China's Velvet Ant APT Nests Inside Multiyear Espionage Effort

Published: 23/11/2024   Category: security




The campaign is especially notable for the remarkable lengths to which the threat actor went to maintain persistence on the target environment.



Researchers have uncovered a quiet multiyear campaign by China's Velvet Ant cyber-espionage group to steal critical data from a large company in East Asia.
What makes the campaign noteworthy is the extent to which the threat actor managed to maintain persistence on the victim's network despite repeated eradication attempts.
Researchers from Sygnia, who finally booted the threat actor out of the organization's environment, attributed at least part of Velvet Ant's persistence to its success at finding and infecting numerous legacy and unmonitored systems on the target network.
"The threat actor achieved remarkable persistence by establishing and maintaining multiple footholds within the victim company's environment," Sygnia said in a report released today. "Even after one foothold was discovered and remediated, the threat actor swiftly pivoted to another, demonstrating agility and adaptability in evading detection."
Sygnia discovered the intrusion at a customer location in late 2023. The security vendor's investigation showed the threat actor had likely gained access to the victim environment some three years previously and had remained undetected using multiple persistence and defense evasion mechanisms.
After identifying what they thought were all the attack sources, vectors and tools, Sygnia researchers initiated measures to eradicate Velvet Ant and associated artifacts from the victim's network and systems. But far from being shut out, Velvet Ant quickly resurfaced on the victim network just a few days later, this time via malware the group had previously planted as a Plan B on legacy systems in the target environment.
Sygnia's investigation showed the threat actor had installed the highly modular (and once widely popular) PlugX remote access Trojan on some legacy Windows Server 2003 systems.
From those infected systems, Velvet Ant actors moved laterally to newer Windows systems by first tampering with their endpoint detection and response (EDR) protections and then installing PlugX on those, too. Once Velvet Ant gained access to targeted systems, the threat actor leveraged a commonly used open source penetration testing and exploit development tool called Impacket to laterally transfer more malware tools and to execute arbitrary commands on the compromised hosts. For remote command execution, the attackers used Impacket's wmiexec.py, a Windows Management Instrumentation (WMI) tool.
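One way a defender can hunt for the wmiexec.py lateral movement described above is to look for process-creation events whose parent is the WMI provider host and whose command line redirects output to a temporary file on the ADMIN$ share, which is how wmiexec.py collects command output. The following detection is an added example, not code from Sygnia or the report; the log format (`host|parent|cmdline`) and the sample lines are constructed.

```python
"""Flag process-creation events shaped like Impacket's wmiexec.py.

Added detection example (not from the report). wmiexec.py runs each command
via WMI Win32_Process.Create as:
    cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<epoch> 2>&1
so the child process has WmiPrvSE.exe as its parent and its output is
redirected to a temp file on the ADMIN$ share. Both traits are checked.
"""
import re
from dataclasses import dataclass

WMIEXEC_REDIRECT = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?\s+2>&1",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    host: str
    parent: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse a constructed 'host|parent|cmdline' log line."""
    host, parent, cmdline = line.split("|", 2)
    return ProcEvent(host.strip(), parent.strip(), cmdline.strip())


def is_wmiexec(ev: ProcEvent) -> bool:
    """True when parent is WmiPrvSE.exe and output goes to ADMIN$\\__<ts>."""
    parent_is_wmi = ev.parent.lower().endswith("wmiprvse.exe")
    return parent_is_wmi and WMIEXEC_REDIRECT.search(ev.cmdline) is not None


def find_wmiexec_hosts(lines):
    """Return the sorted set of hosts with at least one matching event."""
    return sorted({ev.host for ev in map(parse_event, lines) if is_wmiexec(ev)})


SAMPLE_LOG = [  # constructed sample telemetry, not real data
    r"SRV-LEGACY01|C:\Windows\System32\wbem\WmiPrvSE.exe|cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.123 2>&1",
    r"WS-042|C:\Windows\explorer.exe|cmd.exe /c dir",
    r"SRV-FILE02|C:\Windows\System32\wbem\WmiPrvSE.exe|cmd.exe /Q /c net user 1> \\127.0.0.1\ADMIN$\__1700000042.5 2>&1",
    r"WS-043|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\wbem\wmiprvse.exe -secured -Embedding",
]

if __name__ == "__main__":
    print(find_wmiexec_hosts(SAMPLE_LOG))  # ['SRV-FILE02', 'SRV-LEGACY01']
```

Legitimate WMI-spawned children (the fourth sample line) do not match because they lack the ADMIN$ output redirection, which keeps the rule narrow enough to run over Sysmon or EDR process telemetry without flooding analysts.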
As part of the second-round threat eradication process, Sygnia's team worked with the victim organization to re-image dozens of compromised systems and to decommission many (but not all) legacy systems. In all, Sygnia's researchers identified hundreds of indicators of compromise (IoCs).
But once again, as with the first time, just a few days later, Sygnia observed fresh signs of Velvet Ant activity in the form of new PlugX-infected hosts on the organization's network. This time around, however, the researchers could find no signs of the PlugX-infected hosts communicating with an external command-and-control (C2) server, leaving them to wonder how the threat actor might be communicating with the systems. A subsequent investigation showed Velvet Ant had previously configured a legacy file server to work as an internal C2 server for compromised hosts on the network.
"This meant that the threat actor deployed two versions of PlugX within the network. The first version, configured with an external C2 server, was installed on endpoints with direct internet access, facilitating the exfiltration of sensitive information," according to the Sygnia report. "The second version did not have a C2 configuration, and was deployed exclusively on legacy servers."
To access the internal C2 server, the threat actors were using backdoors and other malicious binaries they had previously installed on two unmonitored legacy F5 Big-IP load-balancing systems that were not supposed to be operational on the production network. An internal team had deployed the F5 appliances as part of a disaster recovery project that was never completed, and as a result, they were running outdated and vulnerable OS versions.
"Their operation was objective-oriented," says a researcher spokesperson from Sygnia. "Therefore, they did not spread throughout the victim's entire network but accessed only specific servers and workstations which were required [for] technical reconnaissance at the application and network level."
As part of its strategy to achieve this goal, the threat actor created several strongholds in different locations on the target organization's network. Some of them were dormant and were utilized only as a fallback in case the activity in another network location was detected. "In addition, the threat actor actively tampered with the installed EDR environment by disabling it and by remotely deleting locally saved logs," the Sygnia researcher says.
Among the several steps that the security vendor recommends organizations take to mitigate exposure to APT and nation-state actors is decommissioning and replacing legacy systems. State-sponsored actors often use infrequently monitored legacy network devices and systems to hide and to persist.
"This is due to lack of auditing and partial support of EDR products or logging implementations," the researcher says. "Threat actors can be very creative. It is important to make sure that every observed abnormal activity can be explained and verified in a reasonable manner."
