Search This Blog

Showing posts with label CrowdStrike. Show all posts

Widespread Cyber Espionage Attacks Use New Chinese Spyware

 

According to new research, a threat actor believed to be of Chinese origin was linked to a series of ten attacks from January to July 2021 that involved the deployment of a remote access trojan (RAT) on infected computers and targeted Mongolia, Russia, Belarus, Canada, and the United States. The breaches have been linked to APT31 (FireEye), an advanced persistent threat that has been dubbed Zirconium (Microsoft), Judgement Panda (CrowdStrike), and Bronze Vinewood (Secureworks) by the cybersecurity community. 

BRONZE VINEWOOD has hidden malicious activity within legal network traffic by using prominent social media and code repository sites. Previous BRONZE VINEWOOD campaigns leveraging DLL search-order hijacking to distribute the HanaLoader downloader malware and other malicious payloads have also been uncovered by Secureworks Counter Threat Unit (CTU) researchers. 

According to researchers, the group is thought to be a Chinese state-sponsored cyberespionage actor attempting to acquire intelligence to aid the Chinese government and state-owned firms. 

In the attacks, a new malware dropper was utilized, which included a downloader for next-stage encrypted payloads from a remote command-and-control server, as well as the ability to decode and execute the malware. The malicious code can download further malware, putting vulnerable victims at risk even more, as well as perform file operations, exfiltrate sensitive data, and even remove itself from the compromised machine. 

Positive Technologies researchers Denis Kuvshinov and Daniil Koloskov discovered the self-delete command fascinating since it employed a bat file to wipe all of the registry keys and files created as a result of running the command. 

The malware's similarities to a trojan known as DropboxAES RAT, which was used by the same threat group last year and relied on Dropbox for command-and-control (C2) communications, are also worth noting, with numerous overlaps found in the techniques and mechanisms used to inject the attack code, achieve persistence, and delete the espionage tool.

Despite the fact that BRONZE VINEWOOD calls the software DropboxAES RAT, CTU researchers discovered that it does not use the Advanced Encryption Standard (AES). Instead, it uses the ChaCha20 stream cypher to encrypt and decrypt data. When encrypting data, older versions of the malware may have used AES encryption. 

"The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular," the researchers concluded.

Sprite Spider Emerging as One of The Most Destructive Ransomware Threat Actors

 

Recently, two CrowdStrike cybersecurity leads during a Cyber Threat Intelligence Summit at the SANS  Senior Security Researcher Sergei Frankoff, and Senior Intelligence Analyst Eric Loui, shared detailed information on the ‘Spirit Spider’, an emerging leading ransomware actor. Like other ransomware attacks, the malicious crew behind Sprite Spider attacks has rapidly increased in terms of sophistication and damage capabilities since 2015. At present, Sprite Spider has become one of the most dangerous ransomware malicious actors of 2021. 

Although, this ransomware ‘Sprite Spider’, did not come as a surprise for many world-leading IT firms, like other organized ransomware groups which are filled with threat actors who are often fruitfully employed by nation-state cybercriminals. 

The journey of Sprite Spider


To have come so far to make headlines, it must have gotten started somewhere, but when and where? It was back in 2015 when the ransomware was employed as a banking Trojan called Shifu, and then in 2017, a malware loader called Vatet. The gang had deployed a remote access Trojan called PyXie, in 2018, and in 2019, the attackers’ deployed ransomware called DEFRAY777. 

Crowdstrike researchers linked Shifu, Wyatt, and Pixi to the DEFRAY777 ransomware attacks. At this point they realized that all the activities from these components were linked to a single-malicious group, operating stealthily behind the scenes. 

The threat actors can often avoid detection mainly because the malicious code is secretly hidden in open-source projects such as Notepad++, which technically is invisible and hence visibly harmless. The only thing the Sprite Spider writes to disk is ‘Vatet’, which makes it even more difficult for the intelligence to identify it during an attack. 

“I think we’ve seen a number of nation-states engage in these types of attacks to generate revenue, specifically North Korea,” CrowdStrike’s senior vice president of intelligence Adam Meyers tells CSO. He added that “Iran and China are also getting in on the ransomware game. It’s not necessarily the nation-state that is conducting the attack, but [the cybercriminals] are using the skills they learned [by working for nation-state attackers] to make a little extra money on the side. The individuals engaged by the nation-state are conducting ransomware attacks on a moonlight shift.” 

Mark Weatherford, chief strategy officer at the National Cybersecurity Center and a former DHS cybersecurity official in the Obama administration, said “I think it will take an international effort to address the growing ransomware scourge. Until there is more of an international policy discussion, I think we’re going to see these things grow. What we need is an international combined effort from nations around the world to say that this is no longer acceptable.” He tells CSO.

Russian Hacking Trouble for the Cyber World



According to data analysis by computer security company CrowdStrike, Russian hacking attack team spares only 19 minutes to the victim to respond to the attack. The next fastest group were North-Koreans who took two hours to jump to the next server to spread the attack,the third on the list comes Chinese attackers who on average gives four hours to the victim to foil their target attack.

Statistically the calculated time is coined as  “dubbed time“ and is the time attacker takes to jump from one network to another to spread the attack. Introducing the concept, CrowdStrike wrote in its report “shows how much time defenders have on average to detect an initial intrusion, investigate it and eject the attacker before sensitive data can be stolen or destroyed.”

According to the author, Pete Singer, the new analysis is eye-opening, "These stats are driven by a whole variety of factors, among them the skills and capability, the relative risk each is making in their likelihood of getting caught and the consequences. No matter how you look at it, an average of 18 minutes is quite amazing given the scale."

The Russians hackers have attacked many defense and military establishments throughout Europe and NATO since last year. Russian hackers were alleged to attack PyeongChang Winter Olympic Games in 2018.

Chris Krebs, DHS Cybersecurity and Infrastructure Security Agency Director, told defenseone.com recently, “We are doubling down on election security in advance of the 2020 election. Despite what some of the reporting might be, election security and countering foreign influence efforts aren’t going anywhere.”

According to a research from Arizona state University, researchers revealed that the exploiting a known vulnerability depended greatly on the country of the attacker.For Instance, the researchers looked at the Dark Web chat rooms , If attackers were discussing  vulnerabilities in National Database and If the hackers discussing the bug were Chinese, the chances to exploit the vulnerability in question was nine percent, But if the conversation was between Russians, then the probability of exploiting vulnerability is forty percent.