<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:media="http://search.yahoo.com/mrss/">

<channel>
	<title>Cyber Espionage | Business Upturn</title>
	<atom:link href="https://www.businessupturn.com/news/topic/cyber-espionage/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.businessupturn.com</link>
	<description>India&#039;s leading business and financial news portal — markets, economy, stocks and corporate news.</description>
	<lastBuildDate>Thu, 29 Feb 2024 02:57:05 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://www.businessupturn.com/wp-content/uploads/2023/07/favicon-150x150.jpg</url>
	<title>Cyber Espionage | Business Upturn</title>
	<link>https://www.businessupturn.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Chinese cyberspies deploy new malware in Ivanti VPN attacks</title>
		<link>https://www.businessupturn.com/technology/cyber-security/chinese-cyberspies-deploy-new-malware-in-ivanti-vpn-attacks/</link>
		
		<dc:creator><![CDATA[Eesha Chakraborty]]></dc:creator>
		<pubDate>Thu, 29 Feb 2024 02:57:05 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cyber Espionage]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[malware]]></category>
		<guid isPermaLink="false">https://www.businessupturn.com/?p=404644</guid>

					<description><![CDATA[Chinese cyberespionage actors exploited Ivanti VPN vulnerabilities, deployed new malware for persistence, and showcased advanced techniques, highlighting the need for vigilance and timely patching.]]></description>
										<content:encoded><![CDATA[&lt;p data-sourcepos=&quot;3:1-3:375&quot;&gt;A recent report by cybersecurity firm Mandiant has shed light on a campaign by suspected Chinese cyberespionage actors targeting Ivanti Connect Secure VPN appliances. These actors have been exploiting vulnerabilities in the software to gain unauthorized access to victim networks and deploy new malware designed to maintain their presence even after system updates or resets.&lt;/p&gt;
&lt;p data-sourcepos=&quot;5:1-5:448&quot;&gt;The vulnerabilities in question were exploited in the wild as early as December 2023 and were publicly disclosed and patched by Ivanti in January 2024. Attackers nevertheless continued to exploit one of them, CVE-2024-21893, to deploy a new set of malware tools. This malware, tracked as LittleLamb.WoolTea, PitStop, PitDog, PitJet, and PitHook, allows the attackers to establish persistence on compromised systems, making it considerably harder to remove them completely.&lt;/p&gt;
&lt;p data-sourcepos=&quot;7:1-7:414&quot;&gt;Mandiant attributes this campaign to a group known as UNC5325, which they believe is linked to another Chinese cyberespionage group, UNC3886. UNC3886 has a history of targeting vulnerable VMware products to gain access to victim networks. Both groups are suspected of primarily targeting organizations in the defense, technology, and telecommunication sectors located in the United States and Asia-Pacific regions.&lt;/p&gt;
&lt;p data-sourcepos=&quot;9:1-9:755&quot;&gt;The attackers demonstrated a detailed understanding of the Ivanti VPN appliances, employing several techniques to maintain access after gaining initial entry. These included chaining vulnerabilities, deploying web shells such as BushWalk, and modifying open-source tools and built-in Ivanti utilities to evade detection. In some instances they abused the SparkGateway component, a legitimate remote access plugin framework, by installing malicious plugins named PitFuel and PitDog. These plugins were intended to load backdoors and persist across system updates, patches, and even factory resets. The attempt to survive a factory reset failed, however, because the factory-reset kernel and the running kernel used different encryption keys.&lt;/p&gt;
&lt;p data-sourcepos=&quot;11:1-11:393&quot;&gt;Mandiant’s findings highlight the evolving capabilities of suspected Chinese cyberespionage actors and their continued efforts to exploit vulnerabilities in internet-facing infrastructure. The use of novel malware and persistence techniques underscores the importance of timely patching of vulnerabilities, implementing robust security controls, and maintaining vigilance against evolving cyber threats.&lt;/p&gt;
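&lt;p&gt;The practical consequence of the persistence techniques described above is that an appliance can report a patched version while still carrying attacker-added or attacker-modified files, so patching alone is not proof of a clean system. The script below is an added example, not Mandiant’s, Ivanti’s or the article’s code: it snapshots SHA-256 digests of a directory tree, then diffs a later snapshot against that baseline to surface added, removed and modified files. The directory layout, file names and version string are hypothetical, and the sample tree is constructed in a temporary directory so the example runs offline.&lt;/p&gt;

```python
"""File-integrity baseline check for an appliance directory tree.

Added example, not vendor or Mandiant tooling. All paths and file names are
hypothetical; the sample tree is constructed in a temporary directory.
"""
import hashlib
import os
import tempfile


def hash_tree(root: str) -> dict[str, str]:
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            # Skip symlinks and anything that is not a regular file; a symlink
            # pointing outside the tree is worth a separate check, not silently hashed.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare a known-good baseline with a current snapshot.

    Any 'added' or 'modified' entry under a directory that only the vendor's
    update process should touch (a plugin directory, for instance) is a
    finding that needs explaining, even if the appliance reports a patched version.
    """
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed appliance-like tree, snapshot it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "plugins"))
        with open(os.path.join(root, "plugins", "vendor_plugin.jar"), "wb") as fh:
            fh.write(b"legitimate plugin bytes")  # constructed content
        with open(os.path.join(root, "version.txt"), "w") as fh:
            fh.write("1.0.0\n")  # hypothetical version string
        baseline = hash_tree(root)

        # Simulate what a persistence attempt looks like on disk: an unexpected
        # plugin dropped beside the legitimate one, and a vendor file altered in place.
        with open(os.path.join(root, "plugins", "unexpected_plugin.jar"), "wb") as fh:
            fh.write(b"not from the vendor")
        with open(os.path.join(root, "version.txt"), "w") as fh:
            fh.write("1.0.0\nextra line\n")
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

&lt;p&gt;In real use the baseline would be taken from a known-good image or from the vendor’s published file manifest rather than from the possibly already-compromised device, and the comparison run after every patch cycle; a diff that is empty everywhere except the vendor’s own update paths is what a clean result looks like.&lt;/p&gt;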
]]></content:encoded>
					
		
		
		<media:content url="https://www.businessupturn.com/wp-content/uploads/2024/02/Chinese-cyberspies-deploy-new-malware-in-Ivanti-VPN-attacks.jpg" medium="image" width="1200" height="675"><media:title type="html"><![CDATA[Chinese cyberspies deploy new malware in Ivanti VPN attacks]]></media:title></media:content>
<media:thumbnail url="https://www.businessupturn.com/wp-content/uploads/2024/02/Chinese-cyberspies-deploy-new-malware-in-Ivanti-VPN-attacks.jpg" width="1200" height="675" />
	</item>
		<item>
		<title>Fake hostage site used in Israeli cyberattack</title>
		<link>https://www.businessupturn.com/technology/cyber-security/fake-hostage-site-used-in-israeli-cyberattack/</link>
		
		<dc:creator><![CDATA[Eesha Chakraborty]]></dc:creator>
		<pubDate>Thu, 29 Feb 2024 02:57:05 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cyber Espionage]]></category>
		<category><![CDATA[Cyberattack]]></category>
		<category><![CDATA[Iran]]></category>
		<category><![CDATA[Israel]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing]]></category>
		<guid isPermaLink="false">https://www.businessupturn.com/?p=404656</guid>

					<description><![CDATA[Iranian hackers launched cyber attacks against Israel using a fake hostage website and other deceptive tactics.]]></description>
										<content:encoded><![CDATA[&lt;p&gt;In a recent revelation by the cybersecurity firm Mandiant, a sophisticated cyber espionage campaign originating from Iranian hackers has come to light. This campaign, attributed to the hacker group known as UNC1546 or Tortoiseshell, is allegedly closely associated with Iran’s Islamic Revolutionary Guard Corps (IRGC).&lt;/p&gt;
&lt;p&gt;The crux of this campaign revolves around the creation of a deceptive website purportedly advocating for the release of Israeli hostages held by Hamas. However, instead of serving its stated humanitarian purpose, this site has been utilized as a platform for launching cyber attacks against Israeli targets. Under the guise of the “Bring Them Home Now” movement, which ostensibly seeks the return of the hostages, the hackers deployed malware named MINIBUS. Disguised as an application related to the hostages, unsuspecting users who installed it inadvertently triggered a decoy designed to infiltrate their systems.&lt;/p&gt;
&lt;p&gt;The modus operandi of the UNC1546 hackers extends beyond the fabrication of a fake hostage support site. In one instance, they employed a quiz application as a decoy for spreading the MINIBUS malware. Furthermore, the group utilized deceptive tactics such as circulating false job offers in the defense and technology sectors, embedding malicious payloads within the links shared.&lt;/p&gt;
&lt;p&gt;The scope of their cyber activities transcends the Israeli context, encompassing targeted attacks on entities within the Middle Eastern aerospace, aviation, and defense industries. While Israel and the United Arab Emirates are confirmed targets, other nations like Turkey, India, and Albania are identified as potential targets, raising concerns about the broader regional implications of this cyber campaign.&lt;/p&gt;
]]></content:encoded>
					
		
		
		<media:content url="https://www.businessupturn.com/wp-content/uploads/2024/02/Fake-hostage-site-used-in-Israeli-cyberattack.jpg" medium="image" width="1200" height="675"><media:title type="html"><![CDATA[Fake hostage site used in Israeli cyberattack]]></media:title></media:content>
<media:thumbnail url="https://www.businessupturn.com/wp-content/uploads/2024/02/Fake-hostage-site-used-in-Israeli-cyberattack.jpg" width="1200" height="675" />
	</item>
		<item>
		<title>Leaked documents expose China’s cyber espionage network</title>
		<link>https://www.businessupturn.com/technology/cyber-security/leaked-documents-expose-chinas-cyber-espionage-network/</link>
		
		<dc:creator><![CDATA[Eesha Chakraborty]]></dc:creator>
		<pubDate>Fri, 23 Feb 2024 16:44:29 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Espionage]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data leak]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Vigilance]]></category>
		<guid isPermaLink="false">https://www.businessupturn.com/?p=402350</guid>

					<description><![CDATA[A massive leak of data from I-Soon, a Chinese tech security firm, has exposed details of China&apos;s cyber espionage operations.]]></description>
										<content:encoded><![CDATA[&lt;p data-sourcepos=&quot;3:1-3:415&quot;&gt;The revelation of a massive data leak from I-Soon, a Chinese tech security firm deeply intertwined with the country’s government agencies. This unprecedented breach offered a startling glimpse into the inner workings of China’s cyber espionage apparatus, raising serious concerns about global security and the extent of state-sponsored hacking activities.&lt;/p&gt;
&lt;p data-sourcepos=&quot;5:1-5:403&quot;&gt;The leaked data, encompassing contracts, marketing materials, product manuals, and personnel lists, painted a disturbing picture of I-Soon’s involvement in a wide range of activities. From large-scale surveillance of overseas dissidents to targeted hacking campaigns against foreign nations, the documents laid bare the methods employed by Chinese authorities to exert influence and gather intelligence.&lt;/p&gt;
&lt;p data-sourcepos=&quot;7:1-7:476&quot;&gt;One particularly concerning aspect of the leak was the revelation of I-Soon’s role in hacking networks across Central and Southeast Asia, as well as Hong Kong and Taiwan. The leaked documents detailed sophisticated tools used to unmask users on social media platforms, infiltrate email accounts, and mask the online activities of Chinese agents operating abroad. This ability to operate with near impunity highlights the sophistication and reach of China’s cyber capabilities.&lt;/p&gt;
&lt;p data-sourcepos=&quot;9:1-9:467&quot;&gt;Furthermore, the leak shed light on the competitive landscape of state-sponsored hacking. Documents revealed how government targeting requirements fueled a marketplace of independent contractor hackers-for-hire, with I-Soon acting as a key player in this ecosystem. This revelation underscores the potential for such activities to become increasingly decentralized and difficult to track, posing a significant challenge for international efforts to combat cybercrime.&lt;/p&gt;
&lt;p data-sourcepos=&quot;11:1-11:555&quot;&gt;The impact of this leak is multifaceted. On one hand, it has severely damaged I-Soon’s reputation, exposing the company’s close ties to the Chinese government and raising ethical questions about its activities. On the other hand, it has provided invaluable insights for the cybersecurity community, offering a rare opportunity to understand the inner workings of a state-affiliated hacking contractor. This knowledge can be used to improve attribution efforts, develop more effective defence strategies, and raise awareness of the evolving threat landscape.&lt;/p&gt;
&lt;p data-sourcepos=&quot;11:1-11:555&quot;&gt;The source of the leak remains unknown. Regardless of its origin, the leak has sparked a global conversation about the ethical implications of state-sponsored hacking and the need for international cooperation to address this growing threat. While the investigation into the leak’s authenticity continues, its credibility has been widely acknowledged by cybersecurity experts, further amplifying its significance.&lt;/p&gt;
]]></content:encoded>
					
		
		
		<media:content url="https://www.businessupturn.com/wp-content/uploads/2024/02/Leaked-documents-expose-Chinas-cyber-espionage-network.jpg" medium="image" width="1200" height="675"><media:title type="html"><![CDATA[Leaked documents expose China’s cyber espionage network]]></media:title></media:content>
<media:thumbnail url="https://www.businessupturn.com/wp-content/uploads/2024/02/Leaked-documents-expose-Chinas-cyber-espionage-network.jpg" width="1200" height="675" />
	</item>
	</channel>
</rss>
