Search This Blog

Showing posts with label Fox-IT. Show all posts

Chinese Threat Group Chimera Attacks Airline Industry

 

For the last few years, a Chinese threat group under the name Chimera has been targeting the airline industry with the intention of amassing passenger data, and later to monitor their movement and track the persons, selectively. However, the operations of Chimera have been under the radar of the cybersecurity organizations for a while and experts suspect the threat actors behind Chimera to be working in alignment with the interests of the Chinese state. The Cyber Security Organization CyCraft first described the actions of the group in a paper written and presented at the Black Hat Conference in 2020. Chimera has also been suspected to coordinate attacks against the Taiwanese superconductor industry as mentioned in the paper written report. 

In a recent study released last week by the NCC Group and its affiliate Fox-IT, the two companies said that the intrusions of the group were larger than what was originally believed- even targeting the airline sector besides the superconductor industry. This spanning was not limited to Asia but was done for assorted geographical areas as well. They also cited that in several cases, actors had been cloaking within networks for more than three years before they were identified. 

The attack on the superconductor industry of Taiwan was targeted at stealing intellectual property, although the target was different in the case of the airline industry. The companies further alleged that the actors wanted to gather Passenger Name Record (PNR) for which they were targeting the victims. With further investigation, the companies observed that the assorted custom DLL files were continuously used to extract PNR information from the memory structures where the main data is generally stored. 

"NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 until April 2020," added the two companies. 

The report provided by NCC and its affiliate Fox-IT states the modus operandi of the actors whose first step is to collect data like the user login credentials which would be leaked in the public domain or the dark web after the data breach has occurred at other companies. This collected data is later used by the actors for ‘credential stuffing’ and ‘password spraying’ attacks against the target’s personnel accounts, as the email account.

Technology and Software Giants, Microsoft and Google face Threat by Chimer Gang Attack

 


The world's biggest technology and software giants, namely Microsoft, and Google are being threatened by a new group of cybercriminals who are targeting their cloud services. Working in coordination with their Chinese interests, the threat actors are attacking a wide range of organizations with the intent of exfiltrating data. 

The security researcher, NCC Group and Fox-IT, taking account of this incident said that these attackers have a “wide set of interest” and their target data ranges from the intellectual property belonging to the victims in the semiconductor Industry to the commuter data from the airways industry. 

The actors that are targeting these giants are referred to as Chimer by CyCraft. This group named Chimera is not new for the cyber industry, instead, they have been engaged in such incidents from the year 2019 till the year 2020. However, on every such occasion, they have managed to escape the situation without garnering much attention. “Our threat intelligence analysts noticed a clear overlap between the various cases in infrastructure and capabilities, and as a result we assess with moderate confidence that one group was carrying out the intrusions across multiple victims operating in Chinese interests”, added the team of researchers.

The team of researchers briefly explained the scheme of attackers while targeting such organizations. These actors commence their threat process by accessing the username and passwords from the victim’s previous data breaches. They then use the credentials of the victims in credential stuffing or password spray attacks against assorted remote services. Moving ahead, as they obtain the valid accounts of the victims, they use it to access the victim’s VPN, Citrix, or any other remote service with this network access. After entering their network, the actors try to accept all the permissions and get the list of other accounts with the admin privileges. Now they target other accounts from the list and then try their password spraying attack on these accounts. They do this until any other account is compromised by their attack. Lastly, they use this account to load a Cobalt Strike beacon into the memory which later can be used for remote access and command and control (C2). 

Following the incident, the security researchers affirmed that they have contained and eradicated the threat from their clients’ network. They further added that “NCC Group and Fox-IT aim to provide the wider community with information and intelligence that can be used to hunt for this threat in historic data and improve detections for intrusions by this intrusion set”.