US Federal Agencies Uncover Massive Chinese Hacker Cyber Espionage Spying Campaign

By Nathan Wasson, Hot Hardware

Much of the discussion surrounding cyberwarfare has centered around Russia and Ukraine, in recent months. While it may have been pushed into the background, however, China’s aggressive cyber activity continues apace, whether it rises to the level of warfare or not. Only a month ago, we covered news that Chinese state-sponsored hackers had been deploying malware to steal US intellectual property in an operation that went undetected for years. Just a month before that, we wrote about a Chinese state-sponsored hacking group that had been using VLC Media Player to deploy malware in targeted attacks on foreign governments and NGOs.

Both of these Chinese-backed cyber operations were discovered by private cybersecurity researchers, but US federal agencies have been monitoring Chinese cyber activity as well. This week, the National Security Agency (NSA), Cybersecurity & Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) published a joint cybersecurity advisory detailing ways that Chinese state-sponsored hackers have been compromising network providers and devices in order to snoop on network activity and steal credentials.

According to the advisory, this cyber espionage is widespread and doesn’t solely target large network infrastructure, but also smaller, commercial network devices, like routers and Network Attached Storage (NAS) devices. The Chinese hackers carry out this activity by exploiting known vulnerabilities in network devices. In many cases, the vendors who manufacture these network devices have released patches that fix the vulnerabilities, but network administrators have neglected to update the devices. The following table lists the known network devices vulnerabilities most commonly leveraged by Chinese-backed hackers.

Just two days after US federal agencies published this cybersecurity advisory, independent cybersecurity researchers at Sentinel Labs published details on Aoqin Dragon, a Chinese state-sponsored hacking group. According to the researchers, these hackers have been conducting cyber espionage against Singapore, Hong Kong, Vietnam, Cambodia, and Australia. The researchers traced this activity all the way back to 2013, when Aoqin Dragon used malicious Microsoft Word documents to install backdoors in target systems.

The Chinese hacking group’s tactics have been through multiple changes since 2013. Around 2016, the group moved from malicious Microsoft Word documents to fake antivirus executables. Then, in 2018, Aoqin Dragon shifted to using fake removable devices and is still using that strategy at present. The group uses “RemovableDisc” shortcuts that launch “RemovableDisc.exe.” This executable installs malware that runs on device startup as “Evernote Tray Application.” This malware installs two additional malware payloads. The first payload copies the malware to all removable devices, and the second payload installs a backdoor that communicates with the hackers’ command-and-control (C2) infrastructure.


Comments

Post a Comment

Popular posts from this blog

Why remote desktop tools are facing an onslaught of cyber threats

Image
By Solomon Klappholz, IT Pro Hackers are increasingly targeting remote desktop tools in their attacks, new research reveals, prompting warnings for enterprises globally In the era of hybrid work, remote desktop tools have become vital business enablers, but due to their pervasiveness on corporate networks they have become a popular entry point for cyber criminals. If successfully exploited, remote access tools can provide hackers with a direct pathway into a system or network, and once access is gained attackers can move laterally within the network, escalating privileges and maintaining persistence. In an investigation into which remote desktop tools are targeted the most, Jonathan Tanner, senior security researcher at Barracuda Networks, explained that remote desktop software poses a particular challenge to IT teams to secure. “Among the security challenges facing IT teams implementing remote desktop software is that there are many different tools available, each using different and ...
Read more

Ransomware gang starts leaking alleged stolen Change Healthcare data

Image
By Lawrence Abrams,  Bleeping Computer The RansomHub extortion gang has begun leaking what they claim is corporate and patient data stolen from United Health subsidiary Change Healthcare in what has been a long and convoluted extortion process for the company. In February, Change Healthcare suffered a cyberattack that caused massive disruption to the US healthcare system , preventing pharmacies and doctors from billing or sending claims to insurance companies. The attack was ultimately linked to the BlackCat / ALPHV ransomware operation, who later said they stole 6 TB of data during the attack . After facing increased pressure from law enforcement, the BlackCat gang shut down their operation . This occurred amid claims they were pulling an exit scam by stealing a $22 million Change Healthcare ransom payment from the affiliate who conducted the attack. While Change Healthcare has declined to comment on whether it has paid a ransom, the affiliate known as "Notchy" said they ...
Read more

Notepad++ wants your help in "parasite website" shutdown

Image
By Ax Sharma,  Bleeping Computer The Notepad++ project is seeking the public's help in taking down a copycat website that closely impersonates Notepad++ but is not affiliated with the project. Although, at the time of writing, the lookalike website takes visitors to the official Notepad++ downloads page, there is some concern that it could pose security threats—for example, if it starts pushing malicious releases or spam someday either deliberately or as a result of a hijack. The lookalike website appears prominently in search results
Read more