Chinese Hackers | Breaking Cybersecurity News | The Hacker News

A stealthy China-based group managed to establish a persistent foothold into critical infrastructure organizations in the U.S. and Guam without being detected,  Microsoft  and  the "Five Eyes" nations  said on Wednesday. The tech giant's threat intelligence team is tracking the activity, which includes post-compromise credential access and network system discovery, under the name  Volt Typhoon . The state-sponsored actor is  geared  towards espionage and information gathering, with the cluster active since June 2021 and obscuring its intrusion footprint by taking advantage of tools already installed or built into infected machines. Some of the prominent sectors targeted include communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education. The company further assessed with moderate confidence that the campaign is "pursuing development of capabilities that could disrupt critical communications i

The  rising   geopolitical tensions  between China and Taiwan in recent months have sparked a noticeable uptick in cyber attacks on the East Asian island country. "From malicious emails and URLs to malware, the strain between China's claim of Taiwan as part of its territory and Taiwan's maintained independence has evolved into a worrying surge in attacks," the Trellix Advanced Research Center  said  in a new report. The attacks, which have targeted a variety of sectors in the region, are mainly designed to deliver malware and steal sensitive information, the cybersecurity firm said, adding it detected a four-fold jump in the volume of malicious emails between April 7 and April 10, 2023. Some of the most impacted industry verticals during the four-day time period were networking, manufacturing, and logistics. What's more, the spike in malicious emails targeting Taiwan was followed by a 15x increase in PlugX detections between April 10 and April 12, 2023, indi

Wing Security finds and ranks all SaaS applications completely for free, removing unnecessary risk.

A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity. Trend Micro  attributed  the intrusion set to a cyber espionage group it tracks under the name  Earth Longzhi , which is a subgroup within  APT41  (aka HOODOO or Winnti) and shares overlaps with various other clusters known as Earth Baku, SparklingGoblin, and GroupCC. Earth Longzhi was  first documented  by the cybersecurity firm in November 2022, detailing its attacks against various organizations located in East and Southeast Asia as well as Ukraine. Attack chains mounted by the threat actor leverage vulnerable public-facing applications as entry points to deploy the  BEHINDER web shell , and then leverage that access to drop additional payloads, including a new variant of a Cobalt Strike loader called CroxLoader. "This recent campa

The Chinese nation-state group dubbed  Alloy Taurus  is using a Linux variant of a backdoor called PingPull as well as a new undocumented tool codenamed Sword2033. That's according to findings from Palo Alto Networks Unit 42, which  discovered  recent malicious cyber activity carried out by the group targeting South Africa and Nepal. Alloy Taurus is the constellation-themed moniker assigned to a threat actor that's known for its attacks targeting telecom companies since at least 2012. It's also tracked by Microsoft as Granite Typhoon (previously Gallium). Last month, the adversary was attributed to a campaign called  Tainted Love  targeting telecommunication providers in the Middle East as part of a broader operation referred to as Soft Cell. Recent cyber espionage attacks mounted by Alloy Taurus have also broadened their victimology footprint to include financial institutions and government entities. PingPull,  first documented  by Unit 42 in June 2022, is a remote

The advanced persistent threat (APT) group referred to as  Evasive Panda  has been observed targeting an international non-governmental organization (NGO) in Mainland China with malware delivered via update channels of legitimate applications like Tencent QQ. The attack chains are designed to distribute a Windows installer for MgBot malware, ESET security researcher Facundo Muñoz said in a new report published today. The activity commenced in November 2020 and continued throughout 2021. Evasive Panda, also known as Bronze Highland and Daggerfly, is a Chinese-speaking APT group that has been attributed to a series of  cyber espionage attacks  targeting various entities in China, Hong Kong, and other countries located in East and South Asia since at least late December 2012. The group's hallmark is the use of the custom MgBot modular malware framework, which is capable of receiving additional components on the fly to expand on its intelligence-gathering capabilities. Some of th

A Chinese nation-state group targeted an unnamed Taiwanese media organization to deliver an open source red teaming tool known as Google Command and Control ( GC2 ) amid broader abuse of Google's infrastructure for malicious ends. The tech giant's Threat Analysis Group (TAG) attributed the campaign to a threat actor it tracks under the  geological  and  geographical-themed  moniker  HOODOO , which is also known by the names  APT41 , Barium, Bronze Atlas, Wicked Panda, and  Winnti . The starting point of the attack is a phishing email that contains links to a password-protected file hosted on Google Drive, which, in turn, incorporates the Go-based GC2 tool to read commands from Google Sheets and exfiltrate data using the cloud storage service. "After installation on the victim machine, the malware queries Google Sheets to obtain attacker commands," Google's cloud division  said  in its sixth Threat Horizons Report. "In addition to exfiltration via Drive,

A Chinese state-sponsored threat activity group tracked as  RedGolf  has been  attributed  to the use of a custom Windows and Linux backdoor called KEYPLUG. "RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally," Recorded Future told The Hacker News. "The group has shown the ability to rapidly weaponize  newly reported vulnerabilities (e.g. Log4Shell and  ProxyLogon ) and has a history of developing and using a large range of custom malware families." The use of KEYPLUG by Chinese threat actors was  first disclosed  by Google-owned Manidant in March 2022 in attacks targeting multiple U.S. state government networks between May 2021 and February 2022. Then in October 2022, Malwarebytes  detailed  a separate set of attacks targeting government entities in Sri Lanka in early August that leveraged a novel implant dubbed DBoxAgent to deploy KEYPLUG. Bot

An unknown Chinese state-sponsored hacking group has been linked to a novel piece of malware aimed at Linux servers. French cybersecurity firm ExaTrack, which found three samples of the previously documented malicious software that date back to early 2022, dubbed it  Mélofée . The newest of the three artifacts is designed to drop a kernel-mode rootkit that's based on an open source project referred to as  Reptile . "According to the vermagic metadata, it is compiled for a kernel version 5.10.112-108.499.amzn2.x86_64," the company  said  in a report. "The rootkit has a limited set of features, mainly installing a hook designed for hiding itself." Both the implant and the rootkit are said to be deployed using shell commands that download an installer and a custom binary package from a remote server. The installer takes the binary package as an argument and then extracts the rootkit as well as a server implant module that's currently under active develop

A recent campaign undertaken by  Earth Preta  indicates that nation-state groups aligned with China are getting increasingly proficient at bypassing security solutions. The  threat actor , active since at least 2012, is tracked by the broader cybersecurity community under Bronze President, HoneyMyte, Mustang Panda, RedDelta, and Red Lich. Attack chains mounted by the group commence with a spear-phishing email to deploy a wide range of tools for backdoor access, command-and-control (C2), and data exfiltration. These messages come bearing with malicious lure archives distributed via Dropbox or Google Drive links that employ DLL side-loading, LNK shortcut files, and fake file extensions as arrival vectors to obtain a foothold and drop backdoors like  TONEINS, TONESHELL, PUBLOAD , and  MQsTTang  (aka QMAGENT). Similar infection chains utilizing Google Drive links have been observed  delivering Cobalt Strike  as early as April 2021. "Earth Preta tends to hide malicious payloads

The zero-day exploitation of a now-patched medium-severity security flaw in the Fortinet  FortiOS  operating system has been linked to a suspected Chinese hacking group. American cybersecurity company Mandiant, which made the attribution, said the activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments. The Google-owned threat intelligence and incident response firm is tracking the malicious operation under its uncategorized moniker UNC3886 , describing it as a China-nexus threat actor. "UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns," Mandiant researchers  said  in a technical analysis. "UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-da

High-profile government entities in Southeast Asia are the target of a cyber espionage campaign undertaken by a Chinese threat actor known as Sharp Panda since late last year. The intrusions are characterized by the use of a new version of the Soul modular framework, marking a departure from the group's attack chains observed in 2021. Israeli cybersecurity company Check Point  said  the "long-running" activities have historically singled out countries such as Vietnam, Thailand, and Indonesia. Sharp Panda was  first documented  by the firm in June 2021, describing it as a "highly-organized operation that placed significant effort into remaining under the radar." The use of the Soul backdoor in real-world attacks was first  detailed  by Broadcom's Symantec in October 2021 in connection to an unattributed espionage operation targeting defense, healthcare, and ICT sectors in Southeast Asia. The implant's origins, according to  research  published by Fo

The China-aligned Mustang Panda actor has been observed using a hitherto unseen custom backdoor called  MQsTTang  as part of an ongoing social engineering campaign that commenced in January 2023. "Unlike most of the group's malware, MQsTTang doesn't seem to be based on existing families or publicly available projects," ESET researcher Alexandre Côté Cyr  said  in a new report. Attack chains orchestrated by the group have stepped up targeting of European entities in the wake of  Russia's full-scale invasion of Ukraine  last year. The victimology of the current activity is unclear, but the Slovak cybersecurity company said the decoy filenames are in line with the group's previous campaigns that target European political organizations. That said, ESET also observed attacks against unknown entities in Bulgaria and Australia, as well as a governmental institution in Taiwan, indicating a broader focus on Europe and Asia. Mustang Panda has a  history  of using

The threat actor known as  BackdoorDiplomacy  has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022. Palo Alto Networks Unit 42, which is tracking the activity under its  constellation-themed  moniker  Playful Taurus , said it observed the government domains attempting to connect to malware infrastructure previously identified as associated with the adversary. Also known by the names APT15, KeChang, NICKEL, and Vixen Panda, the Chinese APT group has a history of cyber espionage campaigns aimed at government and diplomatic entities across North America, South America, Africa, and the Middle East at least since 2010. Slovak cybersecurity firm ESET, in June 2021,  unpacked  the intrusions mounted by the hacking crew against diplomatic entities and telecommunication companies in Africa and the Middle East using a custom implant known as Turian. Then in December 2021, Microsoft  announced  the seizure of 42 domains operated

Chinese international students in the U.K. have been targeted by persistent Chinese-speaking scammers for over a year as part of an activity dubbed  RedZei  (aka RedThief). "The RedZei fraudsters have chosen their targets carefully, researched them and realized it was a rich victim group that is ripe for exploitation," cybersecurity researcher Will Thomas (@BushidoToken)  said  in a write-up published last week. The most notable aspect about the operation is the steps taken by the threat actors to bypass steps taken by users to prevent scam calls, using a new pay-as-you-go U.K. phone number for each wave so as to render phone number-based blocking ineffective. Thomas, pointing out the meticulous tradecraft employed by the scammers, said the threat actor alternates between SIMs from several mobile carriers such as Three, O2, EE, Tesco Mobile, and Telia. Indications are that the lucrative RedZei campaign may have started as far back as August 2019, with a report from The

A malicious campaign targeting the Middle East is likely linked to  BackdoorDiplomacy , an advanced persistent threat (APT) group with ties to China. The espionage activity, directed against a telecom company in the region, is said to have commenced on August 19, 2021 through the successful exploitation of  ProxyShell flaws  in the Microsoft Exchange Server. Initial compromise leveraged binaries vulnerable to side-loading techniques, followed by using a mix of legitimate and bespoke tools to conduct reconnaissance, harvest data, move laterally across the environment, and evade detection. "File attributes of the malicious tools showed that the first tools deployed by the threat actors were the NPS proxy tool and IRAFAU backdoor," Bitdefender researchers Victor Vrabie and Adrian Schipor said in a report shared with The Hacker News. "Starting in February 2022, the threat actors used another tool – [the] Quarian backdoor, along with many other scanners and proxy/tunnel

A threat actor with a suspected China nexus has been linked to a set of espionage attacks in the Philippines that primarily relies on USB devices as an initial infection vector. Mandiant, which is part of Google Cloud, is tracking the cluster under its uncategorized moniker  UNC4191 . An analysis of the artifacts used in the intrusions indicates that the campaign dates as far back as September 2021. "UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and APJ," researchers Ryan Tomcik, John Wolfram, Tommy Dacanay, and Geoff Ackerman  said . "However, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines." The reliance on infected USB drives to propagate the malware is unusual if  not new . The  Raspberry Robin  worm, which has  evolved  into an initial access ser

The U.S. Federal Communications Commission (FCC) formally announced it will no longer authorize electronic equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua, deeming them an "unacceptable" national security threat. All these Chinese telecom and video surveillance companies were previously included in the  Covered List  as of March 12, 2021. "The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here," FCC Chairwoman Jessica Rosenworcel  said  in a Friday order. "These new rules are an important part of our ongoing actions to protect the American people from national security threats involving telecommunications." Pursuant to the ban, Hytera, Hikvision, and Dahua are required to document the safeguards the firms are putting in place on the sale of their devices for government use and surveillance of critical i

A notorious advanced persistent threat actor known as  Mustang Panda  has been linked to a spate of spear-phishing attacks targeting government, education, and research sectors across the world. The primary targets of the intrusions from May to October 2022 included counties in the Asia Pacific region such as Myanmar, Australia, the Philippines, Japan, and Taiwan, cybersecurity firm Trend Micro  said  in a Friday report.  Mustang Panda, also called Bronze President, Earth Preta, HoneyMyte, and Red Lich, is a China-based espionage actor believed to be active since at least July 2018. The group is known for its use of malware such as China Chopper and PlugX to collect data from compromised environments. Activities of the group chronicled by  ESET ,  Google, Proofpoint ,  Cisco Talos , and  Secureworks  this year have revealed the threat actor's pattern of using PlugX (and its variant called Hodur) to infect a wide range of entities in Asia, Europe, the Middle East, and the Ameri