Katarzyna Celińska

FBI Insights into Pacific Rim Malware Campaigns

The FBI has called on the public for assistance in identifying individuals behind an extensive campaign targeting edge devices and networks across industries and governments. The campaign leverages malware to exploit vulnerabilities, exfiltrate sensitive data, and maintain persistent access, impacting critical infrastructure worldwide.


This operation highlights the sophisticated and persistent tactics used by APT groups linked to Chinese state-sponsored actors such as APT31, APT41, and Volt Typhoon. Here is what you need to know:


  • Key Findings


- Exploitation of Edge Devices: Attackers target firewalls and other edge devices, exploiting vulnerabilities such as CVE-2020-12271 and CVE-2020-15069, among others.

- Targeted Industries: Victims include critical infrastructure sectors—nuclear energy suppliers, government ministries, healthcare, and defense, predominantly in South and Southeast Asia.

- Evolving Tactics: Earlier widespread attacks have shifted to highly targeted operations since 2021, focusing on critical sectors with “hands-on-keyboard” strategies.


  • Techniques Observed


Disabling Event Logging (T1562.002):

- Attackers disable logging on the compromised device to mask malicious activity, so a device that suddenly stops reporting is itself a signal worth alerting on.

- Example: the Pygmy Goat backdoor, a sophisticated implant used for persistent remote access to compromised devices.





Exploitation of Vulnerabilities:

Attackers exploit zero-day vulnerabilities, later transitioning to precise attacks with known exploits.


Rootkits:

Deployment of rootkits like libsophos.so, enabling backdoor access while blending into normal network activity.


Operational Relay Boxes:

Edge devices repurposed as proxies to obscure attack origins and facilitate onward targeting.


  • Threat Actor Profile


- University Ties: Many of the exploits were traced to researchers from the University of Electronic Science and Technology of China, with findings later shared with state-sponsored groups.

- Assembly Line of Exploits: Exploit development in educational institutions, passed to frontline APT actors, reflects systemic sharing as mandated by China’s vulnerability disclosure laws.


  • Defense Recommendations


Patch Management:

Regularly update systems to address vulnerabilities, especially those in edge devices and firewalls.


Event Logging:

Forward logs off the device to a central collector as soon as they are generated, so that disabling logging on a compromised edge device (T1562.002) leaves a visible gap rather than a silent blind spot. Store the forwarded records in tamper-evident form and monitor them centrally for better detection and analysis.
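The following is an added example, not code from the original post or from the Pacific Rim report, showing the two checks a central collector would run to catch the technique described above (T1562.002) and to make forwarded logs tamper-evident: (1) per-device silence-gap detection against an expected heartbeat interval, plus keyword matching for explicit logging-configuration changes, and (2) a SHA-256 hash chain over the stored records so that any edited or deleted record breaks verification. The hostnames, timestamps, message text and the 5-minute heartbeat interval are constructed assumptions for this example.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: syslog-style lines as forwarded from two edge devices to a
# central collector. Hostnames, times and messages are made up for this example.
SAMPLE_LOG = """\
2024-11-01T08:00:00Z fw-branch-01 kernel: heartbeat ok
2024-11-01T08:05:00Z fw-branch-01 kernel: heartbeat ok
2024-11-01T08:10:00Z fw-branch-01 kernel: heartbeat ok
2024-11-01T08:00:00Z fw-dc-02 kernel: heartbeat ok
2024-11-01T08:05:00Z fw-dc-02 kernel: heartbeat ok
2024-11-01T08:06:30Z fw-dc-02 sshd: Accepted publickey for admin from 198.51.100.7
2024-11-01T08:07:10Z fw-dc-02 logd: logging configuration changed: remote syslog disabled
2024-11-01T09:30:00Z fw-dc-02 kernel: heartbeat ok
"""

HEARTBEAT_INTERVAL = timedelta(minutes=5)          # assumed device heartbeat cadence
MAX_SILENCE = 3 * HEARTBEAT_INTERVAL               # alert once two heartbeats are missed

# Messages that indicate someone changed or disabled logging on the device itself.
LOG_TAMPER_PATTERNS = re.compile(
    r"logging configuration changed|syslog disabled|audit\w* (disabled|stopped|cleared)",
    re.IGNORECASE,
)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")   # "<timestamp> <host> <message>"


@dataclass
class Event:
    ts: datetime
    host: str
    msg: str


@dataclass
class Gap:
    host: str
    start: datetime
    end: datetime
    seconds: int


def parse_log(text):
    """Parse forwarded syslog lines into Event records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m.group(2), m.group(3)))
    return events


def find_silence_gaps(events, max_silence):
    """Flag every device whose consecutive records are further apart than max_silence."""
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    gaps = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            delta = cur.ts - prev.ts
            if delta > max_silence:
                gaps.append(Gap(host, prev.ts, cur.ts, int(delta.total_seconds())))
    return gaps


def find_logging_changes(events):
    """Return events whose message shows logging being reconfigured or disabled."""
    return [e for e in events if LOG_TAMPER_PATTERNS.search(e.msg)]


GENESIS = "0" * 64


def build_chain(lines):
    """Append-only hash chain: record i stores (line, SHA-256(hash_{i-1} || line))."""
    chain, prev = [], GENESIS
    for line in lines:
        h = hashlib.sha256((prev + line).encode()).hexdigest()
        chain.append((line, h))
        prev = h
    return chain


def verify_chain(chain):
    """Return -1 if every link verifies, else the index of the first broken record."""
    prev = GENESIS
    for i, (line, h) in enumerate(chain):
        if hashlib.sha256((prev + line).encode()).hexdigest() != h:
            return i
        prev = h
    return -1


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for g in find_silence_gaps(events, MAX_SILENCE):
        print(f"ALERT silence: {g.host} sent nothing for {g.seconds}s ({g.start} -> {g.end})")
    for e in find_logging_changes(events):
        print(f"ALERT log tamper: {e.host} at {e.ts}: {e.msg}")
    chain = build_chain(SAMPLE_LOG.splitlines())
    print("stored chain verifies:", verify_chain(chain) == -1)
    # Simulate an attacker editing the stored record that reveals the logging change.
    chain[6] = (chain[6][0].replace("disabled", "enabled"), chain[6][1])
    print("first broken record after edit:", verify_chain(chain))
```

Silence-gap detection is the check that matters most for T1562.002: once logging is disabled on the device, no further "log disabled" message will ever arrive, so the collector has to alert on absence, not on content. The hash chain only protects records that already reached the collector; pair it with write-once storage or a signed checkpoint of the latest hash so the collector itself is not a single point of rewrite.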


Network Segmentation:

Isolate edge devices from critical internal systems to limit lateral movement.


Monitoring:

Use sandboxing and intrusion detection systems to monitor unusual behavior in real time, including outbound connections initiated by edge devices themselves, which is what repurposed operational relay boxes produce.


Collaboration and Threat Intelligence Sharing:

Work with national and global security organizations to stay informed of emerging threats.



META FOR MENA Information Technology Consultants Est.

City Avenue, 7th floor, office 706-0114

2 27 Street, Port Saeed, Deira, Dubai, United Arab Emirates
P.O. BOX: 40138
Licence N.O.: 1049080

Privacy policy

  • Facebook
  • Twitter
  • LinkedIn
  • Instagram
bottom of page