20-Year-Old Chinese APT15 Finds New Life in Foreign Ministry Attacks
The notorious APT15 paired commodity tooling with a third-generation custom backdoor, "Graphican", to continue its intelligence-gathering operations, this time against foreign ministries.
From late 2022 to early 2023, a Chinese state-level threat actor used a new backdoor to conduct espionage against foreign ministries in North and South America.
The group in question, APT15 (aka Flea, Nickel, Vixen Panda, KE3CHANG, Royal APT, and Playful Dragon) already “has a track record of honing in on government targets, diplomatic missions, and embassies, likely for intelligence-gathering purposes,” Symantec researchers explained in a June 21 blog post. In recent years it has targeted diplomatic organizations, government organizations, and NGOs.
This latest campaign primarily focused on ministries of foreign affairs, but also included a government finance department and a corporation. All the targets were based in the Americas, a region which “does appear to have become more of a focus for the group in recent times,” the researchers wrote.
To carry out its espionage, APT15 employed well over a dozen tools, malicious and dual-use. Among them: Mimikatz and two of its variants; four Web shells, including AntSword and China Chopper; and an exploit for CVE-2020-1472 (Zerologon), the privilege-escalation flaw in the Netlogon Remote Protocol on Windows domain controllers that was patched in 2020 but still carries a CVSS 10.0 "Critical" rating. Microsoft has enforced secure Netlogon channels on supported domain controllers since February 2021, so the exploit's presence in a 2022-2023 campaign points at unpatched or unenforced domain controllers.
The attackers' only custom tool was Graphican, a new variant of the group's existing Trojan backdoor, used to run commands and download files on victim machines. "This backdoor has evolved some of its anti-detection mechanisms," acknowledges Avishai Avivi, CISO at SafeBreach. "That said, the fact that threat actors often use the same techniques allows companies to test their defenses proactively."
What Is Graphican?
Graphican is an iteration on APT15’s other Trojan backdoor, Ketrican, itself an evolution of their earlier model, BS2005.
Graphican's main distinguishing feature is that it forgoes a hardcoded command-and-control (C2) address. Instead, it calls Microsoft Graph, the API for Microsoft 365 services, to read an encrypted C2 address from a OneDrive folder. The implant's first network contact is therefore with a legitimate Microsoft domain, and the operators can rotate infrastructure without rebuilding the backdoor.
Once it has resolved its C2 server, Graphican offers the same basic functionality as its predecessor: an interactive command line under attacker control on the victim machine, creation of new processes and files, and file downloads. "The similarities in functionality between Graphican and the known Ketrican backdoor may indicate that the group is not very concerned about having activity attributed to it," the researchers speculate.
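Because Graph and OneDrive are used legitimately on almost every Microsoft 365 endpoint, the useful detection signal is not the destination but the context: which process talks to the OneDrive endpoints, and whether a token grant immediately precedes it. The Python below is an added example for this article, not code from Symantec or from the Graphican authors. It assumes a simplified EDR-style web event format that records the originating process, a per-environment allowlist of processes expected to use Graph, and a five-minute token-to-drive window; the log lines are constructed.

```python
"""Hunt for the Graph-API dead-drop pattern in endpoint web telemetry.

Added example for this article; not code from Symantec, Microsoft or the
Graphican authors. The log format, the process allowlist and the time window
are assumptions chosen for illustration, and SAMPLE_LOG is constructed.
"""
import csv
import io
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

GRAPH_HOST = "graph.microsoft.com"
TOKEN_HOST = "login.microsoftonline.com"
# OneDrive resources under Microsoft Graph live at /v1.0/me/drive/... or
# /v1.0/users/{id}/drive/... (and the same paths under /beta).
DRIVE_PATH = re.compile(r"^/(v1\.0|beta)/(me|users/[^/]+)/drives?(/|$)")

# Assumed per-environment allowlist of processes expected to call Graph/OneDrive.
EXPECTED_PROCESSES = {
    "onedrive.exe", "outlook.exe", "teams.exe", "winword.exe", "excel.exe",
    "msedge.exe", "chrome.exe",
}
# A token grant followed by drive access from the same host/process within this
# window is treated as one "resolve C2 from OneDrive" sequence (assumed threshold).
TOKEN_WINDOW = timedelta(minutes=5)

FIELDS = ["timestamp", "host", "process", "user_agent", "method", "url"]

# Constructed sample events (simplified EDR-style web telemetry, not real data).
SAMPLE_LOG = """\
2023-01-10T09:14:02Z,WS-042,OneDrive.exe,OneDrive/23.002,GET,https://graph.microsoft.com/v1.0/me/drive/root/children
2023-01-10T09:15:11Z,WS-017,svchost.exe,-,POST,https://login.microsoftonline.com/common/oauth2/v2.0/token
2023-01-10T09:15:13Z,WS-017,svchost.exe,-,GET,https://graph.microsoft.com/v1.0/me/drive/root/children
2023-01-10T09:15:14Z,WS-017,svchost.exe,-,GET,https://graph.microsoft.com/v1.0/me/drive/items/01ABCDEF/content
2023-01-10T09:20:40Z,WS-003,OUTLOOK.EXE,Outlook/16.0,GET,https://graph.microsoft.com/v1.0/me/messages
2023-01-10T09:21:00Z,WS-099,regsvr32.exe,-,GET,https://graph.microsoft.com/v1.0/me/drive/root/children
2023-01-10T09:30:00Z,WS-011,msedge.exe,Mozilla/5.0 Edg/109.0,GET,https://graph.microsoft.com/v1.0/me/drive/root/children
"""


def parse_events(text):
    """Parse CSV lines into dicts with a datetime and a split URL, sorted by time."""
    events = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        url = urlparse(rec["url"])
        events.append({
            "ts": datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": rec["host"],
            "process": rec["process"].lower(),
            "netloc": url.netloc.lower(),
            "path": url.path,
        })
    return sorted(events, key=lambda e: e["ts"])


def is_token_call(ev):
    """OAuth token request to the Microsoft identity platform."""
    return ev["netloc"] == TOKEN_HOST and ev["path"].endswith("/token")


def is_drive_call(ev):
    """Request to a OneDrive resource via Microsoft Graph."""
    return ev["netloc"] == GRAPH_HOST and DRIVE_PATH.match(ev["path"]) is not None


def hunt(text):
    """Return {(host, process): [reasons]} for OneDrive-via-Graph access from
    processes outside the allowlist, with corroborating signals attached."""
    findings = {}
    last_token = {}  # (host, process) -> time of the most recent token request
    for ev in parse_events(text):
        key = (ev["host"], ev["process"])
        if is_token_call(ev):
            last_token[key] = ev["ts"]
            continue
        if not is_drive_call(ev) or ev["process"] in EXPECTED_PROCESSES:
            continue
        reasons = findings.setdefault(key, set())
        reasons.add("drive access from unexpected process")
        if key in last_token and ev["ts"] - last_token[key] <= TOKEN_WINDOW:
            reasons.add("token request shortly before drive access")
        if ev["path"].endswith("/content"):
            reasons.add("file content downloaded")
    return {key: sorted(reasons) for key, reasons in findings.items()}


if __name__ == "__main__":
    for (host, proc), reasons in hunt(SAMPLE_LOG).items():
        print(f"{host} {proc}: {'; '.join(reasons)}")
```

On the constructed sample this flags svchost.exe on WS-017 (token grant, folder listing and a file download inside two minutes) and regsvr32.exe on WS-099, while the OneDrive, Outlook and Edge traffic passes. The allowlist is the part that needs tuning per environment; the token-then-drive sequence and the content download are corroboration, not standalone signals.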
Avivi sees it differently. “The reality is that APT groups are really looking for efficiency,” he says. “Suppose a tool is proven effective for launching attacks or opening backdoors. In that case, they’ll keep using it until it loses its efficacy or is stopped. R&D costs time and money for adversaries just like it does for companies.”
Who Is APT15?
According to Symantec, APT15 has been active for nearly two decades. The group has made its biggest waves in recent years, however: in December 2021 Microsoft's Digital Crimes Unit obtained a court order to seize websites used by the group, which Microsoft tracks as Nickel. Even that coordinated action wasn't enough to stop APT15, which returned a year later with a mobile spyware campaign targeting Uyghur populations en masse.
Organizations looking to harden against APT15 may not want to start with initial access vectors, which vary. The group has been known to use phishing emails, "but there have also been reports of it exploiting public-facing applications, as well as using VPNs, to gain initial access to victim networks," Symantec explained.
On the other hand, the relative consistency in APT15’s malware can be of benefit to defenders.
“Adversaries will use proven techniques to accomplish their goals,” Avivi says, pointing to APT15’s rehashing of largely similar malicious backdoors. “That is one, among many reasons, why validating security controls against known patterns and cycles can help companies better defend against these threat actors.”