China's BlackFly Targets Materials Sector in Relentless Quest for IP

Published: 23/11/2024   Category: security




Separate attacks on two subsidiaries of an Asian conglomerate reflect a surge of cyber-espionage activity in the region in the last 12 months.



China's Blackfly advanced persistent threat (APT) group recently hit two subsidiaries of an Asian conglomerate in the materials and composites sector. Researchers say the attacks are part of a broader, relentless campaign against various sectors in the region aimed at stealing intellectual property (IP).
According to a blog post published today by researchers at Symantec (part of Broadcom Software), the latest activity from Blackfly (aka APT41, Winnti Group, or Bronze Atlas) occurred late last year and early this year, and it shows the group relying more on open source tools than on its usual trove of custom malware. The same trend is visible in other threat groups targeting the region, which has been a hotbed of activity. Last week, for instance, Symantec researchers revealed a new threat group, dubbed Hydrochasma, targeting Asia-based organizations associated with COVID-19 treatments and vaccines in an intelligence-gathering operation that relied solely on open source and commodity malware and tools.
Dick O'Brien, principal intelligence analyst at Symantec's Threat Hunter team, tells Dark Reading that this puts Blackfly's incursions in context. "This investigation is a small piece of the jigsaw," he says. "The bigger picture is that there seems to be a fairly relentless intelligence operation underway on multiple fronts."
The open source tools tactic helps attackers avoid detection, which in the case of Blackfly, whose members have already been indicted by the US government, would be an attractive proposition, O'Brien says.
"This shift toward open source tools is something we've seen a lot of attackers doing," he tells Dark Reading. "It makes attacks more difficult to attribute."
Blackfly is one of the longest-known threat groups operating out of China. The group originally earned notoriety by attacking the gaming industry, but has evolved to target a diverse range of organizations and sectors, including industrial control systems, semiconductor, telecommunications, pharmaceutical, media and advertising, hospitality, and more, the researchers said.
Different research groups track the APT under different monikers. In fact, some use the umbrella label APT41 to denote not just Blackfly but also another China-backed APT known as Grayfly, because the two groups are so closely associated. In 2020, the US government indicted seven men on charges relating to hundreds of cyberattacks carried out by both groups; the indictment highlighted the link between them by identifying two Chinese nationals alleged to have worked with both, the researchers said.
As security experts had already predicted, the public attention from that indictment has apparently done nothing to deter APT41, which continues its onslaught in an attempt to steal IP from multiple business sectors, O'Brien says.
Blackfly and a number of its peers have been highly active over the past 12 months, he says.
While the latest attacks continue the patterns researchers have seen from Blackfly in recent years, one new aspect is the use of open source tools, which haven't been a hallmark of previous activity, O'Brien says.
Early Blackfly attacks were distinguished by the use of the PlugX/Fast/Korplug, Winnti/Pasteboy, and ShadowPad malware families. The Winnti backdoor and other custom tools were again used in the recent spate of attacks (for taking screenshots, dumping credentials, querying SQL databases, and configuring proxies), but Blackfly also used, for the first time, an open source proof-of-concept (PoC) tool called ForkPlayground to create a memory dump of an arbitrary process, along with the publicly available credential-dumping tool Mimikatz.
"While the group's technical sophistication has remained consistent, there's been a regular refreshing of its toolset, no doubt in a bid to stay ahead of detection," O'Brien notes.
Symantec advises a defense-in-depth strategy and the adoption of multifactor authentication (MFA) across the enterprise network to help avoid compromise by Blackfly and other APTs bent on stealing IP. This entails using multiple detection, protection, and hardening technologies to mitigate risk at each point of the potential attack chain, O'Brien says.
Organizations should also monitor the use of dual-use tools inside the enterprise network, ensure that the latest version of PowerShell is deployed with logging enabled, and only allow Remote Desktop Protocol (RDP) connections from specific known IP addresses, he adds.
Proper auditing and control of administrative account usage can also help organizations avoid attacks, as can a policy of one-time credentials for administrative work on the network, to help prevent theft and misuse of admin credentials, O'Brien says.
"We'd also suggest creating profiles of usage for admin tools," he adds. "Many of these tools are used by attackers to move laterally undetected through a network."
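Detection logic for the recommendations above (monitoring dual-use tools such as Mimikatz and arbitrary-process memory dumpers, and allowing RDP only from known addresses), as an added example that is not Symantec's or Dark Reading's code. It assumes Sysmon-style event fields (EventID 1 with CommandLine; EventID 10 with SourceImage, TargetImage and GrantedAccess) and Windows Security event 4624 with LogonType 10 for RDP logons. The event lines, the allowlisted network 10.20.0.0/24, and the allowlisted EDR binary are constructed for the example and would come from a SIEM export in practice.

```python
"""Added example (not the page's or Symantec's code): flag dual-use tool
activity and RDP logons from unknown sources in Sysmon/Security-style
JSON event lines. All sample events and allowlists are constructed."""
import ipaddress
import json
import re
from typing import Iterable, List, Optional, Tuple

# Command-line fragments characteristic of Mimikatz (module::command syntax).
# Assumption: the binary may be renamed, so match arguments, not the image name.
MIMIKATZ_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"sekurlsa::", r"lsadump::", r"privilege::debug", r"kerberos::", r"\bmimikatz\b")
]

# Sysmon EventID 10 GrantedAccess bit that lets a process read LSASS memory.
PROCESS_VM_READ = 0x0010

# "Specific known IP addresses" allowed to reach RDP (constructed allowlist).
RDP_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("10.20.1.5/32")]

# Processes expected to open LSASS with read access (e.g. EDR); constructed.
LSASS_ACCESS_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}


def _is_allowed_source(ip: str) -> bool:
    """True if ip parses and falls inside one of the RDP allowlist networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RDP_ALLOWLIST)


def classify(event: dict) -> Optional[str]:
    """Return an alert name for a suspicious event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 1:  # process creation: inspect the command line
        cmd = event.get("CommandLine", "")
        if any(p.search(cmd) for p in MIMIKATZ_PATTERNS):
            return "credential_dump_tool"
        # procdump-style "-ma" or a MiniDump argument aimed at lsass
        if "lsass" in cmd.lower() and re.search(r"\s-ma\b|minidump", cmd, re.IGNORECASE):
            return "lsass_dump_cmdline"
    elif eid == 10:  # process access: who opened LSASS, and with what rights
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "").lower()
        access = int(event.get("GrantedAccess", "0"), 16)
        if (target.endswith(r"\lsass.exe") and access & PROCESS_VM_READ
                and source not in LSASS_ACCESS_ALLOWLIST):
            return "lsass_memory_read"
    elif eid == 4624 and event.get("LogonType") == 10:  # interactive RDP logon
        if not _is_allowed_source(event.get("IpAddress", "")):
            return "rdp_from_unknown_ip"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run classify() over JSON event lines; return (alert, host) pairs in order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        alert = classify(ev)
        if alert:
            alerts.append((alert, ev.get("Computer", "?")))
    return alerts


# Constructed sample telemetry (not real events). Backslashes are JSON-escaped.
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "WS01", "CommandLine": "C:\\Windows\\Temp\\m.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"}
{"EventID": 1, "Computer": "WS01", "CommandLine": "powershell.exe -c Get-Process lsass"}
{"EventID": 10, "Computer": "WS02", "SourceImage": "C:\\Users\\a\\dumper.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "Computer": "WS02", "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 4624, "Computer": "SRV01", "LogonType": 10, "IpAddress": "10.20.0.77"}
{"EventID": 4624, "Computer": "SRV01", "LogonType": 10, "IpAddress": "203.0.113.9"}
"""

if __name__ == "__main__":
    for alert, host in scan(SAMPLE_LOG.splitlines()):
        print(f"{host}: {alert}")
```

The Get-Process line and the Defender access are deliberately left unflagged: matching on the Mimikatz argument syntax rather than the image name survives a renamed binary, while the source-image allowlist keeps a legitimate EDR from drowning the LSASS-read rule in noise. Usage profiles for admin tools, as suggested above, would extend the same structure with per-host baselines of which accounts normally run which binaries.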
