Cicada 🐞 Chinese sponsored

The hackers, most likely from a well-known group funded by the Chinese government, are outfitted with both off-the-shelf and custom-made tools. One such tool exploits Zerologon (CVE-2020-1472), a flaw in the Netlogon protocol that lets an attacker with network access to an unpatched domain controller reset its machine-account password and take over the domain without any credentials. Cicada, which is widely believed to be funded by the Chinese government, also carries the monikers APT10 and Stone Panda.

Japan-linked organizations need to be on alert, as they are clearly a key target of this sophisticated and well-resourced group; the automotive industry in particular appears to be a focus of this campaign.

The attacks make extensive use of DLL side-loading. In this technique the attacker drops a malicious DLL next to a legitimate, usually digitally signed, executable and gives it the name of a library that the executable imports by name rather than by full path; when the program starts, Windows' DLL search order finds the attacker's file in the application directory first, and the malicious code runs inside a trusted process. Because the host process is legitimate, security software that trusts signed binaries is less likely to flag it.
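The pattern above can be hunted for in image-load telemetry. The following is an added example, not code from the original page or from any vendor: it runs a side-loading heuristic over constructed records shaped like Sysmon Event ID 7 (ImageLoad). Sysmon only records the signature of the loaded file, so the ImageSigner field (the publisher of the loading process) is an assumption here, joined in from a separate inventory of signed executables.

```python
"""Hunt for DLL side-loading candidates in image-load telemetry.

Added example; it is not code from the original page or from any vendor. The
records are constructed to mirror the fields Sysmon Event ID 7 (ImageLoad)
writes for the loaded file: Image (the process), ImageLoaded (the DLL), Signed
and Signature (its publisher). Sysmon does not record who signed the loading
process, so ImageSigner is an assumed extra field, joined in from a separate
inventory of signed executables (for example, Get-AuthenticodeSignature output).
"""
import ntpath

# The OS directory is excluded: it is not writable by ordinary users and its
# loads would swamp the heuristic with noise.
WINDOWS_DIR = "c:\\windows\\"


def _directory(path: str) -> str:
    return ntpath.dirname(path.lower())


def is_sideload_candidate(ev: dict) -> bool:
    """A signed process loads a DLL from its own directory, outside the Windows
    directory, and that DLL is unsigned or signed by a different publisher."""
    exe_dir = _directory(ev["Image"])
    dll_dir = _directory(ev["ImageLoaded"])
    if exe_dir != dll_dir or exe_dir.startswith(WINDOWS_DIR):
        return False
    host_signer = ev.get("ImageSigner")
    if not host_signer:
        return False  # unsigned host process: not the side-loading pattern
    dll_signed = str(ev.get("Signed", "false")).lower() == "true"
    return (not dll_signed) or ev.get("Signature") != host_signer


def hunt(events: list) -> list:
    """Return (process, dll) pairs that match the side-loading pattern."""
    return [(ev["Image"], ev["ImageLoaded"]) for ev in events if is_sideload_candidate(ev)]


# Constructed records (not real telemetry).
SAMPLE_EVENTS = [
    {   # OS binary loading an OS DLL: skipped by the Windows-directory rule
        "Image": "C:\\Windows\\System32\\svchost.exe", "ImageSigner": "Microsoft Windows",
        "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true", "Signature": "Microsoft Windows"},
    {   # vendor app loading its own signed helper: same publisher, benign
        "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageSigner": "Vendor Inc",
        "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "true", "Signature": "Vendor Inc"},
    {   # signed tool copied to a world-writable path, pulling in an unsigned DLL
        "Image": "C:\\Users\\Public\\Libraries\\signed_tool.exe", "ImageSigner": "Microsoft Windows",
        "ImageLoaded": "C:\\Users\\Public\\Libraries\\version.dll", "Signed": "false", "Signature": "-"},
    {   # DLL is signed, but by someone other than the host's publisher
        "Image": "C:\\ProgramData\\update\\app.exe", "ImageSigner": "Vendor Inc",
        "ImageLoaded": "C:\\ProgramData\\update\\helper.dll", "Signed": "true", "Signature": "Unknown Co"},
    {   # vendor app loading a system DLL from System32: different directory
        "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageSigner": "Vendor Inc",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for proc, dll in hunt(SAMPLE_EVENTS):
        print(f"side-loading candidate: {proc} loaded {dll}")
```

This is a hunting heuristic, not a verdict: legitimately unsigned plugins in vendor directories will show up too, so triage the hits by whether the host executable belongs in that path at all (a Microsoft-signed binary under a user-writable directory is the strongest signal).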

Microsoft patched the critical privilege-escalation vulnerability in August 2020, but since then attackers have been using it to compromise organizations that have yet to install the update.
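Patching is the fix, but defenders also want to know whether the flaw was already used against them and which clients are still speaking Netlogon insecurely. The following is an added example, not code from the original page or from Microsoft: it triages constructed Windows event records for the two signals practitioners look for after Zerologon, an ANONYMOUS LOGON resetting a domain controller's machine-account password (Security event 4742) and the Netlogon 5827/5828/5829 events that patched DCs emit for vulnerable connections. The ClientIPAddress field name on the 582x records is an assumption.

```python
"""Triage Windows event records for signs of Zerologon (CVE-2020-1472) activity.

Added example, not code from the original page or from Microsoft. The records
are constructed to mirror two real event shapes, with field names taken from
the EventData XML:
  * Security 4742 "A computer account was changed". A successful exploit
    resets the domain controller's own machine-account password over an
    unauthenticated Netlogon channel, so the subject is ANONYMOUS LOGON
    (SID S-1-5-7) and PasswordLastSet changes.
  * System 5827/5828 (Netlogon denied a vulnerable secure channel connection
    from a machine or trust account) and 5829 (allowed one). Patched DCs emit
    these, so they show which clients still speak Netlogon insecurely.
ClientIPAddress on the 582x records is an assumed field name here.
"""

ANONYMOUS_LOGON_SID = "S-1-5-7"
NETLOGON_DENIED = {5827, 5828}
NETLOGON_ALLOWED = {5829}


def is_anonymous_dc_password_reset(ev: dict, dc_accounts: set) -> bool:
    """4742 in which ANONYMOUS LOGON changed a domain controller's password."""
    return (
        ev.get("EventID") == 4742
        and ev.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
        and ev.get("TargetUserName", "").upper() in dc_accounts
        and ev.get("PasswordLastSet", "-") != "-"   # "-" means attribute unchanged
    )


def triage(events: list, dc_accounts) -> list:
    """Return (severity, message) findings, in event order."""
    dcs = {a.upper() for a in dc_accounts}
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if is_anonymous_dc_password_reset(ev, dcs):
            findings.append(("critical", f"machine password of {ev['TargetUserName']} reset by "
                                         "ANONYMOUS LOGON; assume domain compromise"))
        elif eid in NETLOGON_DENIED:
            findings.append(("high", f"vulnerable Netlogon connection from {ev.get('SamAccountName')} "
                                     f"at {ev.get('ClientIPAddress')} was denied"))
        elif eid in NETLOGON_ALLOWED:
            findings.append(("medium", f"vulnerable Netlogon connection from {ev.get('SamAccountName')} "
                                       f"at {ev.get('ClientIPAddress')} was allowed; fix that client"))
    return findings


# Constructed records (not real logs).
SAMPLE_EVENTS = [
    {   # admin joins a workstation: real subject, password attribute untouched
        "EventID": 4742, "SubjectUserSid": "S-1-5-21-1-2-3-500", "SubjectUserName": "admin",
        "TargetUserName": "WS01$", "PasswordLastSet": "-"},
    {   # DC rotating its own machine password: routine
        "EventID": 4742, "SubjectUserSid": "S-1-5-21-1-2-3-1000", "SubjectUserName": "DC01$",
        "TargetUserName": "DC01$", "PasswordLastSet": "9/14/2020 10:01:40 AM"},
    {   # the Zerologon signature: ANONYMOUS LOGON reset the DC's password
        "EventID": 4742, "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
        "TargetUserName": "DC01$", "PasswordLastSet": "9/14/2020 10:02:11 AM"},
    {   # patched DC refusing an insecure channel from a legacy device
        "EventID": 5827, "SamAccountName": "OLDPRINTER$", "ClientIPAddress": "10.0.5.23"},
    {   # unrelated successful logon
        "EventID": 4624, "TargetUserName": "alice"},
]

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_EVENTS, ["DC01$", "DC02$"]):
        print(f"[{severity}] {message}")
```

The 4742 check only works if success auditing for "Audit Computer Account Management" is enabled on the domain controllers; without it the password reset leaves no Security-log trace, and the 582x events are the only remaining signal.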

Threat Vector

  • The third-stage DLL has an export named “FuckYouAnti”.
  • The third-stage DLL uses the CppHostCLR technique (hosting the .NET runtime from native C++ code) to inject and execute the .NET loader assembly.
  • The .NET loader is obfuscated with ConfuserEx v1.0.0.
  • The final payload is QuasarRAT, an open-source backdoor used by Cicada in the past.

It is difficult to say how, when, or where you will be attacked and compromised, in any geography. Stay safe and secure.

APT Groups in Action against Covid Vaccine Makers

Microsoft revealed that at least three APT groups have targeted seven companies involved in COVID-19 vaccine research and treatments.

Microsoft reported cyberattacks from three nation-state actors against seven prominent companies directly involved in researching vaccines and treatments for COVID-19. The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea and the United States. The attacks came from Strontium, an actor originating from Russia, and two actors originating from North Korea that Microsoft calls Zinc and Cerium.

Microsoft attributed the attacks to the Russia-linked Strontium APT group (aka APT28, Fancy Bear, Pawn Storm, Sofacy Group, and Sednit) and to two North Korea-linked groups tracked as Zinc (aka Lazarus Group) and Cerium.

The groups mainly targeted vaccine makers with COVID-19 vaccines in clinical trials; one target is a clinical research organization running trials, and another has developed a COVID-19 test. Several of the targeted organizations have contracts with, or investments from, government agencies for COVID-19-related work.

Strontium used password spraying (trying a handful of common passwords against many accounts, so that no single account trips a lockout threshold) and brute-force login attempts to break into victim accounts and steal sensitive information.
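The two techniques leave different shapes in authentication logs, and telling them apart matters because lockout policies only catch the second. The following is an added example, not code from the original page or from Microsoft: it runs a sliding-window detector over constructed failed-logon lines that stand in for Windows Security event 4625 records, flagging one source hitting many accounts a few times each (spraying) separately from one source hammering a single account (brute force).

```python
"""Pick password-spraying and brute-force patterns out of failed-logon records.

Added example, not code from the original page or from Microsoft. The log
lines are constructed: each one stands in for a Windows Security event 4625
(failed logon) reduced to a timestamp, the event ID, the source IP, the target
account and the NTSTATUS sub-status (0xC000006A = wrong password,
0xC0000064 = no such user). Real 4625 records carry these as IpAddress,
TargetUserName and SubStatus.
"""
from collections import Counter, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5      # one source, many distinct accounts ...
SPRAY_MAX_PER_ACCOUNT = 3   # ... but few tries each, to stay under lockout thresholds
BRUTE_MIN_ATTEMPTS = 10     # one source hammering a single account

# Constructed sample: a spray across six users, a brute force against one
# account, a lone typo, and one successful logon (4624) that must be ignored.
SAMPLE_LOG = "\n".join(
    [
        "2020-11-13T09:00:01 4625 src=203.0.113.9 user=alice sub=0xC000006A",
        "2020-11-13T09:00:33 4625 src=203.0.113.9 user=bob sub=0xC000006A",
        "2020-11-13T09:01:05 4625 src=203.0.113.9 user=carol sub=0xC000006A",
        "2020-11-13T09:01:37 4625 src=203.0.113.9 user=dave sub=0xC0000064",
        "2020-11-13T09:02:09 4625 src=203.0.113.9 user=erin sub=0xC000006A",
        "2020-11-13T09:02:41 4625 src=203.0.113.9 user=frank sub=0xC000006A",
        "2020-11-13T09:07:00 4625 src=192.0.2.5 user=bob sub=0xC000006A",
        "2020-11-13T09:07:30 4624 src=192.0.2.5 user=bob sub=0x0",
    ]
    + [f"2020-11-13T09:05:{3 * i:02d} 4625 src=198.51.100.7 user=administrator sub=0xC000006A"
       for i in range(12)]
)


def parse(line: str) -> dict:
    """Split 'timestamp event key=value ...' into a record."""
    ts, event_id, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["time"] = datetime.fromisoformat(ts)
    rec["event"] = int(event_id)
    return rec


def detect(lines) -> list:
    """Return sorted (kind, source_ip, detail) findings over a sliding window."""
    records = sorted((parse(line) for line in lines if line.strip()), key=lambda r: r["time"])
    recent = {}   # source ip -> deque of (time, user) failures inside WINDOW
    spray = {}    # source ip -> most distinct accounts seen in one window
    brute = {}    # (source ip, user) -> most failures seen in one window
    for r in records:
        if r["event"] != 4625:
            continue
        q = recent.setdefault(r["src"], deque())
        q.append((r["time"], r["user"]))
        while r["time"] - q[0][0] > WINDOW:   # drop failures older than the window
            q.popleft()
        per_user = Counter(user for _, user in q)
        if per_user[r["user"]] >= BRUTE_MIN_ATTEMPTS:
            key = (r["src"], r["user"])
            brute[key] = max(brute.get(key, 0), per_user[r["user"]])
        if len(per_user) >= SPRAY_MIN_ACCOUNTS and max(per_user.values()) <= SPRAY_MAX_PER_ACCOUNT:
            spray[r["src"]] = max(spray.get(r["src"], 0), len(per_user))
    findings = [("password-spray", src, f"{n} accounts") for src, n in spray.items()]
    findings += [("brute-force", src, f"{user} x{n}") for (src, user), n in brute.items()]
    return sorted(findings)


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind}: {src} ({detail})")
```

Tune the thresholds to the organization's own lockout policy, and do not rely on a 10-minute window alone: a patient sprayer that tries one password per account per hour, or spreads attempts across many source addresses, needs a longer aggregation keyed on the password-attempt pattern rather than the source. A burst of 0xC0000064 sub-statuses from one source is worth its own alert, since it indicates username enumeration rather than password guessing.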

Zinc targeted employees of the affected companies with spear-phishing messages posing as job offers from recruiters.

Cerium also ran COVID-19-themed spear-phishing campaigns, with messages posing as communications from representatives of the World Health Organization.

The targets were located in Canada, France, India, South Korea, and the United States, according to Microsoft.

Microsoft said that the majority of the attacks were blocked by protections built into its products, and that it has notified every organization that was breached.

Unfortunately, these attacks are just the tip of the iceberg: the healthcare industry is a prime target for attackers, who are also trying to take advantage of the ongoing pandemic.

Security measures should be stringent to fend off these attacks, and international law should provide for action against countries that engage in state-sponsored attacks of this kind.

Sophisticated APT attacks in the limelight

Many Advanced Persistent Threat (APT) groups receive guidance and support from established nation-states. Unlike most threat actors, APT attackers pursue their goals for months or even years, with a clear objective in mind.

Sponsored by countries

  • State-sponsored APT groups are organizations that attack another country’s information assets of national-security or economic importance, by means of cyberespionage or cyber sabotage.
  • While China and Russia stand atop the list of nations linked to the most sophisticated state-sponsored hacking groups, the number of government-linked cyberespionage campaigns from other countries has grown in recent years.

Current APT attacks

  • The China-based APT group CactusPete is targeting military and financial organizations in Eastern Europe with a new attack campaign. The group is employing a new variant of the Bisonal backdoor to steal information, move laterally inside a network, and execute code on target machines.
  • The Russian-speaking hacking group RedCurl has conducted 26 corporate espionage attacks since 2018, attempting to steal confidential corporate information from victims in the finance, construction, law, retail, and other sectors.
  • The “Operation Skeleton Key” attacks by the Chinese APT group Chimera hit numerous Taiwanese semiconductor vendors. The hackers are known to abuse Cobalt Strike, a penetration-testing tool, together with a custom skeleton-key implant built by modifying the code of Dumpert and Mimikatz.
  • Fox Kitten (aka Parisite), a group of Iranian government-backed hackers, has been detected attacking private- and government-sector targets in the U.S. The threat actors go after high-end, high-priced network equipment using exploits for newly disclosed vulnerabilities.

The crucial role of global vigilance

From a global standpoint, visibility into these APT groups is improving, which is good news. Thanks to coordinated data sharing worldwide, countries and businesses are aware of the rise in APT activity and are taking it seriously.

The information security community has started collaborating and sharing observed Tactics, Techniques, and Procedures (TTPs). This cooperation is needed to counter the growing threat.