China-Backed Winnti APT Siphons Reams of US Trade Secrets in Sprawling Cyber-Espionage Attack

Published: 23/11/2024   Category: security




Operation CuckooBees uncovered the state-sponsored group's sophisticated new tactics in a years-long campaign that hit more than 30 tech and manufacturing companies.



China's Winnti cyberthreat group has been quietly stealing immense stores of intellectual property and other sensitive data from manufacturing and technology companies in North America and Asia for years.
That's according to researchers from Cybereason, who estimate that the group has so far stolen hundreds of gigabytes of data from more than 30 global organizations since the cyber-espionage campaign began. Trade secrets are a big part of that, they said, including blueprints, formulas, diagrams, proprietary manufacturing documents, and other business-sensitive information.
In addition, the attackers have harvested details about a target organization's network architecture, user accounts, credentials, customer data, and business units that they could leverage in future attacks, Cybereason says in reports summarizing its investigation this week.
The security vendor said it has shared its findings with the FBI, which back in 2019 had warned of China-based cyberthreat groups engaged in the massive theft of intellectual property from US firms to support the country's Made in China 2025 modernization initiative.
"Global manufacturers are targets of Chinese state-sponsored threat groups," says Assaf Dahan, senior director and head of threat research at Cybereason. "Our research highlights the importance of protecting Internet-facing assets, early detection of scanning activity and exploitation attempts, the ability to detect web shell activity, persistence, reconnaissance attempts by legitimate Windows tools, credential dumping, and lateral movement attempts."
Darren Williams, CEO and founder at BlackFog, says the campaign that Cybereason observed highlights a recent trend involving data theft by cybergangs operating out of China. He says that new research that BlackFog recently conducted found that 20% of all ransomware attacks exfiltrate data to China. There's also been a dramatic rise in attacks targeting the technology, manufacturing, and government sectors, he says.
"We think it's related to the increasing pressure from multiple nations on the manufacturing industry generally and the shift in reliance from Chinese manufacturing," he says. "Then when you look at trade wars China has with countries like Australia, there is a general market shift happening. We think these attacks are in response and even retaliation for many of these moves."
Winnti Stung by CuckooBees
Winnti (aka APT41, Wicked Panda, or Barium) is a threat group that has been active since at least 2010. The group is believed to be working on behalf of, or with the support of, the Chinese government. Some security vendors have described Winnti as an umbrella group comprised of multiple threat actors operating under the control of China's state intelligence agencies. The group has been linked to attacks in 2010 on scores of US firms (including Google and Yahoo). And in 2020, the US government indicted five members of the threat group, although the action did little to stop its activities.
Researchers from Cybereason stumbled upon the threat group's latest campaign when investigating a 2021 intrusion at a $5 billion global manufacturing company with operations in Asia, North America, and Europe, Dahan says, and the company has been gathering evidence on the activity since then.
The researchers dubbed the investigation Operation CuckooBees, because "cuckoo bees are very evasive, and the Winnti group is one of the most elusive hacking groups," Dahan explains.
"Operation CuckooBees was a 12-month investigation focused on Winnti Group's global espionage campaign against defense, aerospace, energy, biotech, and pharmaceutical manufacturers," Dahan says.
New Tools, Rare Abuse of Windows CLFS Mechanism
Cybereason's investigation also revealed fresh aspects of the group's technical approach, including the development of new malware tools (or new versions of its old malware) and sophisticated new techniques for payload delivery and evasion.
The new tools include one called DeployLog, made for deploying the threat group's namesake Winnti kernel-level rootkit. New versions of tools it has used in the past include an initial payload called Spyder Loader; a privilege-escalation tool called PrivateLog; and a tool called StashLog for storing payloads in a hard-to-crack Windows function.
One notable aspect of Winnti group's new campaign, according to Cybereason, is the threat actor's use of a Windows high-performance logging feature called Common Log File System (CLFS) to hide malicious payloads.
"The CLFS mechanism is rather obscure and is still undocumented by Microsoft," Dahan notes. "The attackers used the CLFS mechanism to hide their payloads in a place most security products or practitioners wouldn't look for." He adds that the ability to abuse the mechanism points to the level of sophistication and resources that the threat actors have at their disposal.
"It requires a lot of effort to reverse-engineer this mechanism to abuse it for nefarious purposes," he says.
Dahan says Cybereason has not observed any other threat group abuse the CLFS mechanism to stash payloads in the same manner.
The Evolving Winnti Attack Chain
In its latest campaign, Winnti group threat actors targeted vulnerable Internet-facing servers as a vector for gaining an initial foothold on a target network. In some instances, the attackers gained initial entry on systems by exploiting known vulnerabilities in enterprise resource planning (ERP) platforms.
"To the best of our knowledge, the vulnerabilities that were exploited in the observed attacks have fixes that were issued by the vendor," Dahan says.
Once in, Cybereason observed the attackers adopting what it described as a "house-of-cards" approach to deploying its malicious payloads, where each component of the attack chain depended on the previous one and the other components to function properly. This made it difficult to analyze each malware component in the attack chain separately.
"If, for some reason, one component is missing or gets detected, the entire thing would fall apart," Dahan says.
The approach also added another layer of protection and stealth, because each of the components in the attack chain is not entirely malicious on its own and so would be unlikely to be flagged as malicious by security products, Dahan says. To become malicious, the components in the attack chain must be assembled in a certain order.
"The 'house of cards' approach makes it difficult for security researchers to analyze the payload and the flow of the attack," he explains. "You really have to see the entire attack and collect all the payloads and know how to run them in the exact order in which they were designed to run."
