China-linked APT Flew Under Radar for Decade

Evidence suggests that a just-discovered APT has been active since 2013.

Threatpost

Researchers have identified a small yet potent China-linked APT that has flown under the radar for nearly a decade running campaigns against government, education and telecommunication organizations in Southeast Asia and Australia.

Researchers from SentinelLabs said the APT, which they dubbed Aoqin Dragon, has been operating since at least 2013. The APT is “a small Chinese-speaking team with potential association to [an APT called] UNC94,” they reported.

Researchers say one of Aoqin Dragon’s tactics is to use pornographic-themed malicious documents as bait to entice victims into downloading them.

“Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,” researchers wrote.

**Aoqin Dragon’s Evolving Stealth Tactics**

Part of what has helped Aoqin Dragon stay under the radar for so long is that the group’s tradecraft has evolved, starting with the means the APT uses to infect target computers.

In their first few years of operation, Aoqin Dragon relied on exploiting old vulnerabilities – specifically, CVE-2012-0158 and CVE-2010-3333 – which their targets might not have yet patched.

Later, Aoqin Dragon created executable files whose desktop icons made them look like Windows folders or antivirus software. These programs were actually malicious droppers that planted backdoors and then established connections back to the attackers’ command-and-control (C2) servers.

Since 2018, the group has been using a fake removable device as its infection vector. When a user clicks to open what seems to be a removable device folder, they in fact set off a chain of events that drops a backdoor onto their machine and establishes a C2 connection. Not only that, the malware copies itself to any real removable devices connected to the host machine, in order to spread beyond the host and, the attackers hope, into the target’s broader network.

The group has employed other techniques to stay off the radar. It has used DNS tunneling – manipulating the internet’s domain name system to sneak data past firewalls. One backdoor the group leverages – known as Mongall – encrypts communication between the host and the C2 server. Over time, the researchers said, the APT has kept slowly reworking the fake removable disc technique and has “upgraded the malware to protect it from being detected and removed by security products.”

**Nation-State Links**

Targets have tended to fall in just a few buckets – government, education and telecoms, all in and around Southeast Asia. Researchers assert “the targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests.”

Further evidence of a link to China includes a debug log, found by the researchers, that contains simplified Chinese characters.

Most important of all, the researchers highlighted an overlapping attack on the president of Myanmar’s website back in 2014. In that case, police traced the hackers’ command-and-control and mail servers to Beijing. Aoqin Dragon’s two primary backdoors “have overlapping C2 infrastructure,” with that case, “and most of the C2 servers can be attributed to Chinese-speaking users.”

Still, “properly identifying and tracking State and State Sponsored threat actors can be challenging,” Mike Parkin, senior technical engineer at Vulcan Cyber, wrote in a statement. “SentinelOne releasing the information now on an APT group that has apparently been active for almost a decade, and doesn’t appear in other lists, shows how hard it can be ‘to be sure’ when you’re identifying a new threat actor.”
