Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    [mc4wp_form id=3515]
    What's Hot

    Name That Toon: Last Line of Defense

    April 16, 2024

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024
    Facebook Twitter Instagram
    • Privacy Policy
    • Contact Us
    Facebook Twitter Instagram Pinterest Vimeo
    AI Home SecurityAI Home Security
    • Home
    • Home Security
    • Cyber Security
    • Biometric Technology
    Contact
    AI Home SecurityAI Home Security
    Home»Cyber Security»Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks
    Cyber Security

    Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks

    justmattgBy justmattgJune 26, 2023No Comments3 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email

    [ad_1]

    Jun 26, 2023Ravie LakshmananCyber Espionage / LotL

    Chinese Hackers

    The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest.

    The findings come from CrowdStrike, which is tracking the adversary under the name Vanguard Panda.

    “The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement,” the cybersecurity company said.

    Volt Typhoon, as known as Bronze Silhouette, is a cyber espionage group from China that’s been linked to network intrusion operations against the U.S government, defense, and other critical infrastructure organizations.

    An analysis of the group’s modus operandi has revealed its emphasis on operational security, carefully using an extensive set of open-source tools against a limited number of victims to carry out long-term malicious acts.

    Cybersecurity

    It has been further described as a threat group that “favors web shells for persistence and relies on short bursts of activity primarily involving living-off-the-land binaries to achieve its objectives.”

    In one unsuccessful incident targeting an unspecified customer, the actor targeted the Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server to trigger the execution of suspicious commands pertaining to process enumeration and network connectivity, among others.

    “Vanguard Panda’s actions indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI,” CrowdStrike said.

    A closer examination of the Tomcat access logs unearthed several HTTP POST requests to /html/promotion/selfsdp.jspx, a web shell that’s camouflaged as the legitimate identity security solution to sidestep detection.

    The web shell is believed to have been deployed nearly six months before the aforementioned hands-on-keyboard activity, indicative of extensive prior recon of the target network.

    While it’s not immediately clear how Vanguard Panda managed to breach the ManageEngine environment, all signs point to the exploitation of CVE-2021-40539, a critical authentication bypass flaw with resultant remote code execution.

    Cybersecurity

    It’s suspected that the threat actor deleted artifacts and tampered with the access logs to obscure the forensic trail. However, in a glaring misstep, the process failed to account for Java source and compiled class files that were generated during the course of the attack, leading to the discovery of more web shells and backdoors.

    This includes a JSP file that’s likely retrieved from an external server and which is designed to backdoor “tomcat-websocket.jar” by making use of an ancillary JAR file called “tomcat-ant.jar” that’s also fetched remotely by means of a web shell, after which cleanup actions are performed to cover up the tracks.

    The trojanized version of tomcat-websocket.jar is fitted with three new Java classes – named A, B, and C – with A.class functioning as another web shell capable of receiving and executing Base64-encoded and AES-encrypted commands.

    “The use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP in use by Vanguard Panda,” CrowdStrike said, noting with moderated confidence that the implant is used to “enable persistent access to high-value targets downselected after the initial access phase of operations using then zero-day vulnerabilities.”

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.



    [ad_2]

    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleNSA Releases Guide to Combat Powerful BlackLotus Bootkit Targeting Windows Systems
    Next Article 3 Steps to Successfully & Ethically Navigate a Data Breach
    justmattg
    • Website

    Related Posts

    Cyber Security

    Name That Toon: Last Line of Defense

    April 16, 2024
    Cyber Security

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024
    Cyber Security

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024
    Add A Comment

    Leave A Reply Cancel Reply

    Demo
    Stay In Touch
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    • YouTube
    • Vimeo
    Don't Miss
    Cyber Security

    Name That Toon: Last Line of Defense

    justmattgApril 16, 2024

    [ad_1] The enemies are always getting closer, using the same advanced technologies as security pros…

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024

    Muddled Libra Shifts Focus to SaaS and Cloud for Extortion and Data Theft Attacks

    April 16, 2024

    Subscribe to Updates

    Get the latest creative news from SmartMag about art & design.

    [mc4wp_form id=3515]
    Demo
    Top Posts

    Name That Toon: Last Line of Defense

    April 16, 2024

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024
    Stay In Touch
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    • YouTube
    • Vimeo
    Latest Reviews
    Cyber Security

    Name That Toon: Last Line of Defense

    justmattgApril 16, 2024

    [ad_1] The enemies are always getting closer, using the same advanced technologies as security pros…

    Cyber Security

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    justmattgApril 16, 2024

    [ad_1] Apr 16, 2024NewsroomSupply Chain / Software Security Security researchers have uncovered a “credible” takeover…

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    [mc4wp_form id=3515]
    Demo
    MOST POPULAR

    Name That Toon: Last Line of Defense

    April 16, 2024

    California mountain lion P-22 left mark on wildlife conservation

    January 1, 2023

    Congress Again Writes To Home Minister Amit Shah Over Rahul Gandhi’s Security

    January 1, 2023
    OUR PICKS

    Name That Toon: Last Line of Defense

    April 16, 2024

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    [mc4wp_form id=3515]
    Facebook Twitter Instagram Pinterest
    • Privacy Policy
    • Contact Us
    AI Home Security © 2025 All rights reserved | Designed By ESmartsSolution

    Type above and press Enter to search. Press Esc to cancel.

    ↑