 Chinese Hackers
#71
The following article talks about what happened about 2 weeks ago.


Quote:Dozens of systems used by government bodies and IT companies in Russia have reportedly become the targets of Chinese hackers.

Moscow-based cybersecurity provider Kaspersky Lab, revealed that the backdoor malware used to gain access to the systems was "GrewApacha," a Trojan used since at least 2021 by the Chinese cyber-espionage group known as APT31 (Advanced Persistent Threat 31).

APT31 is believed to have ties to China's civilian spy agency, the Ministry of State Security (MSS). Earlier this year, the United States Justice department indicted several Chinese nationals and one company for allegedly carrying out APT31 operations.

"During these attacks, attackers infected devices using phishing emails with attachments containing malicious shortcut files," read an August 8 report by Kaspersky Lab-managed website SecureList. Kaspersky has dubbed the Russia-centered hacking campaign "EastWind."

Clicking on these files prompts the installation of the malware, which receives commands from the Dropbox cloud storage.

"With the help of this software, the attackers downloaded additional Trojans to the infected computers, in particular, tools used by the APT31 cybergroup, as well as the updated CloudSorcerer backdoor," the report said.

A Trojan is a type of malware disguised as legitimate software to trick users into installing it. Once installed, Trojans can perform malicious actions on the infected system, such as spying on users, stealing data and providing cybercriminals with unauthorized access.

The SecureList report said the method observed in the recent cyberattacks was similar to the one previously used to target a U.S. organization.

A SecureList report released last month called the updated CloudSorcerer malware "a sophisticated toolset targeting Russian government entities."

Its "ability to dynamically adapt its behavior based on the process it is running in, coupled with its use of complex inter-process communication through Windows pipes, further highlights its sophistication."

The Russian and Chinese foreign ministries didn't immediately respond to a written request for comment.

Last year, the intelligence chiefs of the Five Eyes intelligence alliance—the U.S., the U.K., Canada, Australia and New Zealand—warned of the threat posed by China's use of cutting-edge technology to carry out hacking and intellectual property theft on a large scale.

An anonymous source earlier this year leaked evidence of a massive surveillance campaign by I-Soon, an MSS-affiliated Chinese contractor, whose targets ranged from foreign governments, politicians and think tanks to private Chinese citizens.

The Chinese foreign ministry responded to the leak by saying it "firmly opposes and cracks down on all forms of cyber attack in accordance with the law."

But this one is very recent! Shocked


Quote:China is increasingly suspected of involving "white hat" hackers--who typically identify cybersecurity weaknesses--in cyberattacks. This development is believed to be boosting China's offensive capabilities by utilising its top private hackers, according to a report by Nikkei Asia. The investigation conducted by Nikkei Asia and other organisations, reveals that since the introduction of mandatory vulnerability reporting to the Chinese government in 2021, the number of attacks with suspected Chinese involvement has witnessed a sharp rise.

White hats, who work for security companies or as freelancers, are responsible for bug hunting. They identify vulnerabilities, report them to developers, and receive compensation. Nikkei Asia further reported that developers issue patches and request users to install them to enhance security. In September 2021, concerns emerged in Europe and the US about the exploitation of vulnerabilities before patches could be deployed.

Later that year, Chinese media reported that the Ministry of Information and Technology had suspended Alibaba Group Holding's cloud computing operations from participating in a cybersecurity partnership for six months due to a failure to report issues. In collaboration with cybersecurity firm Trend Micro, Nikkei Asia collected data on 222 software vulnerabilities identified by the US government and others as being exploited by hacker groups believed to be linked to the Chinese government. These groups are suspected of using these vulnerabilities to infiltrate networks.

Katsuyuki Okamoto, a cybersecurity expert at Trend Micro, told Nikkei Asia, "In the past, the main method of cyberattack was phishing, involving tricking victims into downloading malware via email. Now, vulnerability attacks are mainstream." A search on OTX (Open Threat Exchange), a collaborative platform developed by AlienVault (now part of AT&T Cybersecurity) for sharing and accessing threat intelligence, found a total of 1,047 attacks exploiting these vulnerabilities.

Chinese white hats, known for their bug-hunting skills, are highly regarded worldwide. In 2021, when the vulnerability reporting obligation was introduced, there were 16 reported cases. This number surged to 267 in 2022 and nearly doubled again to 502 in 2023. The current year is following a similar trend, with 242 cases reported in the first half.

Taiwan-based cybersecurity firm TeamT5, which examined the leaked files, reports that i-Soon has employed numerous self-identified white hat hackers. However, a significant portion of their work has been commissioned by Chinese state security.

Here's the original article, but you'd need to subscribe to the Nikkei website in order to read the full text. Confused
"For God has not destined us for wrath, but for obtaining salvation through our Lord Jesus Christ," 1 Thessalonians 5:9

Maranatha!

The Internet might be either your friend or enemy. It just depends on whether or not she has a bad hair day.

[Image: SP1-Scripter.png]
[Image: SP1-Writer.png]
[Image: SP1-Poet.png]
[Image: SP1-PixelArtist.png]
[Image: SP1-Reporter.png]

My Original Stories (available in English and Spanish)

List of Compiled Binary Executables I have published...
HiddenChest & Roole

Give me a free copy of your completed game if you include at least 3 of my scripts! Laughing + Tongue sticking out

Just some scripts I've already published on the board...
KyoGemBoost XP VX & ACE, RandomEnkounters XP, KSkillShop XP, Kolloseum States XP, KEvents XP, KScenario XP & Gosu, KyoPrizeShop XP Mangostan, Kuests XP, KyoDiscounts XP VX, ACE & MV, KChest XP VX & ACE 2016, KTelePort XP, KSkillMax XP & VX & ACE, Gem Roulette XP VX & VX Ace, KRespawnPoint XP, VX & VX Ace, GiveAway XP VX & ACE, Klearance XP VX & ACE, KUnits XP VX, ACE & Gosu 2017, KLevel XP, KRumors XP & ACE, KMonsterPals XP VX & ACE, KStatsRefill XP VX & ACE, KLotto XP VX & ACE, KItemDesc XP & VX, KPocket XP & VX, OpenChest XP VX & ACE
#72
Happy with a sweat Guess what? We missed a Thief cyber attack last week! Shocked


Quote:Details have emerged about a China-nexus threat group's exploitation of a recently disclosed, now-patched security flaw in Cisco switches as a zero-day to seize control of the appliances and evade detection.

The activity, attributed to Velvet Ant, was observed early this year and involved the weaponization of CVE-2024-20399 (CVSS score: 6.0) to deliver bespoke malware and gain extensive control over the compromised system, facilitating both data exfiltration and persistent access.

"The zero-day exploit allows an attacker with valid administrator credentials to the Switch management console to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the Linux underlying operating system," cybersecurity company Sygnia said in a report shared with The Hacker News.

Velvet Ant first caught the attention of researchers at the Israeli cybersecurity company in connection with a multi-year campaign that targeted an unnamed organization located in East Asia by leveraging legacy F5 BIG-IP appliances as a vantage point for setting up persistence on the compromised environment.

The threat actor's stealthy exploitation of CVE-2024-20399 came to light early last month, prompting Cisco to issue security updates to release the flaw.

Notable among the tradecraft are the level of sophistication and shape-shifting tactics adopted by the group, initially infiltrating new Windows systems before moving to legacy Windows servers and network devices in an attempt to fly under the radar.

"The transition to operating from internal network devices marks yet another escalation in the evasion techniques used in order to ensure the continuation of the espionage campaign," Sygnia said.

The latest attack chain entails breaking into a Cisco switch appliance using CVE-2024-20399 and conducting reconnaissance activities, subsequently pivoting to more network devices and ultimately executing a backdoor binary by means of a malicious script.

But before you leave, you gotta know that another Thief cyber attack hit the US and an undisclosed country. Confused


Quote:A Chinese hacking group exploited a software bug to compromise several internet companies in the U.S. and abroad, a cybersecurity firm said on Tuesday.

Researchers at the firm, Lumen Technologies (LUMN.N), said in a blog post that the hackers took advantage of a previously unknown vulnerability in Versa Director - a software platform used to manage services for customers of Santa Clara, California-based Versa Networks. It said four U.S. and one non-U.S. victim had been identified. Lumen did not name the victims and did not immediately respond to a request seeking further details.

Versa Networks issued an advisory on Monday acknowledging that the vulnerability had been exploited "in at least one known instance" by an advanced group of hackers, and urged customers to upgrade their software to fix the bug.

Lumen's blog post said that its researchers assessed with "moderate confidence" that the hacking campaign was carried out by an alleged Chinese government-backed group nicknamed "Volt Typhoon." The attacks happened as early as June 12, Lumen said.

The Chinese Embassy in Washington did not immediately respond to a request seeking comment, although Beijing routinely denies allegations of its involvement in cyberespionage. U.S. officials did not immediately respond to a request for comment but on Friday the U.S. Cybersecurity and Infrastructure Security Agency added the Versa vulnerability to its list of "known exploited vulnerabilities."

Brandon Wales, the recently departed executive director of CISA, was quoted by the Washington Post on Tuesday saying that China's hacking effort had "dramatically stepped up from where it used to be."

Volt Typhoon has emerged as a group of particular concern to U.S. cybersecurity officials. In April, FBI Director Christopher Wray said China was developing the "ability to physically wreak havoc" on U.S. critical infrastructure and that Volt Typhoon had burrowed into numerous U.S. telecommunications, energy, water and other critical services companies.
#73

Quote:Chinese-speaking users are the target of a "highly organized and sophisticated attack" campaign that is likely leveraging phishing emails to infect Windows systems with Cobalt Strike payloads.

"The attackers managed to move laterally, establish persistence and remain undetected within the systems for more than two weeks," Securonix researchers Den Iuzvyk and Tim Peck said in a new report.

The covert campaign, codenamed SLOW#TEMPEST and not attributed to any known threat actor, commences with malicious ZIP files that, when unpacked, activate the infection chain, leading to the deployment of the post-exploitation toolkit on compromised systems.

Present with the ZIP archive is a Windows shortcut (LNK) file that disguises itself as a Microsoft Word file, "违规远程控制软件人员名单.docx.lnk," which roughly translates to "List of people who violated the remote control software regulations."

"Given the language used in the lure files, it's likely that specific Chinese related business or government sectors could be targeted as they would both employ individuals who follow 'remote control software regulations,'" the researchers pointed out.
...
"The attackers further enabled themselves to hide in the weeds in compromised systems by manually elevating the privileges of the built-in Guest user account," the researchers said.

"This account, typically disabled and minimally privileged, was transformed into a powerful access point by adding it to the critical administrative group and assigning it a new password. This backdoor allows them to maintain access to the system with minimal detection, as the Guest account is often not monitored as closely as other user accounts."

The unknown threat actor subsequently proceeded to move laterally across the network using Remote Desktop Protocol (RDP) and credentials obtained via the Mimikatz password extraction tool, followed by setting up remote connections back to their command-and-control (C2) server from each of those machines.

The post-exploitation phase is further characterized by the execution of several enumeration commands and the use of the BloodHound tool for active directory (AD) reconnaissance, the results of which were then exfiltrated in the form of a ZIP archive.
...
The connections to China are reinforced by the fact that all of the C2 servers are hosted in China by Shenzhen Tencent Computer Systems Company Limited. On top of that, a majority of the artifacts connected with the campaign have originated from China.

"Although there was no solid evidence linking this attack to any known APT groups, it is likely orchestrated by a seasoned threat actor who had experience using advanced exploitation frameworks such as Cobalt Strike and a wide range of other post-exploitation tools," the researchers concluded.
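Added example (my own code, not from the Securonix report or the poster): a small triage check that flags the Guest-account backdoor pattern described in the post above, run over constructed Windows Security event records with simplified field names. The event IDs are the standard Windows ones (4722 account enabled, 4724 password reset, 4732 member added to a local group, 4624 logon); the weights and threshold are my assumption.

```python
from collections import defaultdict

# Constructed sample records (simplified Windows Security log fields).
# The WS-01 sequence mirrors the report: Guest enabled, given a password,
# added to Administrators, then used for an RDP (logon type 10) session.
SAMPLE_EVENTS = [
    {"ts": "2024-08-20T10:01:00", "id": 4722, "target": "Guest", "host": "WS-01"},
    {"ts": "2024-08-20T10:01:05", "id": 4724, "target": "Guest", "host": "WS-01"},
    {"ts": "2024-08-20T10:01:09", "id": 4732, "target": "Guest",
     "group": "Administrators", "host": "WS-01"},
    {"ts": "2024-08-20T10:30:00", "id": 4624, "target": "Guest",
     "logon_type": 10, "host": "WS-01"},
    # Ordinary group change for a normal user: should not be flagged.
    {"ts": "2024-08-20T11:00:00", "id": 4732, "target": "jdoe",
     "group": "Remote Desktop Users", "host": "WS-02"},
]

# Built-in accounts that are disabled by default and rarely legitimate to touch.
BUILTIN_DISABLED = {"guest", "defaultaccount"}
PRIVILEGED_GROUPS = {"administrators", "remote desktop users", "domain admins"}

def score_event(ev):
    """Return (weight, reason) when an event touches a built-in account, else None."""
    if ev.get("target", "").lower() not in BUILTIN_DISABLED:
        return None
    if ev["id"] == 4722:
        return 2, "built-in account enabled"
    if ev["id"] == 4724:
        return 2, "password reset on built-in account"
    if ev["id"] == 4732 and ev.get("group", "").lower() in PRIVILEGED_GROUPS:
        return 3, f"added to {ev['group']}"
    if ev["id"] == 4624 and ev.get("logon_type") == 10:
        return 1, "interactive RDP logon"
    return None

def find_guest_abuse(events, threshold=3):
    """Group scored events per (host, account) and report those over threshold."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = score_event(ev)
        if hit:
            by_account[(ev["host"], ev["target"])].append(hit)
    findings = []
    for (host, account), hits in by_account.items():
        total = sum(w for w, _ in hits)
        if total >= threshold:  # a single group add alone already alerts
            findings.append({"host": host, "account": account,
                             "score": total, "reasons": [r for _, r in hits]})
    return findings

if __name__ == "__main__":
    for f in find_guest_abuse(SAMPLE_EVENTS):
        print(f)
```

The threshold is set so that adding Guest to a privileged group alerts on its own, while an enable or password reset alone needs a second signal.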