Search This Blog

Showing posts with label Chinese Hackers. Show all posts

Mozi Botnet Creators Arrested by Chinese Law Enforcement Authorities

 

Cybersecurity researchers from the Chinese information security firm Netlab Qihoo 360 reported that at the beginning of this year the authors of the Mozi IoT botnet were detained by Chinese law enforcement authorities, nearly two years after the malware appeared on the threat landscape in late 2019.

“Mozi uses a P2P [peer-to-peer] network structure, and one of the 'advantages' of a P2P network is that it is robust, so even if some of the nodes go down, the whole network will carry on, and the remaining nodes will still infect other vulnerable devices, that is why we can still see Mozi spreading," said Netlab researchers.

The development takes place within two weeks after Microsoft Security Threat Intelligence Center disclosed the malware's new capabilities allows it to block the web traffic on compromised systems via techniques such as DNS spoofing and HTTP session hijacking aimed at redirecting users to malicious domains. 

At its peak, the malware infected up to 160,000 systems a day and in total managed to compromise more than 1,500,000 different devices, more than half of which (830,000) were located in China, according to a report from Netlab Qihoo 360. 

Mozi, which emerged from the source code of Mirai variants and the Gafgyt malware, has accumulated over 15,800 unique command and control nodes as of April 2020, up from 323 nodes in December 2019, according to a report from Lumen's Black Lotus Labs. By the time the malware was discovered by 360 Netlab researchers, it was actively targeting Netgear, D-Link, and Huawei routers by probing for weak Telnet passwords to compromise them.

Exploiting the use of weak and default remote access passwords as well as through unpatched vulnerabilities, the botnet propagates by infecting routers and digital video recorders to co-opt the devices into an IoT botnet, which could be abused for launching distributed denial-of-service (DDoS) attacks, data exfiltration, and payload execution. 

According to Netlab, the creators of Mozi also packed in additional upgrades, which includes a mining trojan that spreads in a worm-like fashion through weak FTP and SSH passwords, expanding on the botnet's features by following a plug-in like approach to designing custom tag commands for different functional nodes. "This convenience is one of the reasons for the rapid expansion of the Mozi botnet," the researchers said. 

"The Mozi botnet samples have stopped updating for quite some time, but this does not mean that the threat posed by Mozi has ended. Since the parts of the network that are already spread across the Internet have the ability to continue to be infected, new devices are infected every day,” the researchers warned. 

The malware also used the DHT protocol to design a peer-to-peer (P2P) system between all the compromised devices, allowing bots to send updates and operational instructions to each other directly, which also allowed Mozi to continue to perform even without a central command and control (C&C) server.

Microsoft Links SolarWinds Serv-U SSH 0-Day Attack to a Chinese Hacking Group

 

Microsoft Threat Intelligence Center has published technical facts regarding a now-patched, 0-day remote code execution exploit affecting SolarWinds Serv-U managed file transfer service software that it has attributed with "high confidence" to a hacking group functioning out of China.

In early July, Microsoft Offensive Research & Security Engineering team addressed a remote code execution flaw (CVE-2021-35211) that was present in Serv-U's implementation of the Secure Shell (SSH) protocol, which could be exploited by cyber criminals to execute arbitrary code on the compromised system, including the ability to install destructive programs and check out, modify, or delete delicate data. 

"The Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration," Microsoft Offensive Research and Security Engineering team explained in a detailed write-up describing the exploit.

"An attacker can exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. When successfully exploited, the vulnerability could then allow the attacker to install or run programs, such as in the case of the targeted attack we previously reported," the researchers added.

Though Microsoft attributed the attacks to DEV-0322, a China-based hacking group citing "observed victimology, tactics, and procedures," the firm has now disclosed the remote, pre-auth vulnerability originated from the manner the Serv-U process managed access violations without terminating the process, thereby making it straightforward to pull off stealthy, dependable exploitation tries. 

"The exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context. This, in turn, could allow the use of uninitialized data as a function pointer during the decryption of successive SSH messages,” the researchers said. 

"Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. We also discovered that the attackers were likely using DLLs compiled without address space layout randomization (ASLR) loaded by the Serv-U process to facilitate exploitation," the researchers further explained.

ASLR is a protection mechanism primarily used to protect against buffer overflow attack by randomly arranging the handle room positions where system executables are loaded into memory. 

After a thorough examination of the SolarWinds hack, Microsoft researchers advised the affected organizations to enable ASLR compatibility for all binaries loaded in the Serv-U procedure."ASLR is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U," the researchers concluded.

Last year in December, Microsoft revealed that a different espionage group may have been exploiting the IT infrastructure provider's Orion software to install a persistent backdoor called Supernova on contaminated devices. Cybersecurity firm SecureWorks attributed the intrusions to a China-linked hacking group called Spiral.

ShadowPad Malware is Being Sold Privately to Chinese Espionage

 

Since 2017, five separate Chinese threat groups have used ShadowPad, an infamous Windows backdoor that allows attackers to download additional harmful modules or steal data. In a detailed overview of the malware, SentinelOne researchers Yi-Jhen Hsieh and Joey Chen said that "adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors," adding that "some threat groups stopped developing their own backdoors after they gained access to ShadowPad." 

ShadowPad was released in 2015 as a replacement for PlugX. However, it wasn't until several well-known supply-chain incidents – CCleaner, NetSarang, and ShadowHammer – that it began to gain considerable public attention. Unlike the publicly available PlugX, ShadowPad is only available to a selected group of people. ShadowPad has been called a "masterpiece of privately sold malware in Chinese espionage" by an American cybersecurity firm. 

ShadowPad is a shellcode-based modular backdoor. A layer of an obfuscated shellcode loader is in charge of decrypting and loading a Root plugin during execution. While the Root plugin's chain of operations decrypts, it loads other shellcode-embedded plugins into memory. To date, at least 22 different plugins have been discovered. 

Additional plugins can be remotely uploaded from the C&C server in addition to the ones included, allowing users to dynamically add functionality that isn't present by default. A Delphi-based controller is in charge of the infected machines, which is used for backdoor communications, upgrading the C2 infrastructure, and controlling the plugins.

"While ShadowPad is well-designed and highly likely to be produced by an experienced malware developer, both its functionalities and its anti-forensics capabilities are under active development," the researchers said. 

ShadowPad-related attacks have lately targeted Hong Kong-based firms as well as key infrastructure in India, Pakistan, and other Central Asian countries. The implant is known to be shared by multiple Chinese espionage actors, including Tick, RedEcho, RedFoxtrot, and clusters dubbed Operation Redbonus, Redkanku, and Fishmonger, although being predominantly attributed to APT41. 

"The threat actor behind Fishmonger is now using it and another backdoor called Spyder as their primary backdoors for long-term monitoring, while they distribute other first-stage backdoors for initial infections including FunnySwitch, BIOPASS RAT, and Cobalt Strike," the researchers said. "The victims include universities, governments, media sector companies, technology companies and health organizations conducting COVID-19 research in Hong Kong, Taiwan, India and the U.S."

Chinese Webdav-O Virus Attacked Russian Federal Agencies

 

In 2020, a collection of Chinese state-sponsored threat groups may have been behind a series of targeted attacks on the Russian federal executive authority. The latest study, published by Singapore-based Group-IB, looks into a piece of computer virus known as "Webdav-O" that was discovered in the intrusions, with the cybersecurity firm noticing similarities between the tool and a popular Trojan known as "BlueTraveller," which is linked to a Chinese threat group known as TaskMasters and used in malicious activities with the aim of espionage and plundering confidential documents. 

The report builds on a series of public disclosures in May from Solar JSOC and SentinelOne, both of which revealed a malware called "Mail-O" that was also observed in attacks against Russian federal executive authorities to access the cloud service Mail.ru, with SentinelOne linking it to a variant of another well-known malicious software called "PhantomNet" or "SManager" used by a threat actor dubbed TA428. 

TA428 has been targeting government entities in East Asia since 2013, with a particular focus on those involved in domestic and foreign policy, government information technology, and economic development. Attackers used the Microsoft Equation Editor exploit CVE-2018-0798 to deploy a custom malware called Cotx RAT, according to Proofpoint researchers. This APT gang also employs Poison Ivy payloads, which share command and control (C&C) infrastructure with the newly discovered Cotx attacks.

"Chinese APTs are one of the most numerous and aggressive hacker communities," researchers Anastasia Tikhonova and Dmitry Kupin said. "Hackers mostly target state agencies, industrial facilities, military contractors, and research institutes. The main objective is espionage: attackers gain access to confidential data and attempt to hide their presence for as long as possible."

"The main goal of the hackers was to completely compromise the IT infrastructure and steal confidential information, including documents from closed segments and email correspondence of key federal executive authorities," Solar JSOC noted, adding the "cybercriminals ensured themselves a high level of secrecy through the use of legitimate utilities, undetectable malware, and a deep understanding of the specifics of the work of information protection tools installed in government bodies."

“It is noteworthy that Chinese hacker groups actively exchange tools and infrastructure, but perhaps it is just the case here,” Group-IB points out. The researchers also point out that evidence implies a big hacking force made up of People's Liberation Army intelligence units may be operating out of China, with the numerous Chinese APT groups tracked by threat intelligence agencies being little more than subgroups.

Chinese Hackers Exploit New SolarWinds Zero-Day in Targeted Attacks

 

Microsoft Threat Intelligence Centre (MSTIC) on Tuesday revealed a zero-day remote code execution exploit, being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. Microsoft revealed that the attacks are linked to a China-based threat group tracked as 'DEV-0322.' 

“MSTIC attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures," Microsoft said in an update on Wednesday.

To carry out the attack, threat actors deployed malware in the Orion software sold by the IT management company SolarWinds. According to the local media outlets, the hackers exploited at least 250 federal agencies and top organizations in the US. 

Tracked as CVE-2021-35211, the RCE vulnerability resides in Serv-U's implementation of the Secure Shell (SSH) protocol. While it was previously revealed that the attacks were limited in scope, SolarWinds said it's unaware of the identity of the potentially affected customers. 

“The vulnerability being exploited is CVE-2021-35211, which was recently patched by SolarWinds. We strongly urge all customers to update their instances of Serv-U to the latest available version," Microsoft advised. 

On Tuesday, SolarWinds published a security update for a zero-day vulnerability in Serv-U FTP servers that allow remote code execution when SSH is enabled. According to SolarWinds, this flaw was disclosed by Microsoft, who saw a hacker actively exploiting it to execute commands on vulnerable customer's devices.

"This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure," says a new blog post by the Microsoft Threat Intelligence Center. 

According to Microsoft, the ‘DEV-0322’ hacking group has previously targeted entities in the US Defense Industrial Base Sector and software companies. "The Defense Industrial Base (DIB) Sector is the worldwide industrial complex that enables research and development (R&D), as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements," explains a CISA document describing the DIB sector.

In December 2020, Microsoft revealed that a separate espionage group may have been exploiting the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on compromised systems. The intrusions have since been attributed to a China-linked threat actor called Spiral.

Chinese Hackers Target Taiwanese Telecom Firms

 

The Insikt Group, the intelligence research department of the US network security consulting firm Recorded Future, published a report on Thursday stating that a group suspected of being funded by the Chinese government is targeting Taiwan, Nepal, and the Philippines telecommunications organizations. 

The threat group, which researchers tracks as Threat Activity Group 22 (TAG-22), is targeting telecommunications, academic, research and development, and government organizations in the three countries. Some of the activity appears to be ongoing as of now, researchers said. 

The latest attack play into a larger backdrop of apparent Chinese hackers snooping on global competition in the telecommunications space, which has become an arena of political and economic conflict between China and the United States.

“In particular, the targeting of the ITRI is notable due to its role as a technology research and development institution that has set up and incubated multiple Taiwanese technology firms,” researchers wrote. The organization is focused on technology and sustainability projects that align with Chinese development interests. In recent years, Chinese groups have targeted multiple organizations across Taiwan’s semiconductor industry to obtain source code, software development kits, and chip designs.”

Last year, cybersecurity company CyCraft claimed that there was a two-year-long large-scale hacking operation focusing on Taiwan’s semiconductor industry, and this wave of operations is likely to be initiated by Chinese hackers. CrowdStrike, a US computer security technology company, also mentioned in a report last year that telecommunications is one of the areas most frequently targeted by Chinese hackers in the first half of 2020.

The researchers believe TAG-22 is using backdoors used by other Chinese state-sponsored groups, including Winnti Group and ShadowPad for initial access. It also employs open-source security tools like Cobalt Strike. Outside of the telecommunication industry, the threat group has targeted academia, research and development, and government organizations in Nepal, the Philippines, Taiwan, and Hongkong. 

While researchers primarily identified the group as operating in Asia, its scope of targets is generally broader, they said. That, as per researchers, puts it in line with other major Chinese hacking groups including APT17 and APT41.

Threat Actors Target Mongolian Certificate Authority with Cobalt Strike Binaries

 

Threat actors have breached a server belonging to MonPass, a major certification authority (CA) in Mongolia in East Asia, and have backdoored the company’s official website with Cobalt Strike binaries. The security incident came to light in late March when researchers at Avast identified an installer downloaded from the official website of MonPass. 

On 22 April 2021, Avast informed MonPass regarding the security breach and advised them to patch the compromised server and notify those who downloaded the backdoored client. “Our analysis beginning in April 2021 indicates that a public webserver hosted by MonPass was breached potentially eight separate times: we found eight different webshells and backdoors on this server. We also found that the MonPass client available for download from 8 February 2021 until 3 March 2021 was backdoored,” Avast stated.

However, researchers were unable to attribute the intrusion “with an appropriate level of confidence” to any specific threat actor. “But it’s clear that the attackers clearly intended to spread malware to users in Mongolia by compromising a trustworthy source, which in this case is a CA in Mongolia,” researchers added.

The malicious installer is an unsigned PE file. It starts by downloading the legitimate version of the installer from the MonPass official website. This legitimate version is dropped to the C:\Users\Public\ folder and executed under a new process. This guarantees that the installer behaves as expected, meaning that a regular user is unlikely to notice anything suspicious. 

Avast team also unearthed additional variants on VirusTotal in addition to those found on the compromised MonPass web server. During their analysis of the compromised client and variants, researchers showed that the malware was using steganography to decrypt Cobalt Strike beacon. 

In December 2020, China-based hackers targeted Able Desktop software, a security firm responsible for supplying software to multiple Mongolian government agencies. In the same month, Avast also published details about a Chinese cyber-espionage campaign that targeted government agencies using spear-phishing emails, during which attackers tried to install backdoors and keyloggers on employee workstations.

Just a few weeks after targeting Able Desktop software, Chinese attackers employed a technique similar to the MonPass breach on the website of the Vietnam Government Certification Authority (VGCA): ca.gov.vn. The attackers modified two of the software installers available for download on this website and added a backdoor in order to compromise users of the legitimate application.

The US has linked major cyber attacks against Russia with Chinese hackers

 Solar JSOC spoke about a series of cyber attacks on Russian government systems in 2020. According to the American Company Sentinel Labs, the ThunderCats group, which is associated with China, is behind the attacks

Sentinel Labs, an American cybersecurity company, said that China is involved in a series of targeted hacker attacks on Russian government systems in 2020.

The report was prepared on the basis of a study by Rostelecom-Solar JSOC (a subsidiary of Rostelecom responsible for cybersecurity), conducted jointly with the National Coordination Center for Computer Incidents (NCCCI, established by the FSB). It said that in the past year, attackers attacked the federal executive authorities (FOIV) several times, using phishing and vulnerability of web applications published on the Internet, as well as hacking the infrastructure of contractors.

According to Rostelecom-Solar and the NCCCI, hackers developed malicious software called Mail-O, which used the cloud storages of Yandex and Mail.ru Group to download the collected data. Attackers disguised network activity under the legitimate Yandex Disk and Disk-O utilities. Experts said that they acted in the interests of a foreign state, but did not specify which one.

Analysts at Sentinel Labs studied how Mail-O works, as described by Russian experts, and concluded that ThunderCats hackers (part of the larger hacker group TA428, which is associated with China) were behind the attacks. They suggested that Mail-O is a variant of the more well-known malware PhantomNet or SManager. It was used by attackers from TA428 during cyber attacks on resources in Southeast Asia, including Vietnam.

According to Anastasia Tikhonova, head of the sophisticated cyber threat research department of the Threat Intelligence department of Group-IB, Russian organizations are regularly attacked by pro-government groups from different countries, "including China." It should be noted that the largest number of active pro-government groups (23) are concentrated in China.

In early May, E Hacking News reported that Chinese hackers attacked the Rubin Central Design Bureau for Marine Engineering (СKB Rubin), which designs submarines for the Russian Navy, by sending images of a submarine with malicious code to its CEO. 


China-Based Hackers Luring Indians into Fake Tata Motors Scam

 

On Thursday, cyber-security researchers in India announced the discovery of a malicious free present marketing campaign managed by China-based hackers to gather personal user data. The marketing campaign is pretending to be an offer from Tata Motors, the biggest automobile manufacturing company in India, reports IANS.

The analysis workforce at New Delhi-based CyberPeace Foundation received some malicious links via WhatsApp, related to a free gift offer from Tata Motors, accumulating personal information about customers together with their browser and system information. 

“The campaign is pretended to be an offer from Tata Motors but hosted on the third-party domain instead of the official website of Tata Motors which makes it more suspicious,” the research team stated.

This malicious campaign being operated on a fake website is titled “Tata Motors Cars, Celebrates sales exceeding 30 million”. On the landing page, a congratulations message is displayed with an attractive photo of a Tata Safari car. Users are asked to participate in a quick survey to get a free TATA Safari vehicle. 

“Also, at the bottom of this page, a section comes up which seems to be a Facebook comment section where many users have commented about how the offer is beneficial,” the researchers revealed.

After clicking the OK button, users are given three chances to win the prize. After finishing all the attempts, it says that the user has won “TATA SAFARI”.

“Congratulations! You did it! You won the TATA SAFARI!” Clicking on the ‘OK’ button, it then instructs users to share the campaign with friends on WhatsApp. The user doesn’t actually end up winning the car, the page simply keeps redirecting the user to multiple advertisements webpages. The Foundation recommended that people avoid opening such messages sent via social platforms.

According to the researchers, hackers are using Cloudflare technologies to hide the real IP addresses of the front-end domain names used in the free gifts from Tata Motors campaign. The CyberPeace Foundation, a think tank and non-governmental organization of experts in the field of cybersecurity and policy, has collaborated with Autobot Infosec Private Limited to investigate this realization that these sites are online fraud.

Myanmar President’s Office Hacked for the Second Time

 

A cyber-espionage hacking gang is suspected of breaking into the Myanmar president's office website and injecting a backdoor trojan into a customized Myanmar font package accessible for download on the home page. ESET, a Slovak security firm, discovered the attack on Wednesday, June 02, 2021. 

The software employed in the attack resembles malware strains used in previous spear-phishing efforts intended at Myanmar targets by a Chinese state-sponsored hacker outfit known as Mustang Panda, RedEcho, or Bronze President, according to researchers. 

Mustang Panda is mostly focused on non-governmental organizations (NGOs). It employs Mongolian language decoys and themes, as well as shared malware such as Poison Ivy and PlugX, to attack its targets. Their attack chain looks something like this: 

• A malicious link is disguised using the goo.gl link shortening tool and sent to a Google Drive folder.

• When you click on the Google Drive link, you'll be taken to a zip file that contains a.Ink file disguised as a.pdf file. 

• The user is redirected to a Windows Scripting Component (.wsc) file when they open the file. This file can be found on a malicious microblogging website.
 
• A VBScript and a PowerShell script from the Twitter page are included in the.Ink file to get the fake PDF file. 
 
• A Cobalt Strike (https://know.netenrich.com/threatintel/malware/Cobalt % 20Strike) payload is created by the PowerShell script. 

• The threat actor can operate the system remotely using Cobalt Strike's connection to the command-and-control IP address. 

Mustang Panda has a history of carefully constructed email-based attacks; for this operation, the gang appears to have modified a Myanmar Unicode font package available for download on the Myanmar presidency's website. “In the archive, attackers added a Cobalt Strike loader [named] Acrobat.dll, that loads a Cobalt Strike shellcode,” the ESET team wrote in a Twitter thread. 

This loader, according to researchers, pings a command and control (C&C) server at 95.217.1[.]81. The loader resembled other malware copies that had previously been transmitted as file attachments in spear-phishing efforts directed at Myanmar targets.

The archives show signs of an advanced and stealthy cyber-espionage operation hidden in files named “NUG Meeting Report.zip,” “Proposed Talking Points for ASEAN-Japan Summit.rar,” “MMRS Geneva,” “2021-03-11.lnk,” and “MOHS-3-covid.rar,” even if ESET said it has yet to officially confirm Mustang Panda's involvement beyond a doubt.

This is the second time the Myanmar president's office has been hacked in order to launch a watering hole attack. The first incident occurred between November 2014 and May 2015, when the site was used to disseminate a version of the EvilGrab malware by another alleged Chinese cyber-espionage group.

Chinese hackers attacked a Russian developer of military submarines

Chinese hackers reportedly attacked the Rubin Central Design Bureau for Marine Engineering (СKB Rubin), which designs submarines for the Russian Navy, by sending images of a submarine with malicious code to its CEO. Experts believe the hackers are acting in the interests of the Chinese government.

According to cybersecurity company Cybereason, in April, Chinese hackers attacked the Russian CKB Rubin. The attack began with a fake letter that the hackers sent to the general director of CKB Rubin allegedly on behalf of the JCS “Concern “Sea Underwater Weapon – Gidropribor”, the State Research Centre of the Russian Federation.

The letter contained a malicious attachment in a file with images of an autonomous unmanned underwater vehicle. "It is very likely that hackers attacked Gidropribor or some other institution before that," the author of the Telegram channel Secator believes.

The RoyalRoad malware attachment used in the CKB Rubin attack is one of the tools that guarantees delivery of malicious code to the end system, which is most often used by groups of Asian origin, said Igor Zalewski, head of the Solar JSOC CERT Cyber Incident Investigation Department at Rostelecom-Solar.

Cybereason pointed out that the attack on CKB Rubin has similarities to the work of Tonto and TA428 groups. Both have been previously seen in attacks on Russian organizations associated with science and defense.

It is worth noting that the CKB Rubin traces its history back to 1901. More than 85% of the submarines which were part of the Soviet and Russian Navy at various times were built according to its designs.

According to Igor Zalevsky, the main Rubin's customer is the Ministry of Defense, CKB Rubin deals with critically important and unique information related to the military-industrial complex of the Russian Federation which explains the interest of cyber-criminals.

Experts believe that such attacks will gain momentum because specialized cyber centers are being created due to aggravation of information confrontation between states.

Information security expert Denis Batrankov noted that designers are attacked for the sake of industrial espionage mainly by special services of other states. "The problem is that we all use software, which has many hacking methods that are not yet known. Intelligence agencies are buying new vulnerabilities from the black market for millions of dollars,” added he.


Chinese APT Actors Attack Russian Defense In An Espionage Attack

An earlier anonymous backdoor malware, called PortDoor, is probably being used by Chinese APT (advanced persistent threat) hackers to attack Russian defense system, according to reports. Cybersecurity firm 'Cybereason Nocturnus' looked into hackers specifically targeting Rubin Design Bureau, an organization that builds submarines for Russian Navy Federation. The main target was director general named Igor Vladimirovich, who received a phishing mail, say experts. The attack started with "Royalroad weoponizer" aka RTF exploit builder/8.t Dropper, which, according to cybersecurity experts, is a tool used by Chinese APT's to orchestrate their attacks, like Tick, Tonto Team and TA428. 


RoyalRoad makes weaponized RTF documents that attack vulnerabilities CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802) in Equation Editor of Microsoft. RoyalRoad's use in the attack is the reason why the victim suspects Chinese hackers to be behind the attack. Cybereason analysis said, "the accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests." 

A Subtle Spying Malware 

Experts found the malware stealing unique PortDoor sample when the corrupt RTF file is opened, which is built cautiously to stealth. It has various functions that include spying, target profiling, delivering additional payloads, process manipulation, privilege escalation, AES- encrypted data exfiltration, static detection antivirus evasion, one-byte XOR encryption and much more. If deployed, backdoor decodes strings with the help of hard-coded 0xfe XOR key in order to get configuration info. It includes C2C server address, target locator, and other trivial information. 

Cybersecurity report said, "the backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports." "Lastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor,” researchers concluded. “We hope that as time goes by, and with more evidence gathered, the attribution could be more concrete."

Thousands of U.S. Organizations Attacked in a Chinese Cyber-Espionage Campaign

 

Microsoft Exchange servers have become the latest victim of Chinese-sponsored cyber-attack. Chinese hackers targeted the Microsoft Exchange Servers earlier this week exploiting the zero-day vulnerabilities. The vulnerabilities in servers allowed the hackers to target thousands of organizations around the globe.

According to the security experts, the group known as ‘Hafnium’ is responsible for targeting Microsoft’s Exchange servers and exploiting more than tens of thousands of email servers. As per a computer security expert, more than 30,000 US organizations, and hundreds of thousands worldwide have been targeted in recent days by an unusually aggressive Chinese cyber-espionage campaign.

Hafnium has targeted several US-based companies in the past including law firms, universities, infectious disease researchers, defense contractors, think tanks, and NGOs.

Brian Kerbs, independent cybersecurity first reported the 30,000 figure on Friday and posted a note on his website reading, this cyber-espionage campaign has exploited recently discovered flaws in Microsoft Exchange servers, stealing email, and corrupting computer servers with tools that allowed threat actors to take control remotely. He reported that insiders said threat actors have ‘seized control’ of thousands of computer systems around the globe using password-protected software tools.

White House spokeswoman Jennifer Psaki stated in a press conference - “We are concerned that there are a large number of victims and are working with our partners to understand the scope of this. Network owners also need to consider whether they have already been compromised and should take appropriate steps.” 

Microsoft Executive Tom Burt said the company had released updates to patch the security vulnerabilities, which apply to on-premises versions of the software rather than cloud-based versions, and requested customers to apply them and also highlighted that threat actors belonged to China but operated through leased virtual private servers in the United States. 

“We know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems”, he wrote in his blog post.

AIVD says they face cyber attacks from Russia and China every day

According to the head of the country's General Intelligence and Security Service, these hackers break into the computers of companies and educational institutions

The head of the General Intelligence and Security Service of the Netherlands (AIVD), Erik Akerboom, said that the country's special services allegedly "every day" catch hackers from China and Russia, who, according to him, break into the computers of companies and educational institutions. At the same time, the head of the AIVD did not provide any evidence.

"Every day we catch hackers from both China and Russia hacking into the computers of companies and educational institutions," the head of AIVD said in an interview with Vu Magazine.

According to Akerboom, the target of these hackers is vital infrastructure, such as drinking water, banks, telecommunications, and energy networks." However, he did not give an example of any specific cyberattack.

In 2018, the Ministry of Defense of the Netherlands said that the country's special services prevented a hacker attack on the Organization for the Prohibition of Chemical Weapons (OPCW), which four Russian citizens allegedly tried to carry out. According to the head of department Ankh Beyleveld, the suspects with diplomatic passports were expelled from the Netherlands on April 13. The Russian Foreign Ministry called such accusations "another staged propaganda" action and said that the unleashed "anti-Russian espionage campaign" causes serious harm to bilateral relations.

Besides, in December 2020, the Netherlands was accused of the espionage of two Russian diplomats, calling them employees of the Foreign Intelligence Service undercover. The Russians were declared persona non grata. In response, Moscow sent two employees of the Dutch Embassy from Russia. The accusations of activities incompatible with the diplomatic status of the Russians were called "unfounded and defamatory".

Recall that recently Washington accused Moscow of large-scale cyber attacks, which were allegedly carried out in order to get intelligence data. The representative of the Russian Ministry of Foreign Affairs, Maria Zakharova, said in response that such statements by the United States about hacker attacks allegedly by Russia have already become routine.

Chinese Hackers Cloned Exploit Tool Belonging to NSA

 

A Chinese hacking group allegedly "cloned" and deployed a zero-day exploit created by the U.S. National Security Agency's Equation Group before Microsoft fixed the Windows vulnerability that was being misused in 2017, as indicated by an analysis published on Monday by Check Point Research. For quite a long while, researchers had presumed the Chinese hacking group known as APT31 or Zirconium had built up an exploit tool to take advantage of a vulnerability tracked as CVE-2017-0005 and found in more seasoned renditions of Windows, like Windows 7 and Windows 8, as indicated by the report. 

The report brings up additional questions about how some of the NSA's most valued cyberweapons have been found or stolen by nation-state hacking groups and then turned on their developers over the years. In May 2019, Symantec published a similar report that found another group of hackers had taken and exploited cyber tools developed by the NSA. Both the Symantec and Check Point research show that the burglary of NSA Equation Group devices by these groups seems to have occurred before the hacking group known as the Shadow Brokers first began publishing the agency's exploits in 2016. 

Security research previously noted that a zero-day exploit was created for CVE-2017-0005, called "Jian," in 2014 and initially deployed it in 2015. The exploit was utilized for a very long time before Microsoft at last issued a patch for it in 2017. Whenever exploited, this bug could permit an attacker to escalate privileges inside an undermined device and afterward acquire full control, the researchers note. Microsoft published its fix for CVE-2017-0005 in March 2017, when the company was forced to issue multiple fixes for the exploits related to the Shadow Brokers "Lost in Translation" leak, Check Point notes. 

A further investigation by Check Point found that Jian was not an original creation, but rather a clone of a zero-day exploit for more seasoned renditions of Windows created by the NSA Equation Group in 2013 and initially called "EpMe" by the agency, as per the new report. 

 In another case documented by Symantec in 2019, APT3 "Buckeye" was connected to assaults utilizing Equation Group tools in 2016, before the Shadow Brokers leak.

New Self-Spreading Golang Worm Dropping XMRig Miner on Servers

 

Security researchers at Intezer have found a new self-spreading worm written in GoLang. The malware variant has been actively targeting both Windows and Linux servers, predominantly since December 2020. Researchers noted that the worm developed by China-based hackers attempts to mine Monero, an open-source cryptocurrency launched in 2014 which gained immense popularity and wide acceptance for its privacy-oriented features.
 
GoLang's rich library ecosystem makes it a top preference for malware developers, who can infiltrate the systems without being detected while working with GoLang's smooth malware creation process. The language makes it easier for hackers to bypass security as the malware written in GoLang is large-sized and scanning large files is beyond the capabilities of most of the antivirus software.

The 'GoLang' malware that has been dropping XMRig cryptocurrency miners on Windows and Linux servers, has worm-like capabilities that let it propagate itself to other systems through brute-forcing. 

The worm attacks application servers, non-HTTP services, and web application frameworks; it has targeted public-facing services rather than "the end-users". MySQL, Tomcat admin panel, and Jenkins are some of its latest victims. Besides, these public-facing services with weak passwords, the malware operators have also tried to compromise Oracle WebLogic Server by exploiting its remote code execution vulnerability – CVE-2020-14882, in an older variant.

Attack Execution 

The worm on the Command and Control (C&C) server was periodically updated by the operators, signifying the current "active" status of the malware. Once the target is being successfully compromised, the attack proceeds with deploying the loader script, a Golang binary worm, and an XMRig Miner – three files hosted on the aforesaid C&C server.

While giving insights into the matter, Chad Anderson, Senior Security Researcher at DomainTools said, “While it’s certainly alarming that there were no detections for this worm’s initial sample, that’s not surprising as Golang malware analysis tooling has still been playing a bit of catch up in the automation space,” 
 
“We would expect that with the rise in cryptocurrency prices over the last few weeks that actors looking to cash in for a few extra dollars would cause a surge in mining malware,” he further added. 
 
“The fact that the worm’s code is nearly identical for both its PE and ELF malware—and the ELF malware going undetected in VirusTotal—demonstrates that Linux threats are still flying under the radar for most security and detection platforms,” the report by Intezer read.

Spear-Phishing Campaigns Targeting Tibet and Taiwan

 

Tibetan community is being targeted by a Spear-phishing campaign; it is suspected that malicious actors behind these operations are the ones formerly involved in campaigns attacking Taiwanese legislators as discovered in May 2020 during an investigation. Reportedly, the group is employing a novel malware variant called MESSAGEMANIFOLD, similar to the one employed in the abovementioned campaigns, further solidifying the links discovered between both the campaigns. 

Several other overlaps have also been noted between both the activities, including the application of the same email themes and identical hosting provider. Furthermore,  both the campaigns made use of Google Drive links for downloading the malware. 

The campaigners are attacking strategic targets that somehow align with the Chinese Government’s affairs. The threat actors used spear-phishing emails with the theme ‘conference invitations’, which included a direct download Google Drive link. According to the researchers two Google Drive links were there, with the name “dalailama-Invitations [.]exe” file. 

About the Attacks

The dropped files (HTTP POST) were being used for the requests to communicate with the control and command server which uses a fixed URL pattern, and for the next stage, malware needs a specific response. Those domains were being used in both campaigns were organized on AS 42159 (Zemlyaniy Dmitro Leonidovich) and AS 42331 (PE Freehost). 

Recent cyberattacks on Taiwanese and Tibetan entities don't come as a surprise, it has been observed that Beijing-based malicious actors actively attack these states in accordance with their state interests. A recent study at IBM disclosed that an email phishing scheme attacking Germany and Italy based COVID-19 vaccine supply chains. Other targets included the Czech Republic and South Korea amid a few more. 

Given the highly customized nature of the attacks against particular targets chosen strategically, the activity could possibly be aligned with Chinese nation-backed attackers; however, as of now, the campaigns could not be affiliated to a recognized cyber threat group. Therefore, experts have recommended employing a trustworthy anti-malware solution. Users are also advised to avoid opening attachments from anonymous sources. 

Chinese State-Sponsored Hackers Exploiting Zerologon Vulnerability

 

Chinese state-sponsored threat actors have been observed exploiting the Zerologon vulnerability in a global campaign targeting businesses from multiple industries in Japan and 17 other regions across the world including the United States and Europe. The attacked industries include engineering, automotive, managed service providers, and pharmaceutical. 

According to the information gathered by Symantec’s Broadcom division, these attacks have been attributed to the Cicada group also known as APT10, Cloud Hopper, or Stone Panda. 
 
The attackers are known for their sophistication, in certain cases, they were recorded to have hidden their suspicious acts effectively and remained undetected while operating for around a complete year. Previously, the state-backed actors have stolen data from militaries, businesses, and intelligence, and seemingly, Japanese subsidiaries are their newly found target. 
 
The links between the attacks and Cicada have been drawn based on the similar obfuscation methods and shellcode on loader DLLs to deliver malicious payloads, being used as noticed in the past along with various other similarities like living-off-the-land tools, backdoor QuasarRAT final payloads commonly employed by the hacking group. 
 
"The initial Cloud Analytics alert allowed our threat hunting team to identify further victims of this activity, build a more complete picture of this campaign, and attribute this activity to Cicada," Symantec said in their report. 
 
"The companies hit are, in the main, large, well-known organizations, many of which have links to Japan or Japanese companies, which is one of the main factors tying the victims together," the report further read. 
 
In September, Iranian-sponsored hacking group MuddyWater (MERCURY and SeedWorm) was seen to be actively exploiting Zerologon vulnerability. Another hacking group that exploited Zerologon was the financially-motivated TA505 threat group, also known as Chimborazo.
 
"The affected companies are from manufacturing, construction, and government-related industries, with top victims having around $143 billion, $33 billion and $2 billion yearly revenue," as per a report published by KELA, an Israel based Cybersecurity organization. 

"[M]ore and more threat actors, Advanced APT group and nation-state actors are considering Japanese organizations as valuable targets and are actively attacking them via opportunistic and targeted attacks," KELA further added.

Microsoft Confirms Cyber-Attacks on Biden and Trump Campaigns

Microsoft reports breaching of email accounts belonging to individuals associated with the Biden and Trump election campaigns by Chinese, Iranian, and Russian state-sponsored hackers. 

Tom Burt, Corporate VP for Customer Security and Trust at Microsoft, revealed the occurrences in a detailed blog post after Reuters announced about a portion of the Russian attacks against the Biden camp. 

"Most of these assaults" were recognized and blocked, which is what he added later and revealed in the blog post with respect to the additional attacks and furthermore affirmed a DNI report from August that asserted that Chinese and Iranian hackers were likewise focusing on the US election process.

 As indicated by Microsoft, the attacks conducted by Russian hackers were connected back to a group that the organization has been tracking under the name of Strontium and the cybersecurity industry as APT28 or Fancy Bear. 

 While Strontium generally carried out the spear-phishing email attacks, as of late, the group has been utilizing 'brute-force' and password spraying techniques as an integral technique to breaching accounts. 

Then again, the attacks by Iranian hackers originated from a group tracked as Phosphorous (APT35, Charming Kitten, and the Ajax Security Group). 

These attacks are a continuation of a campaign that began a year ago, and which Microsoft recognized and cautioned about in October 2019. At that point, Microsoft cautioned that the hackers focused on "a 2020 US presidential campaign" yet didn't name which one. 

Through some open-source detective work, a few individuals from the security community later linked the attacks to the Trump campaign. 

What's more, only a couple of days back Microsoft affirmed that the attacks are indeed focused on the Trump campaign, yet in addition unveiled a new activity identified with the said group. The attacks were likewise identified by Chinese groups. 

While presently there are several hacking groups that are assumed to work under orders and the security of the Chinese government, Microsoft said that the attacks focusing on US campaigns originated from a group known as Zirconium (APT31), which is a similar group that Google spotted not long ago, in June. 

Microsoft says it detected thousands of attacks coordinated by this group between March 2020 and September 2020, with the hackers accessing almost some 150 accounts during that time period.


Chinese hackers targeted about five Russian developers of banking software

Chinese hacker group Winnti attacked at least five Russian developers of banking software, as well as a construction company. According to Positive Technologies, the names of banks and developers are not disclosed.

Positive Technologies noted that the implantation of special malicious code by hackers at the development stage potentially allows them to get access to Bank data. After the code is implemented onto the infected machine, a full-fledged backdoor is loaded to investigate the network and steal the necessary data.

Andrey Arsentiev, head of analytics and special projects at InfoWatch, explained that previously Winnti hacked industrial and high-tech companies from Taiwan and Europe through attacks on the software supply chain, but now, apparently, it has decided to switch to Russian companies.

According to him, there is a rather complex software supply chain in the financial sector, so Winnti may be interested not only in obtaining direct financial benefits but also in corporate espionage. As for the construction industry, Chinese hackers may be aimed at obtaining trade secrets, which in turn may be related to the plans of Chinese companies to expand into the Russian market. Mr. Arsentiev came to the conclusion that, in this way, hacker attacks would allow studying the strategy of potential competitors

Nikolay Murashov, deputy director of the National Coordination Center for Computer Incidents, said that organizations involved in software development and system integration accounted for about a third of all targeted attacks in the Russian Federation in recent years.

According to Mikhail Kondrashin, technical director of Trend Micro, attacks specifically on software developers for banks open up endless opportunities for subsequent attacks. The appearance of such attacks actually changes the rules of information security in the field of development: it is no longer just about developing secure code, but rather protecting the infrastructure itself.