Chinese APT group Winnti stole trade secrets in years-long undetected campaign


Security researchers have uncovered a cyberespionage campaign that has remained largely undetected since 2019 and focused on stealing trade secrets and other intellectual property from technology and manufacturing companies across the world. The campaign uses previously undocumented malware and is attributed to a Chinese state-sponsored APT group known as Winnti.

“With years to surreptitiously conduct reconnaissance and identify valuable data, it is estimated that the group managed to exfiltrate hundreds of gigabytes of information,” researchers from security firm Cybereason said in a new report. “The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data.”


New Sophisticated Malware


Mandiant is reporting on a new botnet.

The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims’ networks with unusual stealth. In cases where the group is ejected, it wastes no time reinfecting the victim environment and picking up where things left off. There are many keys to its stealth, including:

The use of a unique backdoor Mandiant calls Quietexit, which runs on load balancers, wireless access point controllers, and other types of IoT devices that don’t support antivirus or endpoint detection. This makes detection through traditional means difficult.
Customized versions of the backdoor that use file names and creation dates that are similar to legitimate files used on a specific infected device.
A live-off-the-land approach that favors common Windows programming interfaces and tools over custom code with the goal of leaving as light a footprint as possible.
An unusual way a second-stage backdoor connects to attacker-controlled infrastructure by, in essence, acting as a TLS-encrypted server that proxies data through the SOCKS protocol.

[…]

Unpacking this threat group is difficult. From outward appearances, their focus on corporate transactions suggests a financial interest. But UNC3524’s high-caliber tradecraft, proficiency with sophisticated IoT botnets, and ability to remain undetected for so long suggests something more.

From Mandiant:

Throughout their operations, the threat actor demonstrated sophisticated operational security that we see only a small number of threat actors demonstrate. The threat actor evaded detection by operating from devices in the victim environment’s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes. These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in. The threat actor’s use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools, further reducing the opportunity for detection. This allowed UNC3524 to remain undetected in victim environments for, in some cases, upwards of 18 months.
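The detection lesson in the report is that the actor sat on agentless devices whose outbound traffic was already expected, so host-based tooling never saw it and network monitoring had nothing unusual to key on unless it knew which peers each device should talk to. The script below is an added example, not code from Mandiant or from the post above: it hunts flow data for agentless devices (load balancers, wireless controllers and similar) that open TLS sessions to an external host outside their expected peer set, and notes when such a session is also long-lived or carries a large upload. The flow record format, the internal address ranges, the inventory, the thresholds and every sample line are constructed for illustration.

```python
"""Hunt for outbound TLS sessions from devices that cannot run an endpoint agent.

Added example, not from the Mandiant report or the post above. The flow record
format, the inventory and every sample line are constructed for illustration.
"""
import ipaddress
from datetime import datetime

# Assumed: the organisation's own address space. Anything outside it is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory of agentless devices (the blind spots), each with the
# external peers it is expected to contact (vendor update/licensing hosts).
UNMONITORED = {
    "10.0.5.10": {"role": "load-balancer", "expected_peers": {"203.0.113.7"}},
    "10.0.7.21": {"role": "wlan-controller", "expected_peers": {"198.51.100.20"}},
}

LONG_SESSION_S = 3600               # assumed threshold for "long-lived"
LARGE_UPLOAD_BYTES = 10 * 1024 * 1024   # assumed threshold for "large upload"

# Constructed flow export: start src dst dst_port duration_s bytes_out
SAMPLE_FLOWS = """\
2022-03-01T02:10:05 10.0.5.10 203.0.113.7    443 12   4096
2022-03-01T02:11:40 10.0.7.21 198.51.100.20  443 8    2048
2022-03-01T03:00:00 10.0.5.10 192.0.2.44     443 7200 52428800
2022-03-01T03:05:00 10.0.9.3  192.0.2.44     443 7300 1024
2022-03-01T04:20:00 10.0.7.21 10.0.1.5       443 1800 1048576
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, src, dst, port, dur, out = line.split()
        flows.append({
            "start": datetime.fromisoformat(start), "src": src, "dst": dst,
            "port": int(port), "duration": int(dur), "bytes_out": int(out),
        })
    return flows


def is_external(ip):
    """True when the address is outside the ranges we consider internal."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(flows, inventory=UNMONITORED):
    """Flag agentless devices talking TLS to an external host that is not in
    their expected peer set, and note what else makes the session stand out."""
    findings = []
    for f in flows:
        dev = inventory.get(f["src"])
        if dev is None or f["port"] != 443 or not is_external(f["dst"]):
            continue
        if f["dst"] in dev["expected_peers"]:
            continue  # normal vendor traffic: the noise an attacker blends into
        indicators = ["unexpected external peer"]
        if f["duration"] >= LONG_SESSION_S:
            indicators.append(f"long-lived session ({f['duration']}s)")
        if f["bytes_out"] >= LARGE_UPLOAD_BYTES:
            indicators.append(f"large upload ({f['bytes_out']} bytes)")
        findings.append({"src": f["src"], "role": dev["role"], "dst": f["dst"],
                         "start": f["start"].isoformat(), "indicators": indicators})
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

On the constructed data only the load balancer's seven-hour session to a host outside its expected peer set is flagged; the unmanaged workstation at 10.0.9.3 is ignored because it is not in the agentless inventory (it should be covered by an agent instead), and the controller's internal session is ignored because it never leaves the network. The weak point of this check is the expected-peer list: it has to be built from a traffic baseline per device and kept current, or real vendor hosts will generate noise that trains analysts to dismiss exactly the alert that matters.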


Pro-Ukrainian DoS attack compromises Docker Engine honeypots to target Russian, Belarusian websites


Researchers from cybersecurity vendor CrowdStrike have detected a denial-of-service (DoS) attack that compromised Docker Engine honeypots to target Russian and Belarusian websites amid the ongoing Russia-Ukraine war. According to the firm, the honeypots were compromised four times between February 27 and March 1, 2022, with two different Docker images whose target lists overlap with domains reportedly shared by the Ukrainian government-backed Ukraine IT Army.

CrowdStrike has therefore linked the attacks to pro-Ukrainian activity against Russia. It has also warned of the risk of retaliatory activity by threat actors supporting the Russian Federation against organizations whose infrastructure is being leveraged to conduct disruptive attacks against government, military, and civilian websites.


9 most important steps for SMBs to defend against ransomware attacks


What is the best way for a small- to medium-sized business (SMB) to protect itself from ransomware? Ransomware is impacting firms around the world. Mandiant has indicated that ransomware is on the rise and doesn’t appear to be slowing down one bit. These are the nine tasks that SMBs should focus on to mitigate risk from ransomware attacks.

1. Have a backup plan and tested recovery process

Some might argue that multi-factor authentication (MFA) is the best way to protect a firm, but I'd argue that having a tested backup and recovery process is better. Too often businesses overlook having a backup and a tested recovery process. Especially for firms with on-premises servers and domain controllers, have a process where someone, whether in the firm, a consultant or a managed service provider, performs a dry run of an actual recovery. When I've done a dry run, I often find that I need to perform some step that I've forgotten in a bare-metal restore. You may find that a Hyper-V host needs additional steps, or that you need to take ownership of the restoration image to bring a Hyper-V server or virtual machine back to full working condition. Ensure that you have a recovery script or manual in place so that the staff tasked with recovery know the steps. The documented steps will help lower the stress of the event.
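The dry run described above is easiest to keep doing when it is a script that someone runs on a schedule rather than a one-off exercise. The PowerShell below is an added example, not the article's own material: it drills a Hyper-V VM restore end to end by exporting a VM (or using an existing export folder as the backup set), importing it as an isolated copy with a new ID, disconnecting its network adapters so it cannot collide with production, booting it, waiting for the guest heartbeat, logging the outcome and cleaning up. It covers the VM-level restore only; the host-level bare-metal steps the article mentions are outside it. The staging path, timeout and log file name are assumptions, and the script assumes it runs as an administrator on the Hyper-V host.

```powershell
# Added example: a repeatable Hyper-V restore drill. Not from the article.
# Assumes: run elevated on the Hyper-V host; D:\RestoreDrill is a staging path.
param(
    [Parameter(Mandatory)][string]$VMName,
    [string]$ExportedBackup = '',             # existing export folder, if any
    [string]$BackupRoot = 'D:\RestoreDrill',  # assumed staging location
    [int]$HeartbeatTimeoutSec = 300
)
$ErrorActionPreference = 'Stop'
$drillName  = "$VMName-drill-$(Get-Date -Format yyyyMMddHHmm)"
$drillPath  = Join-Path $BackupRoot $drillName
New-Item -ItemType Directory -Path $drillPath | Out-Null

# 1. Obtain the backup set. If no export was supplied, export the VM now so the
#    drill still exercises import and boot. In production, restore from the real
#    backup product into $source instead of exporting.
if ($ExportedBackup) {
    $source = $ExportedBackup
} else {
    $source = Join-Path $drillPath 'export'
    Export-VM -Name $VMName -Path $source
}
$vmcx = Get-ChildItem -Path $source -Recurse -Filter *.vmcx | Select-Object -First 1
if (-not $vmcx) { throw "No .vmcx configuration found under $source" }

# 2. Import as a new, isolated copy so the production VM is untouched
$restored = Import-VM -Path $vmcx.FullName -Copy -GenerateNewId `
    -VirtualMachinePath (Join-Path $drillPath 'vm') `
    -VhdDestinationPath (Join-Path $drillPath 'vhd')
Rename-VM -VM $restored -NewName $drillName
# Keep the restored copy off the network: same hostname and IP as production
Get-VMNetworkAdapter -VM $restored | Disconnect-VMNetworkAdapter

# 3. Boot it and wait for the guest heartbeat, which proves the disk actually boots
Start-VM -VM $restored
$deadline = (Get-Date).AddSeconds($HeartbeatTimeoutSec)
do {
    Start-Sleep -Seconds 10
    $hb = (Get-VMIntegrationService -VM $restored -Name Heartbeat).PrimaryStatusDescription
} until ($hb -eq 'OK' -or (Get-Date) -gt $deadline)

# 4. Record the outcome, then remove the drill copy and its files
$result = [pscustomobject]@{
    VM = $VMName; Drill = $drillName; Booted = ($hb -eq 'OK'); When = Get-Date
}
$result | Export-Csv -Path (Join-Path $BackupRoot 'drill-log.csv') -Append -NoTypeInformation
Stop-VM -VM $restored -TurnOff -Force
Remove-VM -VM $restored -Force
Remove-Item -Path $drillPath -Recurse -Force
if (-not $result.Booted) { throw "Restore drill for $VMName did not reach a heartbeat" }
$result
```

The heartbeat check is the part worth keeping whatever tooling you use: a restore that completes without error but never boots is the failure a dry run exists to find, and the drill log gives the evidence that the process was actually exercised rather than assumed.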
