Chinese


Chinese #hacking group #returns with new #tactics for #espionage #campaign

Source: National Cyber Security – Produced By Gregory Evans


A Chinese hacking operation is back with new malware attack techniques and has switched its focus to conducting espionage on western corporations, having previously targeted organisations and individuals in Taiwan, Tibet, and the Philippines.

Dubbed KeyBoy, the advanced persistent threat actor has been operating out of China since at least 2013 and in that time has mainly focused its campaigns against targets in the South East Asia region.

The last publicly known activity by KeyBoy saw it target the Tibetan Parliament between August and October 2016, according to researchers, but following that the group appeared to cease activity — or at least managed to get off the radar.

But now the group has reemerged and is targeting western organisations with malware which allows them to secretly perform malicious activities on infected computers. They include taking screenshots, key-logging, browsing and downloading files, gathering extended system information about the machine, and shutting down the infected machine.

KeyBoy’s latest activity has been uncovered by security analysts at PwC, who’ve analysed the new payload and found it includes new infection techniques replacing legitimate Windows binaries with a copy of the malware.

Like similar espionage campaigns by other hacking operations, the campaign begins with emails containing a malicious document – in the case analysed by PwC, the lure was a Microsoft Word document named ‘Q4 Work Plan.docx’.

But rather than delivering macros or an exploit, the lure uses the Dynamic Data Exchange (DDE) protocol to fetch and download a remote payload. Microsoft has previously described DDE as a feature, not a flaw.

In this case, Word tells the user there’s been an error and the document needs updating – if this instruction is run, a remote fake DLL payload is run, which in turn serves up a dropper for the malware.

Once the process has been run and the malware is installed, the initial DLL is deleted, leaving no trace of the malicious fake. Because the malware also disables Windows File Protection and the related popups, it isn’t immediately obvious to system administrators that a legitimate DLL was replaced.

Once inside the target system, the attackers are free to conduct espionage campaigns as they please – although PwC researchers have listed possible indicators of compromise which organisations can use to discover whether there are traces of KeyBoy in the network.

Similar techniques and attack capabilities have been observed in past KeyBoy campaigns, leading researchers to conclude that this campaign is by the same group.

Researchers have yet to uncover which specific organisations or sectors KeyBoy is targeting with its latest campaign, but say that the group has now turned its attention to conducting corporate espionage on organisations in the west.

Aside from knowing that they’re based in China, it has not yet been possible to unmask the KeyBoy hacker group or identify its ultimate motives. While it has some of the hallmarks of a state-backed operation, previous research into the group says any type of criminal gang could operate this style of campaign.

The post Chinese #hacking group #returns with new #tactics for #espionage #campaign appeared first on National Cyber Security Ventures.


Chinese #Hacking Efforts More #Strategic, Less #Noisy


Chinese hackers, once some of the most careless and noisy hackers around, have become very careful and much more strategic at choosing the targets they go after.

The stereotype of the Chinese hacker is well documented in the cyber-security industry. Chinese actors hack whatever they can, grab whatever they can, and sift through the data after the fact.

They also don’t care about stealth, rarely hide their tracks, and operate based on a set of general instructions that trickle down through a convoluted network of state agencies and private companies.

Nation-state cyber operations have been going on since the mid-90s, but it was only after the appearance of Chinese actors in the early 2000s that people started to pay more attention to the world of cyber-espionage.

While Russian and US groups were focusing on carrying out secret operations, putting most of their efforts in remaining hidden, Chinese hackers came like a flood and drove a truck through the front door with no regard to getting detected.

In fact, the term APT (advanced persistent threat), now used to describe hacker groups believed to be operating under the orders and protection of their governments, initially stood for Asia-Pacific Threat, mainly because of the onslaught of Chinese hacks at the start of the 2000s.

US-China pact had a temporary effect on Chinese hacking operations

Their clumsiness and noisy actions eventually landed China at odds with the US, and political tensions rose so much that in the autumn of 2015, Chinese and US authorities had to meet and sign a mutual pact where neither government would “conduct or knowingly support cyber-enabled theft of intellectual property.”

The pact effectively limited nation-state hacking between the two countries to intelligence gathering operations only.

This agreement had an immediate result: six months later, cyber-security firm FireEye noted that the pact and a series of military reforms had visibly slowed down China’s cyber-espionage operations.

In reality, Chinese hackers didn’t stop hacking, but just started choosing their targets more carefully.

Chinese hackers become more careful

Instead of driving a truck through the front door, Chinese hacker groups started to pick locks and operate in the shadows.

For example, the clever hack and poisoning of the CCleaner app is believed to have been carried out by a Chinese APT codenamed Axiom. And let’s not forget the well-planned hacks of cloud providers so Chinese hackers could silently reach into organizations’ internal networks.

“There was indeed a decrease in activity of Chinese APTs following the pact,” Tom Hegel, Senior Threat Researcher at 401TRG, told Bleeping Computer.

“They became more strategic and operate with improved tactics since then,” Hegel added. “They were once very noisy with little care for operational security. These days it’s more strategically controlled.”

Three reports detail new Chinese hacking operations

This is why it’s so rare and most likely a coincidence that we’ve seen three reports released in the past two weeks describing various cyber operations, all linked to China.

“I personally wouldn’t say these reports are a resurgence [of Chinese hacking activity], but rather a continued increase in public reporting and identification,” Hegel said.

The first of these three new reports detailing Chinese APT activity was published last week by RiskIQ. The report details a new remote access trojan named htpRAT that was used against various targets in Laos.

The RAT comes with the ability to log keystrokes, take screenshots, record audio and video from a webcam or computer microphone, install and uninstall programs and manage files. Infrastructure reuse links the group behind this malware with PlugX, the decade-old favorite malware of multiple Chinese APTs.

A second report was released yesterday by PwC’s cyber-security division. The report highlights new activity from a Chinese APT known as KeyBoy [1, 2], previously dormant for around four years.

The report also highlights a new RAT that can take screenshots, exfiltrate files, and download and run other malware. While previously the group targeted Taiwan, Tibet, and the Philippines, the group is now going after Western organizations. Parys says the group appears to currently be interested in corporate espionage.

Last but not least, we have Check Point’s revised report on the IoT_Reaper botnet. New evidence reveals that command and control domains used by the Reaper botnet were registered with an email address that is connected to the Black Vine Chinese APT, the group that breached health insurance provider Anthem in 2015.

It’s still a mystery why a cyber-espionage group would be building an IoT botnet. Some could say the group is creating a tool that could be used to launch DDoS attacks against targets the Chinese government would like to silence. Another theory is that Black Vine would use the botnet as a layer of proxies to hide future operations.

All in all, we’re seeing both a curbing and a maturation of Chinese hacking efforts, some of which can be attributed to the military reforms enforced by President Xi Jinping after he took power in 2012, when he said that government and military elements should stop using state resources for their own agendas.


Chinese Bitcoin exchange denies hacking rumors after theft of $2.5M


A Chinese Bitcoin trading exchange has denied rumors that it suffered a hacking attack after its users lost a total of $2.5 million in Bitcoins to unknown actors. On 4 October 2017, OKex, a cryptocurrency exchange which functions as part of the Chinese Bitcoin company OKcoin, acknowledged that several of…


The CCleaner Attack Linked to State-sponsored Chinese Hackers


Security researchers revealed that the CCleaner supply-chain attack, which resulted in millions of users downloading a backdoored version of the CCleaner PC software utility, was linked to state-sponsored Chinese hackers. The attack started in July with the compromise of a CCleaner server, which let attackers inject backdoor code into two versions of…


Chinese National Arrested in Los Angeles for Hacking Charge in US


The FBI has filed charges against a Chinese malware broker known as Yu Pingan, claiming that he provided malware to hackers, including the Sakula Trojan, for breaching numerous computer networks belonging to companies in the US. The FBI charges that Yu Pingan, also known as “GoldSun”, conspired with…


CHINESE HACKERS ATTACK GURUGRAM COMPANY


The Millennium City witnessed its first ransomware attacks by Chinese hackers, with two cases coming to light recently. A city-based clothing company has reported to the Gurugram police that the hackers demanded Rs 25 lakh from them as ransom. The other case involved a ransom demand of…


Behind the veil of Chinese white-hat hackers


Rebellious, talented and law-abiding twenty-somethings serve as the main force in today’s cyber security vigilantism.

Countless children dream of becoming a superhero. For many, the dream gradually fades. But others are actually realizing their dreams through invisible battles of good versus evil in the virtual world. “The word ‘hacker’ has been defamed. It only reminds people […]


Chinese cyber security law may make it difficult to manage risks, says Asia financial body


The chief of one of Asia’s most prominent financial trade bodies on Tuesday said new cyber security rules in China could make it harder for foreign companies operating in the country to manage risk as cyber threats become increasingly cross-border.


Chinese hackers ‘targeted US aircraft carrier patrolling in South China Sea’ as legal battle raged over who should control the waters


Chinese hackers tried to steal information from a US aircraft carrier patrolling in the South China Sea when the country was under pressure to withdraw its claim over the waters.
USS Ronald Reagan, a nuclear-powered aircraft carrier, was on patrol


Tesla Fixes Bugs After Chinese Hackers Show They Can Open Trunk, Apply Brakes


Tesla has rolled out a security patch for its electric cars after Chinese security researchers uncovered vulnerabilities they said allowed them to remotely attack a Tesla Model S sedan.
In a demonstration video, the researchers remotely engaged the brake on
