Operation Cache Panda
A hacking group connected with the Chinese government is believed to have carried out a months-long attack against Taiwan’s financial sector by leveraging a vulnerability in a security software solution used by roughly 80% of all local financial organizations.
The campaign, tracked under the codename Operation Cache Panda, has been attributed to a well-known Chinese cyber-espionage group known in the cybersecurity industry as APT10.
The name of the product that was exploited in the attacks has not been disclosed because of the ongoing law enforcement investigation and because of the efforts to have a patch released and installed across the local financial sector.
The hackers exploited the software vulnerability, but investigators initially saw only a credential stuffing attack, which APT10 used as a cover and as a way to gain access to some trading accounts; those accounts were then used to execute large transactions on the Hong Kong stock market.
In fact, APT10 exploited a vulnerability in the web interface of a security tool, planted a version of the ASPXCSharp web shell, and then used a tool called Impacket to scan the target company’s internal network.
The attackers then used a technique called reflective code loading to run malicious code on local systems and install a version of the Quasar RAT that allowed the attackers persistent remote access to the infected system using reverse RDP tunnels.
What was initially presumed to be two separate waves of cyberattacks was actually one prolonged attack campaign in which the attackers leveraged advanced obfuscation techniques not previously observed.
The goal of the attacks does not appear to have been financial gain but rather the exfiltration of brokerage information and PII data, and the disruption of investment during a period of economic growth for Taiwan.
Chinese cyber-espionage groups have had Taiwan in their sights for years, repeatedly and relentlessly attacking almost all sectors of its local government and economy.