New APT Alert: Chinese-Linked Hackers Target South China Sea Countries
Source: Researchers Warn of Chinese-Aligned Hackers Targeting South China Sea Countries (thehackernews.com)
Cybersecurity researchers have unmasked a previously undocumented threat group tracked as Unfading Sea Haze. Active since 2018, the group has focused on high-level organizations in countries bordering the South China Sea, and its victim list spans military, government, and political entities. According to Bitdefender's analysis, the group appears to be aligned with Chinese state interests, which makes it part of a broader trend in the proliferation of state-backed cyber espionage. To date, Unfading Sea Haze has been linked to eight victims, and its intrusions consistently exploit two weaknesses: poor credential hygiene and inadequate patching.
Specific tactics used by the group include multiple custom iterations of the Gh0st RAT malware, a family long associated with other Chinese-speaking threat actors. Its use points not only to how widely the tool has spread but, more worryingly, to possible tool sharing between Unfading Sea Haze and other Chinese threat actors, potentially with the backing of the Chinese state. Beyond preexisting malware, the group also uses more sophisticated techniques, including a tool called SharpJSHandler that loads and runs JScript code. That tool resembles tooling attributed to APT41, another Chinese state-backed group known for mixing espionage with financially motivated cybercrime. A further sign of the breadth of Unfading Sea Haze's tactics, techniques, and procedures is its incorporation of commercially sold Remote Monitoring and Management (RMM) tools such as ITarian RMM. Blending off-the-shelf and custom tooling gives the group a modular attack chain and helps its activity pass as legitimate administration, and the overall maturity of the toolset suggests considerable state support went into building the group's capabilities.
Looking at Unfading Sea Haze's attack methodology, an intrusion typically begins with spear-phishing emails crafted to socially engineer users at varying levels of the target's hierarchy into opening booby-trapped archives. The archives contain Windows shortcut (LNK) files that kick off the infection chain. The chain ultimately deploys a backdoor called SerialPktdoor, which grants the attackers considerable access to infected machines, allowing them to execute scripts, manipulate files, and maintain persistence. That persistence lets them remain a threat long after the initial compromise is complete, and the group's use of such stealthy methods undoubtedly played a role in its ability to stay under the radar for over five years after its first observed attacks in 2018. Other custom tools the group uses to collect data from victims include variants of Gh0st RAT, the Ps2dllLoader loader, and a keylogger called xkeylog, a broad and capable arsenal that can do serious damage to unprepared victims.
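The archive-plus-shortcut lure described above is worth catching before a user double-clicks it. The following is an added example written for this page, not code from Bitdefender or from the original article: it unpacks a ZIP in memory, parses each .lnk member according to the MS-SHLLINK header and StringData layout, and flags shortcuts whose target or arguments invoke a command interpreter or other living-off-the-land binary. The sample archive, the shortcut it contains, and the watch-list of binaries are all constructed here for demonstration and are not indicators from the report.

```python
"""Scan a ZIP archive for Windows shortcut (.lnk) files and report what each
one would launch. Added example for this page (not Bitdefender's or the
article's code); the LNK parser follows the MS-SHLLINK ShellLinkHeader and
StringData layout, and every sample below is a constructed fixture."""
import io
import re
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Constructed watch-list: binaries a document shortcut has no business launching.
SUSPICIOUS = re.compile(
    r"\b(cmd|powershell|pwsh|mshta|wscript|cscript|msbuild|rundll32|regsvr32|certutil)(\.exe)?\b",
    re.IGNORECASE,
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (and ShowCommand) of a .lnk file as a dict."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) then the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    # StringData entries appear in this fixed order, each only if its flag is set:
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def build_lnk(relative_path: str, arguments: str = "", show_command: int = 1) -> bytes:
    """Assemble a minimal Unicode shortcut. Constructed fixture for testing the parser."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(relative_path)
    if arguments:
        body += string_data(arguments)
    return header + body


def scan_archive(zip_bytes: bytes) -> list:
    """Return one finding per .lnk member: what it launches and whether that looks hostile."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                fields = parse_lnk(zf.read(info))
            except ValueError as exc:
                # A file named .lnk that is not a shell link is itself worth a look.
                findings.append({"member": info.filename, "error": str(exc), "suspicious": True})
                continue
            launch = f"{fields.get('relative_path', '')} {fields.get('arguments', '')}".strip()
            findings.append({
                "member": info.filename,
                "launch": launch,
                "show_command": fields["show_command"],
                "suspicious": bool(SUSPICIOUS.search(launch)),
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure: a decoy document, a double-extension shortcut that opens the
    decoy and then runs a hidden PowerShell stage, and a benign shortcut for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Meeting agenda.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Meeting agenda.pdf.lnk", build_lnk(
            r"..\..\..\Windows\System32\cmd.exe",
            r'/c start "" "Meeting agenda.pdf" & powershell -w hidden -c "iex (gc stage.txt)"',
            show_command=7))  # SW_SHOWMINNOACTIVE keeps the console off-screen
        zf.writestr("Readme.lnk", build_lnk(r"..\Docs\readme.txt"))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```

Running the block prints two findings: the double-extension shortcut is flagged because its launch line resolves to cmd.exe with a hidden PowerShell stage, while the plain document shortcut is not. In production the same parser would run on mail-gateway or EDR quarantine output, and the watch-list would be tuned to the binaries your estate actually expects shortcuts to launch.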
Ultimately, the mature TTPs of Unfading Sea Haze, together with the depth of tooling available to the group, serve as a potent reminder of how dangerous the current threat landscape has become. Even more worrying is the likelihood that other APTs remain undiscovered today, just as this group stayed under the radar from 2018 until recently. Its existence, alongside similar APTs, should be a wake-up call for the global cybersecurity community and a key driver of security innovation aimed at blunting such threats.
For a more detailed analysis, please examine the source article at The Hacker News.