Week of Monday, February 28, 2022 | Issue 65
Emma Hoskins, Marina Tovar, CICYBER Team
Hacker Silhouette[1]
Date: February 28, 2022
Location: China
Parties involved: China; Symantec Threat Hunter team; US Cybersecurity and Infrastructure Security Agency (CISA); Chinese Advanced Persistent Threat (APT) actors
The event: The Symantec Threat Hunter team, in collaboration with US CISA, has detected a sophisticated malware named Daxin.[2] Chinese APT actors are linked to Daxin because similar advanced detection-avoidance techniques have previously been used by Chinese-linked cyberespionage groups, such as Slug/Owlproxy.[3] Daxin’s command-and-control (C2) functionality allows Chinese APT actors to send commands to infected machines without direct access to the Internet and to infect multiple nodes with a single command. The malware evades strict firewall protection by hijacking legitimate network connections, so the Chinese APT actors’ activity remains undetected.[4] Similar malware attacks have primarily targeted the telecommunications, transportation, and manufacturing sectors.[5] China’s current national security goals prioritize safeguarding national sovereignty through control and development of cyberspace capabilities, such as the Strategic Support Force (SSF), to gather data and intelligence.[6]
Analysis & Implications:
Chinese APT actors will likely use Daxin to access and steal sensitive information from adversarial government-owned telecommunications networks, likely contributing to China’s national security goals. If Chinese APT actors steal sensitive data, it will likely generate a loss of trust towards the impacted governments, as citizens will very likely believe the government cannot protect their data. Threat actors will very likely use the victims’ data for identity theft and account manipulation for financial gain, and will very likely threaten victims into paying a ransom for stolen personal data.
Chinese APT actors will very likely use malware to conduct espionage activities targeting adversarial governmental organizations and defense sector networks. Espionage activities and the retrieved information will very likely help the Chinese government gather intelligence and monitor government plans, actions, and operations. Chinese APT groups using Daxin will very likely be a persistent threat due to the inability to detect the malware. Daxin will very likely allow Chinese APT actors to continue gathering valuable information in real-time, likely advancing China’s national security goals.
Date: March 3, 2022
Location: US
Parties involved: US Senate; US Cybersecurity and Infrastructure Security Agency (CISA)
The event: The US Senate unanimously approved the “Strengthening American Cybersecurity Act,” which aims to protect and strengthen the cybersecurity of US Critical Infrastructure and Key Resources (CIKR). Provisions of the Act include a requirement for targeted sectors to report a cyberattack to US CISA within 72 hours and to adopt more effective cybersecurity practices, such as secure cloud servers.[7]
Analysis & Implications:
Threat actors almost certainly target US CIKR to retrieve sensitive and strategic data. A cyberattack will very likely force the targeted organizations to shut down their operations, very likely preventing them from conducting risk assessment and mitigation. Not implementing mitigation strategies will likely lead to data loss and to malicious actors acquiring sensitive data stored on the organization’s networks. Threat actors acquiring customer data will likely decrease customers’ and investors’ trust, due to a lack of effective protection of the information, likely leading to a decrease in the organization’s yearly turnover.
The US Senate passing the Act will very likely force enterprises and organizations to implement more effective cybersecurity practices to mitigate cyberattacks. Implementing adequate policies will almost certainly decrease the impact of a cyberattack and allow a faster response by public organizations like US CISA. Notifying US CISA within 72 hours will likely reduce the impact and losses of the targeted organization, due to US CISA’s ability to recommend and advise the targeted organization on specific measures.
Date: March 4, 2022
Location: US
Parties involved: US Cybersecurity and Infrastructure Security Agency (CISA); Microsoft; Cisco; Adobe
The event: US CISA issued a list of 95 actively exploited vulnerabilities. Actively exploited vulnerabilities are flaws in software that threat actors are currently exploiting to conduct malware, ransomware, and other types of cyberattacks. These vulnerabilities primarily impact Microsoft, Cisco, and Adobe, as the vulnerabilities are flaws in the configuration of their systems. US CISA believes the vulnerabilities pose a significant risk to federal agencies, as agency databases running on the named systems contain sensitive information.[8] US CISA stated that targeted organizations should apply updates and patches to close the vulnerabilities. Threat actors can detect vulnerabilities with open-source exploit kits or through Structured Query Language (SQL) injection. Open-source exploit kits are automated malware kits that threat actors use to scan networks and identify a system’s vulnerabilities.[9] SQL injection allows threat actors to interfere with the queries an application makes to its database.[10]
Analysis & Implications:
Public and private organizations reliant on Microsoft, Cisco, and Adobe are very likely at risk of cyberattacks if threat actors exploit the vulnerabilities in those products. Organizations not implementing updates will likely remain at risk, as threat actors will very likely exploit the vulnerabilities to access and disrupt the organizations’ networks and services. Threat actors accessing the organizations’ networks will very likely steal personal data, which they will very likely use for impersonation and data theft, such as buying cryptocurrencies to expand their capital.
Threat actors will very likely scan an organization’s networks with open-source exploit kits to find vulnerabilities to exploit. Threat actors with advanced cyber knowledge will very likely opt for other methods, like SQL injection, if the open-source exploit kits do not detect the vulnerabilities effectively. Once threat actors detect a vulnerability, they will very likely deploy malware on the targeted systems or introduce a Remote Access Trojan (RAT) to access the organizations’ networks. A RAT will very likely enable access to other accounts and data, allow real-time screen monitoring, and deploy further malware, very likely impacting the targeted organization significantly as threat actors will likely expose its data.
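As an added illustration of the "apply updates and patches" advice above (example code, not from the original issue or from CISA), the following triage script reads a catalog in the shape of CISA's Known Exploited Vulnerabilities JSON feed, keeps the entries for the vendors an organization depends on, and flags those whose CISA remediation due date has already passed. The feed layout (fields such as `cveID`, `vendorProject`, `product` and `dueDate`) is assumed from the public feed; the entries embedded below are constructed, with placeholder CVE ids, and are not real catalog records.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed (the live feed is
# published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE ids, products and dates here are placeholders, not real catalog entries.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.03.04",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Microsoft", "product": "Example OS",
         "vulnerabilityName": "Constructed privilege escalation", "dateAdded": "2022-03-03",
         "shortDescription": "constructed", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-03-17"},
        {"cveID": "CVE-0000-0002", "vendorProject": "Cisco", "product": "Example Router",
         "vulnerabilityName": "Constructed command injection", "dateAdded": "2022-03-03",
         "shortDescription": "constructed", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-03-24"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Unused Product",
         "vulnerabilityName": "Constructed overflow", "dateAdded": "2022-03-03",
         "shortDescription": "constructed", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-03-10"},
    ],
})


def load_kev(feed_text):
    """Parse KEV-style JSON text and return its list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def triage(entries, vendors, today):
    """Keep entries from the given vendors and flag those past their due date.

    Returns a list of dicts sorted so overdue items come first, then by due date,
    so the output can be worked top to bottom as a patch queue.
    """
    hits = []
    for entry in entries:
        if entry["vendorProject"] not in vendors:
            continue  # the organization does not run this vendor's products
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"cve": entry["cveID"], "vendor": entry["vendorProject"],
                     "product": entry["product"], "due": entry["dueDate"],
                     "overdue": due < today})
    hits.sort(key=lambda h: (not h["overdue"], h["due"]))
    return hits


if __name__ == "__main__":
    for hit in triage(load_kev(SAMPLE_KEV), {"Microsoft", "Cisco", "Adobe"}, date(2022, 3, 20)):
        print(("OVERDUE " if hit["overdue"] else "pending ") + hit["cve"], hit["vendor"], hit["product"], "due", hit["due"])
```

Swapping `SAMPLE_KEV` for the downloaded feed and the vendor set for the organization's own software inventory turns this into a daily check against the catalog.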
[1] “Hacker Silhouette” by B_A licensed under Simplified Pixabay License
[2] China-linked Daxin Malware Targeted Multiple Governments in Espionage Attacks, The Hacker News, March 2022, https://thehackernews.com/2022/03/china-linked-daxin-malware-targeted.html
[3] Chinese cyberspies target govts with their ‘most advanced’ backdoor, Bleeping Computer, February 2022, https://www.bleepingcomputer.com/news/security/chinese-cyberspies-target-govts-with-their-most-advanced-backdoor/
[4] China-linked Daxin Malware Targeted Multiple Governments in Espionage Attacks, The Hacker News, March 2022, https://thehackernews.com/2022/03/china-linked-daxin-malware-targeted.html
[5] Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks, Broadcom Software, February 2022, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage
[6] Evaluating China's Road to Cyber Super Power, Lawrence Livermore National Laboratory, November 2021, https://www.osti.gov/servlets/purl/1830481
[7] U.S. Senate Passes Cybersecurity Bill to Strengthen Critical Infrastructure Security, The Hacker News, March 2022, https://thehackernews.com/2022/03/us-senate-passes-cybersecurity-bill-to.html
[8] CISA warns organizations to patch 95 actively exploited bugs, Bleeping Computer, March 2022, https://www.bleepingcomputer.com/news/security/cisa-warns-organizations-to-patch-95-actively-exploited-bugs/
[9] Exploit Kits, Though in Decline, Remain Powerful Tool for Delivering Malware, Recorded Future, December 2020, https://www.recordedfuture.com/exploit-kits-delivering-malware/
[10] SQL injection, OWASP, https://owasp.org/www-community/attacks/SQL_Injection