Pakistan’s Islamabad’s Safe City Authority Online System Down After Hack

By: Alan J
27 May 2024 at 09:37

Islamabad's Safe City Authority

Islamabad's Safe City Authority experienced a significant disruption when its online system was breached by hackers, prompting an immediate shutdown. The Safe City Islamabad Project, initiated by the PPP-led government and backed by a Chinese government concessional loan, aimed to enhance the capital's surveillance and security capabilities with the installation of 1,950 CCTV cameras, a bomb-proof command center, a 4G communication network, and advanced monitoring systems such as facial recognition technology. This unforeseen event has raised concerns over the security and vulnerability of the system, as law enforcement officials scramble to assess the damage and restore operations.

Islamabad's Safe City Authority Breach and Initial Response

The breach revealed several systemic weaknesses within the Safe City Authority's digital infrastructure. Hackers successfully infiltrated the primary server, gaining unauthorized access to databases containing criminal records and sensitive information. While the system's firewall did issue an alert upon detecting the intrusion, the absence of backup servers and contingency plans forced a complete shutdown of the affected software and applications. The assault compromised several integral systems, including the Complaint Management System, Criminal Management Record System, and Human Resource Management System, along with software and applications vital for the Operation Division.

[Image: Pakistan Islamabad's Safe City Authority Online System. Source: china.aiddata.org]

The compromise of these systems impacted several critical services tied to the Safe City initiative, including mobile applications, smart police vehicle records, police station data, video analytics, Islamabad Traffic Police, e-challan systems, and records from the operations division. Approximately 13 to 15 servers provided by the police facilitation center F-6 were also affected.

An officer told Dawn, Pakistan's largest English newspaper, that this incident was not a typical hacking scenario involving stolen login credentials. Instead, the system's vulnerability stemmed from officials' use of simple and common login IDs and passwords, which made it easier for hackers to gain access. Additionally, many of the software and applications were found to be outdated or running on expired licenses, further compromising the system's security. Despite the breach of several systems, the Safe City cameras' management system, which operated independently through offline direct lines, remained secure, demonstrating the effectiveness of isolated systems in safeguarding against such attacks.

Police spokesperson Taqi Jawad confirmed the intrusion as an attempted breach that triggered the firewall's alarm but stated that appropriate precautionary measures had been taken. "All logins have been closed for the past two days to change them, including those of police stations and officers at various ranks," he stated. Jawad refrained from sharing further specifics on the server shutdowns, saying they were still pending technical feedback.

Controversy Over Islamabad's Safe City Authority

Islamabad's Safe City project has been a source of serious controversy, with several litigations over contract transparency and cost inflation leading to the Supreme Court's order to cancel the initial contract with Huawei in 2012. The contract was later renegotiated, and the project resumed under the PMLN (Pakistan Muslim League) government, with the command center becoming operational in 2016. By 2016, 1,805 cameras were installed, and as of 2021, 95% remained functional. Despite the extensive infrastructure, police sources claimed in 2022 that the system had not prevented any incidents or facilitated any arrests, raising questions about its effectiveness.

Due to financial strain, Pakistan and China Eximbank signed several debt suspension agreements from July 2020 to December 2021, temporarily suspending principal and interest payments under the concessional loan agreement. Tragically, the project's director was found dead in July 2022 in an apparent suicide. The successful breach of the authority's systems draws additional controversy towards the project, which was intended to be a cornerstone of Islamabad's security infrastructure but has encountered several operational, legal, and financial setbacks.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Chinese Threat Actors Employ Operational Relay Box (ORB) Networks to Evade IOCs

By: Alan J
23 May 2024 at 09:15

ORB Networks China

Cybersecurity defenders have widely relied on blocking attacker IP addresses through identified IOCs in response to threat actor campaigns. However, Chinese threat actors are rapidly rendering this usual strategy obsolete through the widespread adoption of ORB Networks. ORBs are complex, multi-layered networks, typically managed by private companies or entities within the Chinese government. They offer access to a constantly shifting pool of IP addresses, allowing multiple threat actors to mask their activities behind seemingly innocuous traffic.

Use of ORB Networks by Threat Actors Presents Additional Challenges to Defenders

Researchers from Mandiant stated that the sheer size and scope of these networks, often hundreds of thousands of nodes deep, provide a great deal of cover and make it difficult for defenders to attribute and learn more about attackers. Additionally, the geographic spread of ORBs allows hackers in China to circumvent geographic restrictions or appear less suspicious by connecting to targets from within the target's own region. Most importantly, ORB nodes are short-lived, with new devices typically cycled in and out every month or every few months, making it difficult for defenders to tie IPs to their users for any meaningful length of time.

These operational relay box networks (ORBs) are maintained by private companies or elements within the Chinese government and are made up of five layers: Chinese servers, virtual private servers (VPS), traversal nodes, exit nodes, and victim servers. ORBs can be classified into two groups: provisioned, which use commercially rented VPSs, and non-provisioned, built on compromised and end-of-life routers and Internet of Things (IoT) devices. These networks are akin to botnets, and ORB network administrators can easily grow the size of their network with little effort, creating a constantly evolving mesh network that can be used to conceal espionage operations. The researchers cited two prominent examples to illustrate the sophistication of these networks:
  • ORB3/SPACEHOP: A provisioned network linked to APT5 and APT15, targeting entities in North America, Europe, and the Middle East. Known for exploiting vulnerabilities like CVE-2022-27518.
  • ORB2/FLORAHOX: A hybrid network employing compromised Cisco, ASUS, and DrayTek routers, alongside TOR network relays and VPS servers. Linked to APT31 and Zirconium, demonstrating a multi-layered approach to traffic obfuscation.

Adapting to the Threat of ORB Networks

Researchers have advised that instead of simply blocking adversary infrastructure, defenders must now consider temporality, the multiplicity of adversaries, and ephemerality. They recommend approaching these ORB networks as distinct entities with distinct tactics, techniques, and procedures (TTPs) rather than relying on inert indicators of compromise. By analyzing their evolving characteristics - including infrastructure patterns, behaviors, and TTPs - defenders can gain valuable insights into the adversary's tactics and develop more effective defenses.

While leveraging proxy networks for attack obfuscation isn't new, the rise of the ORB network industry in China points to long-term investments in equipping cyber operators with more sophisticated tactics and tools. The evolution of these ORB networks also highlights that a static defense may be a losing defense. To counter this growing threat and level the playing field, enterprises must embrace a mindset of continuous adaptation, while investing in advanced threat intelligence, behavioral analysis tools, and skilled personnel.

Threat Actor “Unfading Sea Haze” Targeting South China Sea Nations

By: Alan J
23 May 2024 at 05:13

South China Sea Unfading Sea Haze

A recently discovered cyber threat actor, dubbed 'Unfading Sea Haze', has been targeting organizations in the South China Sea region since 2018. The threat actor group remained undetected for over five years, despite its attacks on several high-profile military and government entities. Researchers observed that its operations align with Chinese geopolitical interests in the region.

Unfading Sea Haze Likely Affiliated with Chinese Government

Bitdefender researchers discovered that the group's TTPs (tactics, techniques, and procedures) and toolset overlap with those of other Chinese state-sponsored threat actors such as APT41 (BARIUM). Unfading Sea Haze employs a multi-stage attack chain, often beginning with spear-phishing emails carrying malicious LNK files disguised within seemingly innocuous documents. Upon clicking these LNK files, a lengthy obfuscated PowerShell command checks for the presence of an ESET executable (ekrn.exe). If found, the attack halts; otherwise, the PowerShell script compiles malware directly into Windows memory using Microsoft's legitimate msbuild.exe command-line compiler.

The attackers use scheduled tasks to side-load malicious DLLs and modify the disabled default administrator account to maintain persistence. They reset the password for the local administrator account, enable it, and hide it from the login screen via Registry modifications. This step provides the threat actors with a hidden administrator account for further attacks. Once access is established, Unfading Sea Haze uses a custom keylogger named 'xkeylog' to capture keystrokes, a browser-data stealer to target data stored in Chrome, Firefox, or Edge browsers, and various PowerShell scripts to extract information from browser databases.

Unfading Sea Haze's campaign employs a wide arsenal of custom-developed malware and publicly available tools. The group's initial campaigns involved the use of tools such as the xkeylog keylogger for credential theft and SharpJSHandler, a web shell alternative for remote code execution. The group later shifted towards stealthier options, such as iterations of the Gh0st RAT malware family including SilentGh0st, TranslucentGh0st, and newer, more modular variants like FluffyGh0st, InsidiousGh0st, and EtherealGh0st. This recent shift demonstrates an ongoing effort to adapt their toolkit for maximum effectiveness and evasion.
Unfading Sea Haze also uses commercial Remote Monitoring and Management (RMM) tools, such as Itarian RMM, in the attack chain to establish a foothold on compromised networks.
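As an added example, not Bitdefender's code or part of the original article, the following Python detector turns the persistence and execution chain described above into three rules run over constructed Sysmon-style events (process creation and registry value set). It assumes Sysmon-like field names and the standard Winlogon `SpecialAccounts\UserList` key as the mechanism for hiding an account from the logon screen; the article itself does not name that key.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Standard Winlogon key: a DWORD value named after an account and set to 0 hides
# that account from the logon screen. Assumed here; the article does not name it.
HIDDEN_ACCOUNT_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                      r"\Winlogon\SpecialAccounts\UserList")


@dataclass
class Event:
    """Reduced Sysmon-style record: EventID 1 (process create) or 13 (registry set)."""
    event_id: int
    image: str = ""          # full path of the created process (EventID 1)
    parent_image: str = ""   # full path of the parent process (EventID 1)
    command_line: str = ""   # command line of the created process (EventID 1)
    target_object: str = ""  # registry value path (EventID 13)
    details: str = ""        # registry data as Sysmon renders it (EventID 13)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for events matching the described chain."""
    alerts = []
    for e in events:
        if e.event_id == 1:
            img, parent = _basename(e.image), _basename(e.parent_image)
            cl = e.command_line.lower()
            # Rule 1: PowerShell hands a project file to msbuild.exe, which compiles
            # and runs the payload in memory. Outside build hosts this is rare.
            if img == "msbuild.exe" and parent in ("powershell.exe", "pwsh.exe"):
                alerts.append(("msbuild_spawned_by_powershell", e.command_line))
            # Rule 2: the disabled built-in Administrator account is re-enabled.
            if img in ("net.exe", "net1.exe") and "administrator" in cl \
                    and "/active:yes" in cl:
                alerts.append(("builtin_admin_enabled", e.command_line))
        elif e.event_id == 13:
            # Rule 3: an account is hidden from the logon screen. Sysmon renders
            # DWORD data as "DWORD (0x00000000)"; the value name is the account.
            if e.target_object.lower().startswith(HIDDEN_ACCOUNT_KEY.lower()) \
                    and e.details.strip().endswith("(0x00000000)"):
                alerts.append(("account_hidden_from_logon",
                               e.target_object.rsplit("\\", 1)[-1]))
    return alerts


# Constructed sample telemetry, not real captured events.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line="powershell.exe -w hidden -nop -enc <base64 elided>"),
    Event(1, image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r"MSBuild.exe C:\Users\Public\build.xml"),
    Event(1, image=r"C:\Windows\System32\net1.exe",
          parent_image=r"C:\Windows\System32\net.exe",
          command_line=r"C:\Windows\system32\net1 user Administrator /active:yes"),
    Event(13, target_object=HIDDEN_ACCOUNT_KEY + r"\Administrator",
          details="DWORD (0x00000000)"),
    Event(1, image=r"C:\Windows\System32\svchost.exe",     # benign noise
          parent_image=r"C:\Windows\System32\services.exe",
          command_line="svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The first sample event (PowerShell launched from explorer.exe, as an LNK would do) deliberately produces no alert on its own: the chain becomes distinctive only at the msbuild.exe hand-off and the account changes that follow.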

Unfading Sea Haze Shares Similarities with APT41

Adding to the concern, the investigation revealed Unfading Sea Haze's repeated success in regaining access to previously compromised systems. This persistence points to a critical weakness often exploited by malicious actors: poor credential hygiene and inadequate patching practices within targeted organizations. Researchers suggest the use of various Gh0st RAT variants by the Unfading Sea Haze group could imply a close connection to the Chinese threat actor ecosystem, where the sharing of closed-source RATs and tools is common among state-sponsored actors.

The campaign's integration of the SharpJSHandler module to execute scripts shares similarities with the invoke command found in the funnyswitch backdoor, which has been frequently employed by APT41 in its campaigns. Both SharpJSHandler and funnyswitch load .NET assemblies and execute JScript code. However, these similarities are limited, as funnyswitch contains additional features not present in SharpJSHandler. No further overlaps with APT41's tooling were discovered during the investigation.

Researchers Share Recommendations

Researchers note that the Unfading Sea Haze group has demonstrated a high level of sophistication in its attacks, using a custom malware arsenal for additional flexibility and evasiveness. The shift towards modularity, dynamic elements, and in-memory execution indicates the group's continuous efforts to circumvent traditional security measures. As attackers persistently adapt their tactics, researchers have recommended a comprehensive and layered security approach for likely victims. This includes prioritizing vulnerability management, implementing strong authentication techniques, network segmentation, traffic monitoring, and effective logging. Researchers have also shared IOC (Indicator of Compromise) information on the campaign, such as associated IP addresses, domains used, MD5 file hashes, and storage file paths. Additionally, the researchers have linked to a full report featuring an in-depth look at the Gh0st RAT family and other malware samples.

$2.5 Million Offered at Upcoming ‘Matrix Cup’ Chinese Hacking Contest

13 May 2024 at 05:43

The Chinese hacking contest Matrix Cup is offering big rewards for exploits targeting OSs, smartphones, enterprise software, browsers, and security products.

The post $2.5 Million Offered at Upcoming ‘Matrix Cup’ Chinese Hacking Contest appeared first on SecurityWeek.

UK Ministry of Defence Suffers Major Data Breach, China’s Involvement Suspected

By: Alan J
7 May 2024 at 08:14

Ministry of Defence Data Breach

The personal data of an unspecified number of active UK military personnel has been compromised in a significant Ministry of Defence data breach. The UK's Ministry of Defence (MoD) is tasked with protecting the UK, its crown dependencies, and its overseas territories against threats from both state and non-state actors. The ministry also oversees and trains the Royal Navy, British Army, Royal Air Force, and the Strategic Command. The breach occurred as a result of an attack on the MoD payroll system, but the exact motives of the perpetrators remain unknown.

Victims of Ministry of Defence Data Breach Being Actively Notified

The compromised data spans several years and includes the names, bank details, and in at least a few instances, even the personal addresses of active and previously-serving armed forces members. The Royal Navy, Army, and Royal Air Force are included in this breach. However, the ministry confirmed that no operational defence data had been accessed during the incident.

The affected payroll system was managed by an external contractor. Upon becoming aware of the incident, the Ministry of Defence took immediate action, taking the affected system offline and opening investigations. The MoD further confirmed that it would ensure that all salaries would reach its service members on time. The investigating parties, which include the public cybersecurity agencies GCHQ and NCSC, are also examining potential security failings or vulnerabilities at the third-party contractor SSCL, which operated the payroll system for the MoD. The MoD is actively notifying and providing support to those affected, including veterans' organizations. UK Defence Secretary Grant Shapps is scheduled to update MPs in Parliament about the breach and outline a "multi-point plan" to protect affected service personnel.

Several Sources Suspect China Behind Ministry of Defence Data Breach

Although the hackers' identity remains undisclosed, some officials and news agencies suspect China to be behind the attack amid rising warnings about the threats posed by hostile states and third parties. China was previously reported to have attempted to obtain data from ex-RAF pilots through the use of financial lures. However, the MoD has not commented on China's involvement. Tobias Ellwood, a Conservative MP and veteran, disclosed to Sky News that he believed China might be behind the attack as a way of coercing the financially vulnerable in exchange for cash. In response to these allegations, the Chinese foreign ministry emphasized its stated opposition to all forms of cyber attacks and rejected the use of hacking incidents for political purposes.

The UK-China relationship has been strained over recent hacking allegations, with Britain accusing Chinese government-sponsored hackers of targeting its lawmakers and electoral watchdogs over the past few years. While the breach is being investigated, concerns arise about sharing sensitive intelligence with countries harboring close relationships with China. This incident follows previous cyberattack campaigns attributed to China, prompting government officials to acknowledge China as a significant challenge.

Martin Greenfield, CEO of the London-based cybersecurity consultancy Quod Orbis, said that the incident was the latest in a series of recent cyber-attacks demonstrating the threat of campaigns targeting nationally sensitive data, as observed last month with an attack on the NHS. He added that UK organizations still face challenges in securing systems and that there needs to be further co-operation and information sharing between different teams and between public and private agencies to combat this threat, rather than operating in isolation. He also expressed concern that the compromised service member data may be used in further targeted attacks in the digital and physical world; with tensions in the Middle East and Ukraine, such compromised data might pose additional challenges for MoD operations in those areas.

Mel Stride, a government minister, highlighted the need to balance security concerns with economic engagement with China. He emphasized the importance of including China in global discussions on issues like climate change. In Parliament, Deputy Prime Minister Oliver Dowden cited the example of previously alleged incidents involving attacks on the Electoral Commission and targeted attempts on MPs who have criticized China. Opposition politicians and former military personnel expressed concerns and called for a comprehensive response from the government. As China's president, Xi Jinping, tours Europe, including friendly nations, concerns persist about the Chinese government's purported efforts at cyber espionage.

US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack

9 April 2024 at 09:56

The US Cyber Safety Review Board released a report on the summer 2023 hack of Microsoft Exchange by China. It was a serious attack by the Chinese government that accessed the emails of senior US government officials.

From the executive summary:

The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations. The Board reaches this conclusion based on:

  1. the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed;
  2. Microsoft’s failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed;
  3. the Board’s assessment of security practices at other cloud service providers, which maintained security controls that Microsoft did not;
  4. Microsoft’s failure to detect a compromise of an employee’s laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021;
  5. Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction;
  6. the Board’s observation of a separate incident, disclosed by Microsoft in January 2024, the investigation of which was not in the purview of the Board’s review, which revealed a compromise that allowed a different nation-state actor to access highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems; and
  7. how Microsoft’s ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency.

The report includes a bunch of recommendations. It’s worth reading in its entirety.

The board was established in early 2022, modeled in spirit after the National Transportation Safety Board. This is their third report.

Here are a few news articles.

EDITED TO ADD (4/15): Adam Shostack has some good commentary.

China Surveillance Company Hacked

27 February 2024 at 07:03

Last week, someone posted something like 570 files, images and chat logs from a Chinese company called I-Soon. I-Soon sells hacking and espionage services to Chinese national and local government.

Lots of details in the news articles.

These aren’t details about the tools or techniques, more the inner workings of the company. And they seem to primarily be hacking regionally.

A first analysis of the i-Soon data leak

21 February 2024 at 06:21

Data from a Chinese cybersecurity vendor that works for the Chinese government has exposed a range of hacking tools and services. Although the source is not entirely clear, it seems that a disgruntled staff member of the group leaked the information on purpose.

The vendor, i-Soon (aka Anxun) is believed to be a private contractor that operates as an Advanced Persistent Threat (APT)-for-hire, servicing China’s Ministry of Public Security (MPS).

The leaked data is organized in a few groups, such as complaints about the company, chat records, financial information, products, employee information, and details about foreign infiltration. According to the leaked data, i-Soon infiltrated several government departments, including those from India, Thailand, Vietnam, South Korea, and NATO.

Some of the tools that i-Soon used are impressive enough. Some highlights:

  • Twitter (now X) stealer: Features include obtaining the user’s Twitter email and phone number, real-time monitoring, reading personal messages, and publishing tweets on the user’s behalf.
  • Custom Remote Access Trojans (RATs) for Windows x64/x86: Features include process/service/registry management, remote shell, keylogging, file access logging, obtaining system information, disconnecting remotely, and uninstallation.
  • The iOS version of the RAT also claims to authorize and support all iOS device versions without jailbreaking, with features ranging from hardware information, GPS data, contacts, media files, and real-time audio records as an extension. (Note: this part dates back to 2020)
  • The Android version can dump messages from all popular Chinese chatting apps QQ, WeChat, Telegram, and MoMo and is capable of elevating the system app for persistence against internal recovery.
  • Portable devices for attacking networks from the inside.
  • Special equipment for operatives working abroad to establish safe communication.
  • User lookup database which lists user data including phone number, name, and email, and can be correlated with social media accounts.
  • Targeted automatic penetration testing scenario framework.

While some of the information is dated, the leaked data provides an inside look into the operations that go on at a leading spyware vendor and APT-for-hire.

It will certainly rattle some cages at the infiltrated entities and as such it could possibly cause a shift in international diplomacy and expose the holes in the national security of several countries.

Not all of the material has been examined yet. There is a lot available and translating is not an easy task. But we will keep you posted if anything else of interest shows up.
