Chinese Hackers Archives – Gridinsoft Blog

Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Chinese Hackers Use Google Command & Control Capabilities in Attacks
Published Thu, 20 Apr 2023 11:28:52 +0000 at https://gridinsoft.com/blogs/google-command-and-control/

Google experts have warned that the Chinese “government” hack group APT41 is abusing the red team’s GC2 (Google Command and Control) tool. According to experts, GC2 was used in attacks on Taiwanese media and an unnamed Italian recruiting company.

Let me remind you that we also wrote that Chinese Hackers Injected a Backdoor into the MiMi Messenger, and that Chinese Hackers Use Ransomware As a Cover for Espionage.

Information security specialists also reported that Three Chinese APT Groups Attack Major Telecommunications Companies.

The Google Threat Analysis Group (TAG) links this campaign to the hacker group HOODOO, also known as APT41, Barium, Bronze Atlas, Wicked Panda and Winnti. Typically, this group targets a wide range of industries in the US, Asia, and Europe.

Google Command and Control is an open source project written in Go and developed specifically for the red team.

“This program is designed to provide command and control that does not require any specific configuration (e.g. custom domain, VPS, CDN, etc.) during red team operations. In addition, the program will only interact with Google domains (*.google.com) to make it harder to detect,” says the description in the official project repository on GitHub.

Essentially, the project consists of an agent that is deployed to compromised devices and then connects to a Google Sheets URL to receive commands to execute. The received commands make the agent download and install additional payloads from Google Drive or, conversely, steal data by uploading it to the cloud storage.

According to the TAG report, APT41 attacks start from phishing emails containing links to a password-protected file hosted on Google Drive. This file contains GC2, which penetrates the victim’s system.

While it is not known what additional malware was distributed with GC2 this time around, APT41 typically deploys a wide range of malware on compromised systems. For example, a 2019 report by Mandiant explained that attackers use rootkits, bootkits, custom malware, backdoors, PoS malware, and in some cases even ransomware in their campaigns.

The researchers write that this find is notable for two reasons: first, it shows that Chinese hackers are increasingly relying on freely available and open-source tools to make attacks more difficult to attribute. Second, it points to the growing proliferation of malware and tools written in Go, which is popular with attackers due to its cross-platform and modular nature.

Google also warned that “the undeniable importance of cloud services” has made them a profitable target for both “government” hackers and ordinary cybercriminals, who are increasingly using them “either as hosts for malware or as C2 infrastructure”.

Chinese Hacker Group Revealed after a Decade of Undetected Espionage
Published Fri, 10 Jun 2022 13:23:43 +0000 at https://gridinsoft.com/blogs/chinese-hacker-group-revealed-after-a-decade-of-undetected-espionage/

The New Chinese Spying Threat Actor Identified

SentinelLabs, an American cybersecurity company, has reported on a Chinese hacking group, Aoqin Dragon, which has managed to conduct successful spying activities against companies in Australia and South Asia for about ten years without being tracked.

Different cybersecurity companies partially encountered the group’s actions in the past, but due to Aoqin Dragon’s skillful changes of tactics, the gang remained undetected until recently.

It has been revealed that the gang used bait documents with embedded scripts (earlier these were RTF files, until the respective vulnerabilities were fixed) thematically united by two main subjects: news and politics of the Asia-Pacific region, and porn. This allowed SentinelLabs to understand the area of the hackers’ activity, and Chinese characters in the malware code gave researchers a hint about the origin of the malefactors.

Although the techniques and practices changed throughout the decade, two things remain unchanged in Aoqin Dragon’s tactics: heavy use of fake removable-drive shortcuts that trick an unaware user into starting the malware download, spreading to any connected removable drives, and installation of backdoors.

Modern-day Aoqin Dragon attack scheme. Image: SentinelLabs.

The modern scheme involves the user clicking a spoofed removable-drive icon, after which the download of the malware, a DLL-hijacking file posing as the “Evernote Tray Application”, begins. As a result, every connected removable disk receives a copy of the malware, and on the next system boot a backdoor starts, allowing the hackers to roam throughout the compromised system.

Two backdoors, Mongall and Heyoka, are the criminals’ regular tools for deploying spying malware of various kinds and conducting data theft on the compromised systems.

Aoqin Dragon has been identified, but it is nothing close to being seized. Presumably, PRC authorities have no interest in stopping these hackers, practically making nation-state threat actors out of them, just as Russian special services cooperate with Russia-originating hacker groups. Therefore, it is believed that Aoqin Dragon will go on with its attacks under the protection of the Chinese government.

Chinese hackers use Zimbra 0-day vulnerability to hack European media and authorities
Published Fri, 04 Feb 2022 22:41:26 +0000 at https://gridinsoft.com/blogs/chinese-hackers-use-zimbra-0-day-vulnerability/

Security firm Volexity has warned that a previously unknown Chinese hack group is exploiting a 0-day vulnerability in Zimbra’s collaborative software.

According to official statistics, more than 200,000 enterprises in 140 countries around the world use Zimbra, including more than 1,000 government and financial institutions. The researchers write that using the 0-day vulnerability, attackers gain access to the mailboxes of European authorities and the media.

The attacks were discovered in mid-December, and although Volexity notified the Zimbra developers about the bug as early as December 16, the company has not yet released a patch.

“Attackers first started exploiting the vulnerability on December 14, 2021, when the first attacks on some Volexity clients were recorded,” the researchers report.

The attacks were divided into two stages. Initially, the hackers sent a harmless email to victims to determine if the right accounts were active and whether users would open suspicious emails from unknown individuals.

An example of a hacker letter (image).

The actual attack only happened with a second email, in which the hackers included a link. If the user accessed this URL, they were taken to a hacker site where malicious JavaScript code performed an XSS attack on Zimbra webmail at the victim’s organization.

The vulnerability works against Zimbra webmail clients versions 8.8.15 P29 and P30 and allows stealing Zimbra session cookies. These cookies allow hackers to connect to someone else’s Zimbra account, from where they gain access to email (they can view emails in victims’ mailboxes and steal their contents), after which they send additional phishing messages to the user’s contacts and also offer targets to download malware.

Attack scheme (image).

While there are currently over 33,000 Zimbra servers on the web, Volexity says the 0-day thankfully does not affect Zimbra 9.x (the most recent version of the platform).

Based on the attacker infrastructure used in these attacks, experts were unable to link what was happening to any previously known hack group. As a result, the group was given the name TEMP_Heretic. At the same time, experts report that “the attacker is probably of Chinese origin.”

Let me remind you that we reported that Chinese hackers attacked US organizations and exploit bugs in F5, Citrix and Microsoft Exchange and also that Hackers attacked Microsoft Exchange servers of the European Banking Authority.

Cybersecurity researchers discovered Chinese hack group Earth Lusca
Published Wed, 19 Jan 2022 22:41:46 +0000 at https://gridinsoft.com/blogs/chinese-hack-group-earth-lusca/

According to a Trend Micro report, the Chinese cyber-espionage hack group Earth Lusca not only monitors strategic targets, but also engages in financially motivated attacks for profit.

The researchers write that in recent years, the hack group has been spying on a variety of targets that could be of interest to the Chinese government, for example:

  • government agencies in Taiwan, Thailand, the Philippines, Vietnam, the UAE, Mongolia and Nigeria;
  • educational institutions in Taiwan, Hong Kong, Japan and France;
  • media in Taiwan, Hong Kong, Australia, Germany and France;
  • pro-democracy and human rights political organizations and movements in Hong Kong;
  • research organizations studying COVID-19 in the US;
  • telecommunications companies in Nepal;
  • religious movements banned in mainland China.

Interestingly, at the same time, the group managed to attack gambling companies in China and various cryptocurrency platforms, stealing other people’s funds.

The Record notes that hack groups that practice both financially motivated and spy attacks are not a rarity. For example, Iranian hackers hack into VPN devices around the world, select important targets they need to collect data, and sell the “surplus” on the dark web, on forums frequented by ransomware operators.

North Korean hackers are a category in their own right, as some of them are clearly authorized by the state to rob banks and cryptocurrency exchanges to raise money for their country, which has long been under severe economic sanctions.

As for China, similar behavior has been previously observed in some hack groups from the Middle Kingdom. For example, the FireEye report talks about APT41 (aka Double Dragon), whose tactics are in many ways similar to Earth Lusca.

Trend Micro reports that Earth Lusca participants mainly use three attack methods in their campaigns:

  • exploitation of unpatched vulnerabilities on Internet-accessible servers and web applications (e.g. Oracle GlassFish and Microsoft Exchange);
  • targeted phishing emails that contain links to malicious files or websites;
  • watering hole attacks, in which victims are lured to pre-compromised sites that then try to infect them with malware.

In most cases, the attackers aimed to deploy Cobalt Strike on infected hosts, and the payloads used during the second phase of the attack include the Doraemon, ShadowPad, Winnti and FunnySwitch backdoors, as well as the AntSword and Behinder web shells.

The researchers also noted that the group often deploys mining malware on infected hosts. It remains unclear whether this is done for the sake of mining cryptocurrency or as a way to divert the attention of the victim company’s IT specialists, who may believe that the hack was the work of an ordinary mining botnet rather than a complex spy operation.

Let me remind you that I talked about the fact that the Chinese hack group Aquatic Panda exploits Log4Shell to hack educational institutions, and also that the Chinese hack group Chimera steals data from air passengers.

Hackers attacked Microsoft Exchange servers of the European Banking Authority
Published Tue, 09 Mar 2021 16:08:01 +0000 at https://gridinsoft.com/blogs/hackers-attacked-microsoft-exchange-servers-of-the-eba/

Hackers attacked the Microsoft Exchange servers of the European Banking Authority (EBA). Due to the attack, the EBA had to temporarily shut down its mail systems as a precaution.

EBA launched an investigation of the incident in partnership with its information and communications technology provider, a group of information security experts and other relevant organizations.

“Since the vulnerability is related to the EBA mail servers, attackers could presumably gain access to confidential information through emails,” the agency said.

The EBA also said the experts secured the email infrastructure and found no evidence of data theft.

This incident is a consequence of an ongoing large-scale campaign to exploit vulnerabilities in Microsoft Exchange mail servers.

We remind you that last week Microsoft released emergency security updates for its Exchange mail server, fixing four zero-day vulnerabilities that are being actively exploited by Chinese hackers.

According to experts, attacks using the vulnerabilities in Microsoft Exchange could affect more than 60,000 organizations around the world. In this regard, the Bloomberg publication predicts a new global cybersecurity crisis.

“The result is a second cybersecurity crisis coming just months after suspected Russian hackers breached nine federal agencies and at least 100 companies through tampered updates from IT management software maker SolarWinds LLC. Cybersecurity experts that defend the world’s computer systems expressed a growing sense of frustration and exhaustion,” Bloomberg journalists write.

According to a former senior U.S. official familiar with the investigation, the attack began with a hacker group backed by the Chinese government.

Initially, Chinese hackers appeared to be targeting important intelligence aims in the United States. About a week ago, everything changed. Other hacker groups began hitting thousands of victims in a short period of time by introducing hidden software that could give them access to companies’ mail.

Either way, the attacks were so successful – and so quick – that hackers seem to have found a way to automate the process.

“If you are using an Exchange server, you are most likely to be a victim,” said Steven Adair, head of the northern Virginia-based Volexity.

Microsoft has released emergency patches for Exchange
Published Wed, 03 Mar 2021 18:51:33 +0000 at https://gridinsoft.com/blogs/emergency-patches-for-exchange/

Microsoft has released emergency patches for four 0-day vulnerabilities found in the code of the Exchange mail server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

The company warned that Chinese hackers from the Hafnium group are already exploiting these problems. To start an attack, hackers only need to be able to reach the on-premises Microsoft Exchange server on port 443.

  • CVE-2021-26855 – SSRF vulnerability that allowed sending arbitrary HTTP requests and bypassing authentication.
  • CVE-2021-26857 – Unified Messaging deserialization issue. Using this bug gave a hacker the ability to run code with SYSTEM privileges on the Exchange server. For the exploit to work, administrator rights or another vulnerability were required.
  • CVE-2021-26858 – Arbitrary file write vulnerability (after authentication with Exchange).
  • CVE-2021-27065 – Another arbitrary file write vulnerability (also after authentication with Exchange).

Previously, this hack group attacked various American organizations, including infectious disease researchers, law firms, higher education institutions, defence contractors, political think tanks and NGOs.

The newest Hafnium attacks, recorded in 2021, exploited all four zero-day vulnerabilities in Exchange.

“The hackers used these bugs as links in an exploit chain that involved bypassing authentication, gaining administrator privileges, and then installing an ASPX web shell on compromised servers,” Microsoft representatives said.

Having secured themselves on the Exchange server, the criminals stole the contents of mailboxes and address books, transferring this information to their remote server (most often file hosting services such as Mega were used for this purpose).

The first attacks on their clients’ servers were discovered by Volexity specialists, who have already prepared their own report on this malicious campaign. Microsoft also reports that it received a warning about the attacks from Danish firm Dubex experts.

Along with the Exchange vulnerabilities listed above, the developers have fixed three other bugs (CVE-2021-27078, CVE-2021-26854 and CVE-2021-26412) discovered during the incident investigation.

Microsoft engineers recommend that administrators install patches as soon as possible, or at least secure port 443 from possible attacks.

Let me remind you that I talked about the fact that Microsoft left open one of the internal servers of the search engine Bing.

Hackers used Firefox extension to hack Gmail
Published Mon, 01 Mar 2021 16:48:41 +0000 at https://gridinsoft.com/blogs/firefox-extension-to-hack-gmail/

Proofpoint discovered a campaign in which hackers used a Firefox extension to hack Gmail. The attacks were linked to the Chinese group TA413.

According to the researchers, the campaign was active from January to February 2021. Hackers attacked Tibetan organizations around the world using a malicious Firefox extension that steals Gmail and Firefox data and then downloads malware onto infected systems.

The researchers say that cybercriminals attacked Tibetan organizations with targeted phishing emails that lured victims to sites prompting them to install a fake Flash update, allegedly required to view the content.

In fact, these resources contained code that divided users into groups: only Firefox users with an active Gmail session were offered the malicious extension, while the hackers were not interested in other users.

The malicious extension was called “Flash update components”, but in fact it was a variation of the legitimate Gmail notifier (restartless) extension, and was capable of abusing the following features.

Gmail:

  • Search for emails
  • Archive emails
  • Receive Gmail notifications
  • Read emails
  • Change the audio and visual alert functionality in Firefox
  • Flag emails
  • Mark emails as spam
  • Delete messages
  • Refresh the inbox
  • Forward emails
  • Search in email
  • Delete messages from the Gmail Trash
  • Send mail from a compromised account

Firefox (depends on the rights granted):

  • Access to user data from all sites
  • Show notifications
  • Read and change privacy settings
  • Access browser tabs

However, the attack did not end there. The extension also downloaded and installed ScanBox malware on the infected machine. It is an old malware tool based on PHP and JavaScript that has been used more than once in attacks by Chinese hack groups.

The last recorded use of ScanBox dates back to 2019, when analysts at Recorded Future noticed attacks on visitors of Pakistani and Tibetan sites.

“ScanBox is capable of tracking visitors to certain sites, acting as a keylogger, and stealing user data that could be used in future attacks,” Recorded Future said.

Interestingly, this time the fake Flash attacks worked better than ever. While most users have long known that they should stay away from sites offering Flash updates, support for Flash was discontinued early this year. On January 12, 2021, all Flash content stopped playing in browsers, and this seems to be what made the TA413 attacks much more successful than usual.

Let me also remind you that a special version of Flash for China turned into adware.

Chinese hack group Chimera steals data from air passengers
Published Thu, 21 Jan 2021 16:29:54 +0000 at https://gridinsoft.com/blogs/chinese-hack-group-chimera-steals-data-from-air-passengers/

According to reports of cybersecurity researchers, the Chinese hack group Chimera is stealing data from air passengers. The NCC Group and its subsidiary Fox-IT have published a joint report on the activity of Asian hackers.

For the first time, experts from the cybersecurity firm CyCraft spoke about this group last year, presenting their findings at the Black Hat 2020 conference.

According to analysts from NCC Group and Fox-IT, who watched the hackers from October 2019 to April 2020, the group’s activities were not limited to attacks on Taiwanese semiconductor manufacturers, as previously assumed. It turned out that the hackers were no less interested in the aviation industry, and not only in Asian countries. In some cases, attackers successfully hid inside the networks of compromised companies for up to three years, avoiding detection.

While the attacks on the semiconductor industry were aimed at stealing intellectual property, the attacks on the aviation industry had a very different purpose: hackers stole the personal data of passengers (Passenger Name Records).

“The methods for obtaining PNR data differed and probably depended on the individual victim, but we observed the use of a number of custom DLLs designed to continuously fetch PNR data from the memory of systems where such information is usually processed, for example, from flight booking servers,” says the report.

Typically, Chimera attacks began with a collection of credentials that had been leaked to the public as a result of various incidents. This data was then used to carry out targeted attacks such as credential stuffing and password spraying.

That is, the attackers tried different usernames and tried to use them with the same simple, easily guessed password, in the hope of finding a poorly protected account. In addition, hackers have abused the fact that many people use the same logins and passwords for different sites and services.

“Such attacks by Chimera were aimed at specific employees of targeted companies in order to, for example, compromise their mail. Having penetrated into someone else’s mailbox, hackers looked for data there that would help them gain access to corporate systems (Citrix, VPN, and so on),” say Fox-IT researchers.

On the internal networks of the victim companies, attackers took their time and usually deployed Cobalt Strike, which they used to move laterally across the network and hack as many systems as possible. In this way, the attackers searched for IP addresses and information about passengers. The detected data was regularly uploaded to various cloud services, including OneDrive, Dropbox and Google Drive (such traffic is usually not suspicious and is not blocked).

The experts’ report does not specify which passengers the attackers were primarily interested in, or what the ultimate goal of this large-scale campaign was. However, this is far from the first time that “government hackers” have attacked airlines, hotel chains and telecoms in order to obtain information that can be used to track the movements and contacts of specific individuals.

Let me remind you that Chinese hackers attack US organizations and exploit bugs in F5, Citrix and Microsoft Exchange.

Google revealed the most powerful DDoS attack in history
Published Sat, 17 Oct 2020 09:51:48 +0000 at https://gridinsoft.com/blogs/google-revealed-the-most-powerful-ddos-attack-in-history/

This week, the Google Cloud team talked about a previously unknown DDoS attack that targeted a Google service back in September 2017 and peaked at 2.54 TB/sec, making it the most powerful recorded attack in history.

Soon, analysts from the Google Threat Analysis Group (TAG) published their report on the incident, in which they said that “government hackers” were responsible for the attack.

According to TAG, the attack came from China, from the networks of four specific providers: ASN 4134, 4837, 58453, and 9394.

The researchers write that 2.54 TB/sec was the culmination of a six-month long campaign against Google, during which attackers used various attack methods and tried to undermine the company’s server infrastructure. It was not reported which services the hackers were targeting.

“Attackers used multiple networks to spoof 167,000,000 packets per second into 180,000 open CLDAP, DNS and SMTP servers, which then sent huge responses to us. This demonstrates the scale that well-resourced criminals can achieve: four times the record 623 GB/s attack carried out by the Mirai botnet a year earlier [in 2016]”, — wrote Google engineers.

It is also worth noting that the incident described by Google surpasses even the attack on Amazon that occurred in February of this 2020, the capacity of which was 2.3 TB/sec. That is, the record for DDoS attacks has once again been broken.


Google experts explain that for a number of reasons they kept the incident secret for several years, but have now decided to make it public. The Google TAG team wanted to draw attention to the growing number of DDoS attacks carried out by government hackers, and to the fact that, as the Internet develops, the number and power of such attacks will only continue to increase.

However, since the attack described, which dates back to 2017, still holds the record for peak throughput, this somewhat weakens the confidence one can place in extrapolating such statistics.

Reference:
With a DDoS attack, an adversary hopes to disrupt their victim’s service with a flood of useless traffic. While this attack doesn’t expose user data and doesn’t lead to a compromise, it can result in an outage and loss of user trust if not quickly mitigated.

Let me also remind you that the multifunctional Lucifer malware uses many exploits and is engaged in both mining and DDoS attacks.

Chinese hack group SilentFade defrauded Facebook users for $4,000,000
https://gridinsoft.com/blogs/chinese-hack-group-silentfade-defrauded-facebook-users-for-4000000/
Fri, 02 Oct 2020 16:46:40 +0000

At the Virus Bulletin 2020 conference, Facebook’s security team revealed one of the most complex malware operations it has ever faced. Information security experts described the Chinese hack group SilentFade, which defrauded Facebook users of more than 4 million dollars.

The main target of these hackers, as you might guess, was Facebook users. The attackers used Windows Trojans, browser injection, scripting, and even vulnerabilities in the Facebook platform in their campaigns.

This is not surprising, considering that Facebook does have bugs; for example, I recently talked about a Vulnerability in OAuth Protocol that Allows Hacking Any Facebook Account.

The hackers’ task was to infect users with a Trojan, take control of their browsers, and steal passwords and cookies to gain access to the victims’ social network accounts.

First of all, the hackers were interested in accounts that had some payment method linked to them. On behalf of such accounts, SilentFade bought ads on Facebook, of course using the victim’s funds.

[Figure: Overview of the attack scheme]

Although the group’s activity lasted only a few months, according to Facebook the fraudsters managed to earn more than 4,000,000 US dollars during this time, and the entire sum was spent on placing malicious ads.

Such ads, as a rule, were limited to the geographic region of the infected user (in order to limit their availability and not attract too much attention), and all were built according to the same template. For example, hackers used short URLs and celebrity images to lure users into various fraudulent sites selling controversial products, including weight loss aids, keto pills, and more.

The investigation made it possible to identify the malware used by the cybercriminals, the strains of the group’s malware, and campaigns dating back to 2016. In the end, all of this helped to link the suspicious activity to a specific Chinese company and two developers.

According to Facebook, SilentFade began operations in 2016, when a malware called SuperCPA was developed, primarily targeting Chinese users.

“Not much is known about this malware because it was controlled by downloadable configuration files, but we believe it was used for click fraud (CPA stands for Cost Per Action in this case)”, the experts said.

The researchers reported that the attackers distributed SilentFade bundled with legitimate software that they posted for download on the Internet. For example, at one point Facebook experts stumbled upon an announcement from the SilentFade developers published on hacker forums. The scammers wrote that they were ready to buy traffic from hacked sites and other sources, and after the purchase they redirected it to pages hosting various software infected with SilentFade.

If a user fell for the scammers’ trick and the malware entered the system, the SilentFade Trojan gained control over the victim’s computer and replaced the legitimate DLL files of the browser with malicious versions, which in essence allowed SilentFade operators to control the victim’s browser. In this way the malware was able to successfully attack Chrome, Firefox, Internet Explorer, Opera, Edge, Orbitum, Amigo, Touch, Kometa and Yandex Browser.

These malicious DLLs were then used to steal credentials stored in the browser as well as cookies. The hackers used the Facebook session cookies to gain access to the victim’s account, and as a result, they did not need to provide credentials or a 2FA token.

Once access to the user’s account was obtained, the malware used scripts to disable the social network’s security mechanisms. While investigating what was happening, Facebook experts discovered a vulnerability in their own platform, because of which users could not re-enable the deactivated security features.

To prevent users from noticing that someone had compromised their account and was placing ads on their behalf, SilentFade operators used their control over the victim’s browser to open the Facebook settings section and disable:

  • site notifications;
  • chat notification sounds;
  • SMS notifications;
  • any email notifications;
  • page related notifications.

At the same time, the attackers understood that Facebook’s security systems could still detect suspicious activity and logins and inform users about this via private messages. Therefore, the hackers additionally blocked the Facebook for Business and Facebook Login Alerts accounts, from which such warnings could come.

The mentioned Facebook bug was abused by hackers every time the user tried to unblock these accounts, provoking the error and preventing the victim from getting rid of these bans.

“This is the first time we’ve seen malware actively altering notification settings, blocking pages, and exploiting a bug in the blocking subsystem to secure a foothold in a compromised account. However, the exploitation of the notification bug was even a positive development. This allowed us to identify compromised accounts, assess the scale of SilentFade infections and correlate this data with user account abuse, linking it to the malware responsible for the initial compromise of the accounts”, said the researchers.

As a result, in 2019, Facebook engineers fixed the bug, reverted all of the notification blocks the malware had applied, and compensated users whose accounts had been used to buy malicious ads.

But the company’s specialists did not stop there: throughout 2019, they tracked the malware itself and its creators across the Internet. They eventually found a GitHub account hosting many libraries that were clearly used to develop SilentFade.

This account was linked by experts to the Hong Kong-based development company ILikeAd Media International Company Ltd., established in 2016.

As a result, in December 2019, Facebook filed a lawsuit against this company, and the proceedings are still ongoing.

In their report, Facebook experts emphasized that SilentFade is only part of a major trend among cybercriminals. It turned out that many hackers living in China are increasingly targeting the social network and its 2,000,000,000 users. Specifically, Facebook is attacked by such malware as Scranos, FacebookRobot and StressPaint.
