Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

Grayfly APT uses recently discovered Sidewalk backdoor

Security researchers from Broadcom’s Symantec linked a previously undocumented backdoor to the Chinese Grayfly operation. Experts from Broadcom’s Symantec linked a previously undocumented backdoor to the Chinese Grayfly operation. In late August, ESET researchers uncovered the SideWalk backdoor that was employed by the Chine cyberespionage group in an attack aimed at a computer retail company […]

China-linked APT Salt Typhoon

Security researchers from Broadcom’s Symantec linked a previously undocumented backdoor to the Chinese Grayfly operation.

Experts from Broadcom’s Symantec linked a previously undocumented backdoor to the Chinese Grayfly operation.

In late August, ESET researchers uncovered the SideWalk backdoor that was employed by the Chine cyberespionage group in an attack aimed at a computer retail company based in the U.S.. The APT group primarily focuses on attacks against organizations in East and Southeast Asia, the group has been particularly active in recent years.

“The malware, which is related to the older Crosswalk backdoor (Backdoor.Motnug) has been deployed in recent Grayfly campaigns against a number of organizations in Taiwan, Vietnam, the United States, and Mexico. A feature of this recent campaign was that a large number of targets were in the telecoms sector. The group also attacked organizations in the IT, media, and finance sectors.” reads the analysis published by Broadcom’s Symantec.

The arsenal of the cyber espionage group includes the Barlaiy/POISONPLUG and Crosswalk/ProxIP (Backdoor.Motnug) malware.

In September 2020, US Department of Justice announced indictments against 5 Chinese nationals alleged members of a state-sponsored hacking group known as APT41. Three of them (Jiang Lizhi, Qian Chuan, and Fu Qiang) were involved in the Grayfly tools and tactics.

The recently discovered implant is related to the older Crosswalk backdoor (Backdoor.Motnug), it has been used in recent Grayfly operations against a number of organizations in Taiwan, Vietnam, the United States, and Mexico.

Most of the victims were in the telecoms sector, followed by the IT, media, and finance sectors.

A characteristic of the recent Sidewalk campaign was that the threat actors focused on exposed Microsoft Exchange or MySQL servers. Once compromised publicly facing Microsoft Exchange or MySQL web servers to deploy web shells, the attackers spread laterally across the target network and leverage additional backdoors to maintain persistence and exfiltrate sensitive data.

“In at least one attack, the suspicious Exchange activity was followed by PowerShell commands used to install an unidentified web shell. Following this, the malicious backdoor was executed.” continues the analysis. “After the installation of the backdoor, the attackers deployed a custom version of the credential-dumping tool Mimikatz. This version of Mimikatz has been used previously in Grayfly attacks.”

Symantec attributes the recent attacks to the SparklingGoblin APT, which is believed to be under the umbrella of the China-linked Winnti (aka APT41) APT group.

“Grayfly is a capable actor, likely to continue to pose a risk to organizations in Asia and Europe across a variety of industries, including telecommunications, finance, and media,” the researchers conclude. “It’s likely this group will continue to develop and improve its custom tools to enhance evasion tactics along with using commodity tools such as publicly available exploits and web shells to assist in their attacks.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Grayfly )

[adrotate banner=”5″]

[adrotate banner=”13″]