Chinese APTs Cash In on Years of Edge Device Attacks

Published: 23/11/2024   Category: security




The sophisticated Chinese cyberattacks of today rest on important groundwork laid during the pandemic and before.



Chinese threat actors are operating at a higher level today than ever before, thanks to years of trial-and-error-style attacks against mass numbers of edge devices.
Networking devices are a known favorite of China's advanced persistent threats (APTs), and why wouldn't they be? Sitting at the edge of an enterprise network, they not only give threat actors a way in, they also double as useful nodes for botnets. They offer opportunities for lateral movement, they often store sensitive data (credentials, configurations, traffic), and network defenders have a harder time seeing into and securing them than they do other kinds of network computers, because they rarely accept EDR agents and their logs seldom reach the SIEM.
Over time, Chinese APTs have been improving on their edge attack capabilities. Since 2018, Sophos has traced a distinct evolution in tactics: from naive, low-level attacks came more sophisticated campaigns against massive numbers of devices, followed by a period of more targeted attacks against specific organizations.
On Dec. 4, 2018, Sophos analysts discovered a suspicious device running network scans against Cyberoam, a Sophos subsidiary based in India. In some ways the attack was run of the mill, using commodity malware and common living-off-the-land (LotL) tactics.
Other evidence, though, suggested that this was something different. For example, the attacker utilized a novel technique to pivot from on-premises devices to the cloud, via an overly permissive identity and access management (IAM) configuration to the Amazon Web Services Systems Manager (AWS SM).
"AWS SM was quite a new technology, and it was quite a subtle misconfiguration," Sophos chief information security officer (CISO) Ross McKerchar recalls. "That was one of the first indicators that we were up against an interesting adversary."
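The page does not say what the permissive IAM configuration looked like, so the following is an added illustration rather than a reconstruction of the Cyberoam incident. It assumes the pattern a practitioner most often finds: a role that an on-premises host can assume is allowed the SSM actions that execute code on managed instances (`ssm:SendCommand`, `ssm:StartSession`) on every resource, with no condition narrowing which instances. The audit function below flags such statements and is run over two constructed policies, one broad and one scoped to a single run document and a tag-selected set of instances. Policy contents, account ID, region and tag names are all made up.

```python
"""Flag IAM statements that let a caller run commands on any SSM-managed
instance.  Added example; the policies are constructed for illustration
and are not taken from the Sophos/Cyberoam case."""
import fnmatch

# SSM actions that execute code or open a shell on a managed instance.
REMOTE_EXEC_ACTIONS = {"ssm:SendCommand", "ssm:StartSession"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action names are case-insensitive and accept '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_broad_ssm_grants(policy):
    """Return one finding per Allow statement that grants a remote-exec
    SSM action on "*" or on an ARN ending in "/*" with no Condition."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        granted = sorted(a for a in REMOTE_EXEC_ACTIONS
                         if any(_matches(p, a) for p in patterns))
        if not granted:
            continue
        resources = _as_list(stmt.get("Resource", []))
        # "*" or ".../instance/*" reaches every managed node in scope;
        # a Condition (e.g. on ssm:resourceTag/...) is what narrows it.
        unscoped = [r for r in resources if r == "*" or r.endswith("/*")]
        if unscoped and not stmt.get("Condition"):
            findings.append({"statement": idx, "actions": granted,
                             "resources": unscoped})
    return findings


# Constructed sample policies (hypothetical account, region and tag).
OVERLY_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:*", "Resource": "*"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Only the one run document this role is meant to use.
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": "arn:aws:ssm:us-east-1::document/AWS-RunShellScript",
        },
        {   # Only instances carrying the tag, in one account and region.
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {"StringEquals": {"ssm:resourceTag/Role": "web"}},
        },
    ],
}


if __name__ == "__main__":
    for name, pol in (("permissive", OVERLY_PERMISSIVE_POLICY),
                      ("scoped", SCOPED_POLICY)):
        print(name, find_broad_ssm_grants(pol))
```

The scoped policy still lets the role run a shell script, but only through the named document and only on instances tagged `Role=web`; a foothold on the edge device then cannot be turned into command execution across the whole fleet. The same check is worth running over every policy attached to roles that on-premises or edge hosts can assume.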
Later, the attackers deployed a novel rootkit called Cloud Snooper. Cloud Snooper was so stealthy that two third-party consultancies missed it in their analysis before Sophos eventually picked up on its presence.
The goal of the attack, it seemed, was to collect information useful for future attacks against edge devices. It was a harbinger of what was to come.
Chinese cyber threats blossomed from roughly 2020 to 2022, as attackers focused on identifying and breaching edge devices en masse.
It worked thanks to the large quantity of devices in the wild that have Internet-facing portals. Typically, these interfaces are designed for internal use. With COVID-19, though, more and more companies were allowing employees to connect from the open Web. This provided a window for hackers with the right kind of credentials or vulnerabilities to get in.
It helped, too, that around that same time, in July 2021, China's Cyberspace Administration passed the Regulations on the Management of Network Product Security Vulnerability Information. These rules required security researchers to report vulnerabilities to the country's Ministry of Industry and Information Technology (MIIT) before disclosing them to any other party. "It was designed to co-opt the whole country, private citizens included, into being assets for PRC objectives," McKerchar says. Sophos assesses with medium confidence that two notable campaigns during this period were facilitated by vulnerabilities responsibly disclosed by researchers at universities in the Chinese city of Chengdu.
Chinese APTs weren't only interested in using compromised devices to attack the companies they came from. With varying degrees of success, they would often try to incorporate the devices into broader operational relay box networks (ORBs). These ORBs, in turn, gave higher-level threat actors more sophisticated infrastructure from which to launch more advanced attacks while hiding any trace of their origin: traffic to the final victim appears to come from an ordinary business router rather than from attacker-owned infrastructure.
After this noisy period, around the middle of 2022, Chinese APTs shifted yet again. Ever since, they've been focused on much more deliberate and targeted attacks against organizations of high value: government agencies, military contractors, research and development firms, critical infrastructure providers, and the like.
These attacks follow no single pattern, involving known and zero-day vulnerabilities, userland and UEFI bootkits, and whatever other elements pair with active, hands-on-keyboard-type attacks. They almost certainly wouldn't be as sophisticated as they are, though, without all of the years of trial and error that came before. Evidence of that is just how effective these threat actors are at overcoming cybersecurity defenses. In recent years, they've demonstrated an ability to sabotage hotfixes for vulnerable devices and to block evidence of their activity from reaching Sophos analysts.
"There's a clear arc of moving to stealthier and stealthier persistence in the activity that we've uncovered," McKerchar says.
He explains how "the first malware, whilst it was bespoke for our devices, wasn't really trying to hide. They were just banking on nobody looking. In the second wave of attacks they learned a bunch of lessons, remarkably quickly. The malware wasn't explicitly trying to hide, it was just smaller, and naturally able to blend in a bit more. Then after that, they started kind of pulling out more interesting tactics: Trojan class files, memory-resident malware, rootkits, bootkits."
He concludes, "It'd be hard to speculate on what's next, except [that] they're going to be improving again."
