U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

Operation Beebus, another chinese cyber espionage campaign

Security Firm FireEye revealed to have discovered an APT campaign targeting companies in the defense and aerospace sector and that has been originated from China to steal intellectual property and industrial secrets from US companies. In this period many other attacks have been linked to China such as the cyber espionage campaign against NYT and […]

Operation Beebus, another chinese cyber espionage campaign

Security Firm FireEye revealed to have discovered an APT campaign targeting companies in the defense and aerospace sector and that has been originated from China to steal intellectual property and industrial secrets from US companies.

In this period many other attacks have been linked to China such as the cyber espionage campaign against NYT and Washington Post, this time the hackers demonstrated particular interest in the design of Unmanned Aerial Vehicles (UAVs) and other robotic aircraft.

FireEye named the last campaign ‘Operation Beebus’ from the name of an initial sample in this campaign (MD5: 7ed557921ac60dfcb295ebabfd972301), which was originally submitted to VirusTotal on April 12, 2011

The schema adopted for the attack is a basic spear phishing, the hackers in fact uses both email and drive-by downloads to targeted victims exploiting common vulnerabilities in PDF and DOC files to install a Trojan backdoor.

Last March FireEye registered suspicious activities against its clients operating in aerospace and defense sector, continuous waves of attacks that are repeated over time.

The principal evidence against China for the attack is related to many similarities with past attacks linked to Beijing, the reuse of the command and control infrastructure (C&C) connected to APT attack on RSA’s SecurID token system occurred in 2011. The researchers discovered the following “Beebus” traffic pattern:

GET /s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; )
Accept: */*
Host: 68.96.31.136

where the IP address 68.96.31.136 was another C2 node reported by Dell SecureWorks as hosting the HTran proxy infrastructure.  Dell’s security team reported that the authors of the malware were Chinese and it dated malware creation back to 2003, Dell Securwork post on the agent states:

“HTran (aka HUC Packet Transmit Tool) is a rudimentary connection bouncer, designed to redirect TCP traffic destined for one host to an alternate host. The source code copyright notice indicates that HTran was authored by “lion”, a well-known Chinese hacker and member of “HUC”, the Honker Union of China. The purpose of this type of tool is to disguise either the true source or destination of Internet traffic in the course of hacking activity.

Source code can be readily found on the Internet:

http://read.pudn.com/downloads199/sourcecode/windows/935255/htran.cpp__.htm

FireEye recorded 261 separate attacks on its clients in 2012, 123 of which were on UAV or UAS (Unmanned Aerial Systems) vendors.

In total the C&C had reached 214 servers with 60 unique IP addresses, a large investment in time and effort.

6a00d835018afd53ef017c36806ac4970b-800wi

The attackers identified by FireEye used the same techniques and tools of the RSA attack, according to McAfee, one of the major tools used by these hackers was the use of obfuscated or encrypted HTML comments embedded in otherwise benign websites, in order to indirectly control compromised endpoints.

“Obfuscated/encrypted HTML comments has been also widely reported in the media as associated with the nation state group called “Comment Group” or “Comment Team,” which is believed to be associated with the Chinese government.“

Darien Kindlund, senior staff scientist at FireEye declared:

“We have enough evidence that points heavily in that direction” “We knew this was being done on behalf of a nation state,” “we believe the attack was largely successful.”

It ‘clear that to deal with the phenomenon of cyber espionage requires a structured approach, the threat has grown in complexity in recent years and in many cases the attackers were able to evade the main security mechanisms for long periods.

On the one hand therefore be thought of a new model of dynamic defense which however cannot be separated by a major level of awareness of users, in majority of cases the exposure is caused by wrong human behavior.

You must know the threat to mitigate it.

Pierluigi Paganini