Chinese gang shoots down aerospace security with MSFT flaws

'Panda Emissary' group has an appetite for defence projects


Black Hat 2015 An alleged Chinese advanced hacking group has been found cherry-picking data from high-profile governments and corporations, p0wning many within six hours according to Dell researchers.

The group, codenamed TG-3390 or Panda Emissary, is thought to operate from China and have an appetite for defence-related aerospace projects.

Its techniques mean domain credentials and multiple systems are compromised with six hours of gaining access to an environment.

Watering holes are the group's attack vector of choice, as it likes to compromise websites popular with a target organisation's staff. Doing so gives the gang a beachhead into the target's network.

To date it has popped about 100 sites. Each of these watering holes employs a whitelist to ensure that only staff from a target organisation are attacked in a move that helps maintain stealth.

Researchers say the group, revealed at Black Hat 2015 in Las Vegas this week, is notable in its small-scale data exfiltration and use of custom Microsoft Exchange backdoors.

"The group extensively uses long-running [watering holes], and relies on whitelists to deliver payloads to select victims," Dell's counter-threat unit says .

"After the initial compromise, TG-3390 delivers the HttpBrowser backdoor to its victims. The threat actors then move quickly to compromise Microsoft Exchange servers and to gain complete control of the target environment.

"The threat actors are adept at identifying key data stores and selectively exfiltrating all of the high-value information associated with their goal."

Six hours to p0wnage.

Researchers say they information plucked from targets is specific to projects, and rather than a wholesale en-masse exfiltration, which shores up the argument that the group is hacking for specialist interests.

"CTU researchers have observed the threat group obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base, an interest in U.S. military capability, or both," they say.

Dell did not go as far as to say the group are a hacking-for-hire outfit, however.

They add that other organisations targeted include Middle East, Europe, and Asia embassies based in Washington DC, non-governmental organisations, and government agencies. The outfit exploits old vulnerabilities not yet patched by victims, with Java (CVE-2011-3544, CVE-2010-0738) a favourite, and makes use of DLL side-loading.

It also has access to a criminal development team focused on building hacking tools and is proficient at hiding malware and does not bother with reconnaissance, instead waiting to gain a foothold in target organisations.

"The adversary's end goal is to exfiltrate, not infiltrate. After gaining access to a target network in one intrusion analysed by CTU researchers, TG-3390 actors identified and exfiltrated data for specific projects run by the target organisation."

Five hours to regain access.

Researchers observed the group after being punted from a network attempting to re-gain access through its backdoors and failing that targeting insecure remote access portals.

Given the perils of attribution, Dell acknowledges the group's suspected Chinese origin which includes local working hours, and use of native language tools, could be an elaborate false-flag operation.

Tools used include custom tools OwaAuth web shell and ASPXTool, and popular criminal hacking tools PlugX, HttpBrowser, and ChinaChopper.

Terrified enterprises should use two factor authentication for all remote access, search for logs and particular user agent strings. ®

Similar topics


Other stories you might like

  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading
  • Symbiote Linux malware spotted – and infections are 'very hard to detect'
    Performing live forensics on hijacked machine may not turn anything up, warn researchers

    Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.

    Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.

    The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil. 

    Continue reading
  • Ransomware encrypts files, demands three good deeds to restore data
    Shut up and take ... poor kids to KFC?

    In what is either a creepy, weird spin on Robin Hood or something from a Black Mirror episode, we're told a ransomware gang is encrypting data and then forcing each victim to perform three good deeds before they can download a decryption tool.

    The so-called GoodWill ransomware group, first identified by CloudSEK's threat intel team, doesn't appear to be motivated by money. Instead, it is claimed, they require victims to do things such as donate blankets to homeless people, or take needy kids to Pizza Hut, and then document these activities on social media in photos or videos.

    "As the threat group's name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons," according to a CloudSEK analysis of the gang. 

    Continue reading

Biting the hand that feeds IT © 1998–2022