Chinese Cyber Espionage Techniques to Watch


Summary

China's state-sponsored cyber-espionage campaigns have grown markedly more sophisticated: they exploit zero-day vulnerabilities, especially in internet-facing appliances, target critical infrastructure, and draw on a state-backed apparatus for discovering and sharing exploits. These persistent and stealthy campaigns pose significant threats to organizations and national security worldwide.

  • Secure your public-facing systems: Inventory, update, and patch all internet-facing devices, including firewalls, VPN gateways, hypervisors, load balancers, and mail servers, to shorten the window in which newly disclosed vulnerabilities can be exploited.
  • Strengthen email security: Require multi-factor authentication, monitor for brute-force and password-spray attempts against mail accounts, and train employees to recognize phishing, since credential theft and malicious attachments are the common entry points described below.
  • Adopt a proactive defense approach: Use real-time monitoring and a Zero Trust security model so that intrusions are detected and contained before they escalate.
Summarized by AI based on LinkedIn member posts
  • Charles Durant

    Director Field Intelligence Element, National Security Sciences Directorate, Oak Ridge National Laboratory

    ‘The government of China has become considerably more proficient in exploiting zero-day vulnerabilities to achieve their espionage goals in the past five years, posing an alarming persistent threat to organizations throughout the world. Now, the country's nation-state actors are increasingly exploiting novel vulnerabilities in public-facing devices, notably edge appliances. In fact, an estimated 85% of known zero-day vulnerabilities exploited by Chinese state-sponsored groups since 2021 have targeted public-facing appliances, including firewalls, enterprise VPNs, hypervisors, load balancers, and email security tools, according to a recent report published by Insikt Group, the threat intelligence research arm of Recorded Future. Their success is underpinned by a threat sharing and support apparatus, according to Insikt. "The observed sharing of malware and exploit capabilities across Chinese state-sponsored actors is likely enabled by both upstream capability developers and wider domestic policy around software vulnerability discovery and weaponization," the report stated.’ https://lnkd.in/gAx3vBiw

  • Garett Moreau 🇺🇸

    World-Class Managed IT; Leader in CySec; Forensics Examiner; IT Polymath; Information Dominance

    CHINESE TAKEAWAY: The attackers exploit vulnerable internet-facing servers and use spear-phishing emails to deploy custom backdoors for #cyberespionage. Earth "Krahang" (a type of nocturnal ghost, a female spirit of Thai village folklore) builds VPN servers on compromised systems and performs brute-forcing to crack passwords for valuable email accounts. The threat actors employ open-source tools to scan public-facing servers for specific vulnerabilities. Most of the emails contain malicious attachments that drop backdoors to the victims' computers, spreading the infection and achieving redundancy in the case of detection and cleanup. Trend Micro says the attackers use compromised Outlook accounts "to brute force Exchange credentials, while Python scripts that specialize in exfiltrating emails from Zimbra servers were also spotted." https://lnkd.in/eX4vWc8a #auguryit #cysec
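The post above describes the actor brute-forcing passwords for valuable mail accounts and using compromised Outlook accounts to brute force Exchange credentials. The detection logic below is an added example, not Trend Micro's code and not anything from the original post: it runs over a constructed, simplified authentication log (timestamp, client IP, account, result) and flags three patterns, many failures on one account from one source (brute force), failures spread across many accounts from one source (password spray), and a success that lands right after a burst of failures on the same account (a guess that worked). The log format, field order, and thresholds are assumptions chosen for illustration.

```python
"""Brute-force and password-spray detection over mail authentication logs.

Added example for the Earth Krahang post above; this is not Trend Micro's
code and not from the original page. The log format is a constructed,
simplified one (ISO timestamp, client IP, account, FAIL/OK) and the
thresholds are illustrative assumptions, not published tuning values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window per source IP
BRUTE_THRESHOLD = 5              # failures on one account from one IP
SPRAY_THRESHOLD = 4              # distinct accounts failed from one IP
SUCCESS_AFTER_FAILS = 3          # failures preceding a success on the same pair

# Constructed sample log (not real data). Fields separated by single spaces:
# timestamp, client IP, account, result. Three scenarios: a brute force that
# succeeds, a spray across four accounts, and a benign typo followed by login.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 cfo@example.org FAIL
2024-03-01T10:00:03 203.0.113.7 cfo@example.org FAIL
2024-03-01T10:00:05 203.0.113.7 cfo@example.org FAIL
2024-03-01T10:00:08 203.0.113.7 cfo@example.org FAIL
2024-03-01T10:00:11 203.0.113.7 cfo@example.org FAIL
2024-03-01T10:00:14 203.0.113.7 cfo@example.org OK
2024-03-01T10:05:00 198.51.100.9 alice@example.org FAIL
2024-03-01T10:05:02 198.51.100.9 bob@example.org FAIL
2024-03-01T10:05:04 198.51.100.9 carol@example.org FAIL
2024-03-01T10:05:06 198.51.100.9 dave@example.org FAIL
2024-03-01T10:30:00 192.0.2.5 erin@example.org FAIL
2024-03-01T10:30:20 192.0.2.5 erin@example.org OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def detect(lines):
    """Return a list of findings, each a dict with a 'type', the source IP,
    and the account(s) involved. A finding is emitted once per
    (type, ip, account) so a long-running attack does not flood the output."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()),
                    key=lambda e: e[0])
    fails_by_pair = defaultdict(list)   # (ip, account) -> [timestamps]
    fails_by_ip = defaultdict(list)     # ip -> [(timestamp, account)]
    seen = set()
    findings = []

    def emit(kind, ip, account=None, **extra):
        key = (kind, ip, account)
        if key not in seen:
            seen.add(key)
            findings.append({"type": kind, "ip": ip, "account": account, **extra})

    for ts, ip, account, result in events:
        pair = (ip, account)
        # Drop observations older than the window before evaluating this event.
        fails_by_pair[pair] = [t for t in fails_by_pair[pair] if ts - t <= WINDOW]
        fails_by_ip[ip] = [(t, a) for t, a in fails_by_ip[ip] if ts - t <= WINDOW]

        if result == "FAIL":
            fails_by_pair[pair].append(ts)
            fails_by_ip[ip].append((ts, account))
            if len(fails_by_pair[pair]) >= BRUTE_THRESHOLD:
                emit("brute_force", ip, account, failures=len(fails_by_pair[pair]))
            targets = {a for _, a in fails_by_ip[ip]}
            if len(targets) >= SPRAY_THRESHOLD:
                emit("password_spray", ip, accounts=sorted(targets))
        elif result == "OK":
            # A success right after a burst of failures on the same account from
            # the same source is the signal that a guessed password landed.
            if len(fails_by_pair[pair]) >= SUCCESS_AFTER_FAILS:
                emit("success_after_failures", ip, account,
                     failures=len(fails_by_pair[pair]))
            fails_by_pair[pair].clear()
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The spray rule keys on the source IP rather than the account, because each account sees only one failure and a per-account lockout threshold never fires; the success-after-failures rule is the one worth paging on, since it marks the moment a credential was actually obtained.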

  • Sean Connelly🦉

    Zscaler | Fmr CISA - Zero Trust Director & TIC Program Manager | CCIEx2, MS-IST, CISSP

    🎯 China’s Hacker-for-Hire Strategy Is Scaling—And We’re the Target
    The front page of today’s Washington Post outlines what many in our field already know: We’re in “China’s golden age of hacking.” The scale and sophistication are escalating:
    💥 330+ intrusions attributed to suspected Chinese actors in 2023—double the previous year, per CrowdStrike.
    💥 Nation-state campaigns like Volt Typhoon, Salt Typhoon, and Silk Typhoon are not only penetrating strategic infrastructure—they’re also staying hidden and returning quickly.
    💥 Beijing’s strategy now includes private sector ‘enabler’ companies, incentivized to find zero-days and broker access across U.S. and allied networks.
    📣 One FBI official summed it up: “They’ll find a zero-day, scan for anything vulnerable, and then try to broker access — and now we have, scale-wise, a significantly larger problem.”
    🕵️ What makes Silk Typhoon so effective?
    🚨 Targets unpatched or misconfigured systems, including routers and security appliances.
    🚨 Moves laterally while erasing logs to obscure its tracks.
    🚨 Hides persistence mechanisms and backdoors that allow for near-immediate reentry after detection.
    🚨 Leverages zero-day exploits in widely deployed tools like Microsoft Exchange.
    🚨 Prioritizes supply chain and infrastructure access that enables stealthy movement across interconnected systems.
    As Mandiant’s CTO put it: “Few really understand how clever they are and how well they hide back doors.”
    🛡️ We can’t meet this moment with legacy security models or reactive playbooks. This demands persistent defense, real-time detection, and yes—stronger adoption of Zero Trust principles. CISA’s #ZeroTrust Maturity Model provides a clear, phased path for organizations to assess their current state and make concrete progress across identity, device, network, and data pillars.
    As CISA reminds us: “Cyberspace continues to be a critical front… We must maintain heightened vigilance across all critical infrastructure sectors.”
    📅 This WaPost article by Joseph Menn is a reminder: adversaries are scaling. So must our defenses.
    💬 Link in comments #cybersecurity #informationsecurity #computersecurity #technology

  • Mandiant (now part of Google Cloud) just published details related to the zero-day exploitation of VMware vCenter Server (CVE-2023-34048) by a China-nexus espionage actor since 2021. Here’s what you need to know:
    1️⃣ This is not a new vulnerability - VMware published the patch and security advisory in October 2023. They rate this as a critical security vulnerability (CVSS of 9.8). See VMware’s security advisory for more details - https://lnkd.in/eWq3Evm2
    2️⃣ Zero-day exploitation was limited - We observed UNC3886 exploit this vulnerability at less than 10 victim environments since late 2021. UNC3886 is one of the most advanced China-nexus espionage actors and has a history of exploiting zero-day vulnerabilities in VMware and Fortinet technology.
    3️⃣ All of the compromised VMware vCenter servers that Mandiant identified were only accessible from the victim’s internal network. UNC3886 used existing internal network access (through other backdoors or avenues) to exploit the vCenter servers.
    Finding concrete evidence of zero-day exploitation, especially when performed by advanced and careful threat actors who use anti-forensics techniques and clean up after themselves, can be incredibly challenging. When we come across something that we can't quite understand at the time, we often look back at prior cases to see if that helps us understand the situation better. Sometimes the missing link is only found months later on a future investigation. Alexander Marvi, Shawn Chew, and Punsaen B. did an amazing job connecting dots from multiple intrusion investigations over the past few years to figure this all out. Thanks to the VMware product security team for their support and collaboration with the research. Link to the blog: https://lnkd.in/enapwPZC

  • Dave Schroeder

    🇺🇸 Strategist, Cryptologist, Cyber Warfare Officer, Space Cadre, Intelligence Professional. Personal account. Opinions = my own. Sharing ≠ agreement/endorsement.

    A cyber-espionage campaign linked to a sophisticated hacking group believed to be based in China is continuing to compromise virtualization and networking infrastructure used by enterprises globally, according to a new deep-dive report by cybersecurity company Sygnia. The hackers are targeting VMware ESXi hypervisors, a type of software that controls and hosts virtual machines for enterprise networks. They are using custom tools that grant persistent access while evading detection by standard security measures such as endpoint detection and response (EDR) systems. Sygnia is tracking the campaign under the name Fire Ant, which shares similarities with UNC3886, based on what its regional head of incident response described as “unique” engagements. It follows UNC3886’s spying activities being highlighted by Singapore’s national security minister, Kasiviswanathan Shanmugam, who said the group was behind a series of incidents affecting the country's critical national infrastructure. https://lnkd.in/gkQJH88i

  • Andy Greenberg

    Senior Writer at WIRED

    Since 2021, a Chinese law has demanded that tech firms operating there report hackable (unpatched) bugs in their products to the government within 2 days. A new Atlantic Council report shows how firms seem to be complying—and how that helps China's hackers target their customers. https://lnkd.in/e6dCcggx The researchers go so far as to show how China's web portal for uploading bug reports demands detailed information for how to exploit those bugs, and how reports are then made available to China's Ministry of State Security and organizations like Shanghai Jiaotong University and the cybersecurity firm Beijing Topsec, both associated with known People's Liberation Army hacking operations. The report's authors also found a WeChat post from the Chinese government agency that collects the reports crediting six foreign tech firms (among others) for "passing examination," possibly indicating they complied with the vulnerability disclosure law. I reached out to all six firms: Beckhoff, D-Link, KUKA, Omron, Phoenix Contact, and Schneider Electric. You can read their responses (some flat-out denials, some more complicated/ambiguous reply statements) in the piece below. Thank you to Kristin Del Rosso and Dakota Cary for sharing their findings with me in advance of publication!

  • Bob Carver

    CEO Cybersecurity Boardroom ™ | CISSP, CISM, M.S. Top Cybersecurity Voice

    China-backed hackers have had access to some major U.S. critical infrastructure for "at least five years," according to an intelligence advisory released Wednesday. The U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Federal Bureau of Investigation released an advisory Wednesday to warn critical infrastructure operators about China's ongoing hacking interests. According to the advisory, China-backed hacking group Volt Typhoon has been exploiting vulnerabilities in routers, firewalls and VPNs to target water, transportation, energy and communications systems across the country. Volt Typhoon uses so-called "living off the land" techniques that limit any trace of their activities on a network — making the actors more difficult to detect. Some critical infrastructure, including water systems, lacks the funds to hire security personnel or upgrade equipment. U.S. cyber defenders are urging infrastructure operators to apply available software updates to all internet-facing systems, implement multi-factor authentication and turn on activity logs to track any suspicious user behavior. https://lnkd.in/gkV4Tykw #CyberSecurity #CriticalInfrastructure #China #OT #ICS

  • Albert Evans

    Chief Information Security Officer (CISO) | Critical Infrastructure Security | OT/IT/Cloud | AI & Cyber Risk Governance | Executive Security Leadership | People → Data → Process → Technology → Business

    Security experts have identified a breach by a Chinese state-sponsored hacker group into an Asian country's power grid since February 2023. Tied to APT41, the group expanded its foothold for over half a year, leaving uncertainty on their intent to disrupt power. This incident recalls a similar breach in India's grid in 2021 amidst geopolitical tensions, using familiar malware and infrastructure. Recent alerts highlight China's potential intrusions into US grids, prepping for possible blackouts. Alarmingly, China's focus seems to be shifting towards aggressive targeting of essential infrastructure, mirroring Russian tactics of embedding sabotage malware. In essence, the global community should be wary: Chinese hackers appear to aim for power grids more frequently, possibly laying the groundwork for future strategic disruptions. #Cybersecurity #APT41 #GridSecurity #ChinaHacking #CriticalInfrastructure
