Search This Blog

Showing posts with label Advanced Persistent Threat. Show all posts

Another Chinese state-sponsored hacking groups discovered - would be the fourth one to be found


A group of cyber security analyst, Intrusion Truth have found their fourth Chinese state-sponsored hacking operation APT 40.
"APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer," the Intrusion Truth team said. "We know that multiple areas of China each have their own APT."
APT stands for Advanced Persistent Threat and is used to describe government supported and sponsored hacking groups. 

Intrusion Truth has previously exposed three government supported APTs, APT3 (believed to operate out of the Guangdong province), APT10 (Tianjin province), and APT17 (Jinan province),  they have now doxed APT40, China's cyber apparatus in the state of Hainan, an island in the South China Sea.

In a blog post, they said they've discovered 13 companies that serve as a front for APT activists. These companies use offline details, overlapping contacts and no online presence except to recruit cyber experts. 

"Looking beyond the linked contact details though, some of the skills that these adverts are seeking are on the aggressive end of the spectrum," the Intrusion Truth team said.

"While the companies stress that they are committed to information security and cyber-defense, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks," they further said. 

APT40 RECRUITMENT MANAGED BY A PROFESSOR

Intrusion Truth was able to link all these companies mentioned above to a single person, a professor in the Information Security Department at the Hainan University.

One of the 13 companies was even headquartered at the university's library. This professor was also a former member of China's military. 

"[Name redacted by ZDNet] appeared to manage a network security competition at the university and was reportedly seeking novel ways of cracking passwords, offering large amounts of money to those able to do so," the anonymous researchers said.Intrusion Truth are pretty credible and have a good track record, US authorities have investigated  two of their three APT expose. 

DDOS, APT attacks on Corporate and Banks


With spate of Distributed denial of service attacks and APT attacks on Banks and corporates, Anti DDOS mitigation vendors and ISP are joining together to fight the menace of DDOS attacks.

A few vendors work with ISP to mitigate the threat, working on putting up monitoring agents on every ISP(hardware box) which is connected to mitigation cloud.
A Bank official told on conditions of anonymity "ISP quickly responds to DDOS attack and mitigates for the customer. But comes to them with a Fat Proposal. Customers need to pay a standard amount ever year to get a protection.  In addition to this amount, they have to pay extra money every time they get hit.  The billing can run into lakhs for banks/corporate who take DDOS mitigation."
Another bank official confided that they have asked for a standard quote per year(ISPs are yet to respond).

Smaller vendors cannot tackle DDOS attacks. It has to be anti ddos companies with ISP which can handle this.

Some corporate and Banks are going in for a solution - They place their main websites and Mobile portal behind a Cloud Based WAF/Anti DDOS mitigation service. At the corporate end, they have a firewall and IPS making sure that no direct connection from the Internet is possible to their ISP Pipe. Does this solve the problem is yet to be seen.

"Advanced Persistent threat are followed by DDOS attacks, this is done to to erase any tracks of compromise on firewall, router, Intrusion Prevention Systems" says J Prasanna, Director, Cyber Security & Privacy Foundation Pte Ltd, a singapore based Cyber security certification organization.

The corporate/Banks are seeing only the DDOS and putting DDOS mitigation in place. It has to be checked to see if there is any compromise on data, criminal compromise from banks/corporate. The criminals could have gained access to the data or network and remain stealth for a long time", says Mr. Sreeram, Director, AVS Labs Pte Ltd, Singapore(organization which does consulting and services on cyber security).

The main problem for organizations is there are many vulnerabilities on systems which are undetected for a long period of time. The vulnerabilities could remain on the application software code written by software programmers or it could be in operating system, networks and other critical system level application. The black hat hackers(APT attackers) could exploits these vulnerabilities generally called 0-day vulnerability which could be used to enter into the systems.

Most of these organization need a "0-Day Vulnerability Assessment & Penetration Testing" and "APT Analysis" to find any Security breach". Normally not every one can do this because you need the best talents on board like "bounty hunters" who do vulnerability finding for fortune 500 companies. But that is no it - " Most bug bounty hunters cant find beyond web vulnerabilities", These auditors/assessors need the 0 day exploits and also knowledge of how APT attacks work. Most organization which perform regular Vulnerability Assessment and Penetration testing and even who do ISO 270001 certification implementation don't have capability to handle Zero-day or APT assessments.

Is a corporate with ISO 270001 standard implementation safe? A quite survey taken for 25 organizations show that almost all had standards implemented and they all experienced data theft. Some of corporate CISOs don't want to accept APT attacks, most of this information of compromise never reaches the management.

All the attacks happened at technical level, because of poor technical controls or products like antivirus/firewall/intrusion prevention not doing what they said they will do.

Do we still trust the ISO270001 implemented in corporate or the products they are using inside to save our data!