revealed that Chinese government is training its military personnel in Information Warfare. In 2013, a security firm Mandiant published a detailed report attributing a Chinese Military Unit to cyber espionage. This was perhaps the first time that such technical evidence and analysis linking activities to a government entity had been made public.
Read more »
XSS Attacks
attackers Cyber Security Malicious Codes Taiwan XSS Attacks

QNAP Patched a Flaw that Allowed Attackers to Remotely Execute Malicious Commands

 

QNAP, a Taiwanese NAS manufacturer, has issued security updates for numerous vulnerabilities that might allow attackers to remotely inject and execute malicious code and commands on susceptible NAS systems. File sharing, virtualization, storage management, and surveillance applications all employ network-attached storage (NAS) appliances. The headquarters of QNAP is located in the Xizhi District of New Taipei City, Taiwan. QNAP began as a department of the IEI Integration Corporation, a Taiwan-based industrial computer services provider. 

Three high-severity stored cross-site scripting (XSS) vulnerabilities (recorded as CVE-2021-34354, CVE-2021-34356, and CVE-2021-34355) affect devices running unpatched Photo Station software (releases before 5.4.10, 5.7.13, or 6.0.18), according to QNAP.

In addition, QNAP fixed a stored XSS Image2PDF problem that affected devices running software versions prior to Image2PDF 2.1.5. Threat actors can use stored XSS attacks to inject malicious code remotely and store it on the targeted servers indefinitely after successful exploitation.

Stored attacks are ones in which the injected script is kept on the target servers indefinitely, such as in a database, a chat forum, a visitor log, a comment field, and so on. When the victim requests information from the server, the malicious script is downloaded. 

A command injection bug (CVE-2021-34352) affecting some QNAP end-of-life (EOL) devices running the QVR IP video surveillance software was also fixed, allowing attackers to run arbitrary operations. Successful attacks leveraging the CVE-2021-34352 bug could result in NAS devices being completely taken over.

In April, QNAP NAS operating systems QTS and QuTS Hero were patched for a command injection vulnerability (CVE-2020-2509). The other critical flaw (CVE-2020-36195), which affected any QNAP NAS devices running Multimedia Console or the Media Streaming add-on, was also patched in the same batch of firmware upgrades.

 “Both vulnerabilities are simple to exploit if you know the exact technical details,” said Yaniv Puyeski, a security researcher of SAM Seamless Network. 

 The significant, pre-authenticated flaws, which require only network access to the susceptible services, highlight an insecure, all-too-common way of using the devices, according to Puyeski. “Unfortunately, a lot of QNAP owners expose their device to the internet through port forwarding which puts them at very high risk to be hacked,” he explained.
Read more »
Subscribe to: Posts (Atom)