company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

China

APT

loading..
loading..
loading..

Russian defense targeted by Chinese APT espionage operation baiting war

Twisted Panda, a sophisticatedly emerged Chinese APT espionage operation against Russian state-owned defense institutes baiting the Russo-Ukrainian war…

23-May-2022
3 min read

Related Articles

loading..

Data Security

Signzy

Signzy, an online ID verification company, has confirmed a cybersecurity inciden...

Signzy, a vendor providing verification services, confirmed a security incident that has impacted its global clientele, including major banks and fintech companies. The startup, which onboarded over 10 million customers monthly, faced a cyberattack, raising concerns about data safety. Signzy confirmed the incident without providing details on its nature or scope, citing an ongoing investigation and security reasons. This news comes amid rising concerns over cybersecurity for financial institutions, given that Signzy works with over 600 financial entities, including India's largest banks. ## **Details of the Security Incident** Multiple sources, including two major Signzy clients—PayU and ICICI Bank—informed [TechCrunch](https://techcrunch.com/2024/12/02/indian-online-id-verification-firm-signzy-confirms-security-incident/) that Signzy fell victim to a cyberattack last week. The incident involved sensitive customer data, including personal identification details and financial records, potentially being exposed, as seen in a cybercrime forum post. India’s Computer Emergency Response Team (CERT-In) acknowledged awareness of the incident and mentioned it was actively managing the situation by monitoring affected systems, providing guidance, and coordinating with other agencies. PayU, one of Signzy’s clients, clarified that it suffered no impact from the attack, likely due to its independent security measures and lack of direct data integration with Signzy's affected systems. _"There is no impact on PayU customers or their data due to Signzy's [information](https://www.upguard.com/security-report/signzy) stealer malware,"_ stated Dimple Mehta, a PayU spokesperson. Similarly, ICICI Bank confirmed that their customer data remained unaffected. ## **Uncertain Impact on Customers** Concerns linger as to the full impact on Signzy’s other customers, which include top financial institutions such as SBI, Mswipe, and Aditya Birla Financial Services, potentially facing data theft or service disruptions. The firm has engaged a professional cybersecurity agency to investigate the breach, but has yet to disclose whether any customer data had been compromised. Debdoot Majumder, a spokesperson for Signzy, stated that the startup had informed its clients, regulators, and stakeholders of the measures being taken and provided a timeline of the investigation. However, when asked if the company had engaged with the Reserve Bank of India (RBI), Signzy confirmed no such communication had taken place. The RBI did not respond to requests for comment. ## **Rising Concerns Over Data Security** The incident highlights the increasing threat that cyberattacks pose to financial infrastructure, with cybercrime-related financial losses reaching $4.2 billion globally in 2023, according to industry reports. With over 600 clients, Signzy is a major player in the identity verification ecosystem, providing services across multiple industries. The potential exposure raises significant concerns, especially given the critical nature of ID verification for preventing fraud and financial crimes. Experts warn that financial institutions must enhance cybersecurity as they increasingly rely on digital onboarding, such as implementing multi-factor authentication, conducting regular security audits, and training employees on phishing prevention. The involvement of information-stealer malware suggests a targeted attack, making it imperative for other stakeholders in the financial sector to assess their security postures by updating software, conducting vulnerability tests, and ensuring timely patch management. ## **Signzy's Action Plan** Signzy has stated that it is cooperating with authorities and has retained cybersecurity professionals to address the incident, including conducting forensic analysis, securing affected systems, and implementing additional safeguards to prevent future breaches. Backed by investors such as Mastercard, Vertex Ventures, Kalaari Capital, and Gaja Capital, the company is under pressure to ensure that its internal security framework is resilient enough to protect its users. As part of the ongoing investigation, Signzy's leadership is expected to provide more details regarding how the incident occurred, what data might have been affected, and steps to prevent similar breaches. Investors and clients will be watching closely for updates, particularly given the growth in reliance on digital identity solutions.

loading..   03-Dec-2024
loading..   4 min read
loading..

Salt Typhoon

T-Mobile halts a Chinese state-sponsored cyberattack by Salt Typhoon, safeguardi...

T-Mobile recently disclosed a security breach involving the Chinese state-sponsored hacking group referred to as "Salt Typhoon", also tracked as Earth Estries, FamousSparrow, Ghost Emperor, and UNC2286. While the hackers exploited vulnerabilities in the company's network routers, T-Mobile's defensive measures reportedly mitigated further damage, securing sensitive customer information. ### Key Incident Details - 1. Initial Compromise: Salt Typhoon accessed T-Mobile's network via routers, likely as part of lateral movement efforts to explore network vulnerabilities. The attack originated from a compromised wireline provider's network, underscoring the risks posed by interconnected systems. - 2. Detection and Response: The breach was identified when T-Mobile engineers observed unusual reconnaissance commands on routers, correlating with known Salt Typhoon tactics and indicators of compromise. Proactive monitoring and network segmentation enabled T-Mobile to block the threat actors before sensitive data was compromised or services disrupted. - 3. Extent of Damage: T-Mobile has confirmed that no customer data, including calls, messages, or voicemails, were accessed or stolen. Connectivity with the compromised provider's network was severed, effectively containing the attack. - 4. Collaboration and Transparency: T-Mobile shared findings with federal authorities and industry partners, emphasizing a collaborative approach to tackling cyber threats. ### Broader Implications of Salt Typhoon Activities This breach is part of a larger wave of telecom attacks attributed to Salt Typhoon, targeting critical infrastructure in Southeast Asia, the United States, and Canada: #### Targeted Entities: Telecom providers, including AT&T, Verizon, and Lumen Technologies, alongside government agencies and political institutions. Attacks extended to private communications, law enforcement data, and wiretapping platforms, reflecting a focus on espionage and intelligence collection. #### Duration and Impact: In some cases, breaches persisted for months or longer, allowing hackers to exfiltrate extensive internet traffic and sensitive data. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI confirmed that attackers accessed sensitive communications involving government officials. #### Geopolitical Context: Canada's disclosure of network scans linked to Chinese threat actors highlights the global scale of such campaigns, which align with China's broader cyber-espionage strategy. ### Additional Insights: Connections with Volt Typhoon Though not directly linked to Salt Typhoon, the Chinese Volt Typhoon group recently executed attacks on ISPs and Managed Service Providers (MSPs) in the U.S. and India. These breaches leveraged stolen credentials and zero-day exploits, mirroring the persistence and sophistication seen in the Salt Typhoon campaign. ### Takeaways and Recommendations - 1. Strengthen Interconnection Security: Telecom companies must enforce stricter security protocols when interfacing with third-party networks. The breach's origin in a compromised provider highlights the need for secure collaboration. - 2. Proactive Monitoring and Threat Intelligence: Continuous network monitoring and real-time threat intelligence sharing, as demonstrated by T-Mobile, are critical in mitigating advanced persistent threats. - 3. Zero-Trust Architecture: Implementing a zero-trust framework can limit attackers' ability to navigate laterally within networks after initial compromise. - 4. Vulnerability Management: Regular audits and timely patching of known vulnerabilities, such as zero-day exploits seen in Versa Director attacks, are essential. ### Final Note T-Mobile's response demonstrates the effectiveness of early detection and strong cyber defenses in preventing catastrophic breaches. However, the broader implications of the Salt Typhoon campaign reveal persistent vulnerabilities in the telecommunications sector, warranting enhanced international cooperation and cybersecurity measures.

loading..   30-Nov-2024
loading..   3 min read
loading..

GhostSpider

Espionage

Earth Estries hackers exploit GhostSpider malware to backdoor telecoms globally,...

Earth Estries, a Chinese advanced persistent threat (APT) group, has aggressively targeted critical sectors worldwide. These include telecommunications and government entities across the United States, Asia-Pacific, the Middle East, and South Africa. Utilizing sophisticated techniques and backdoors such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, Earth Estries has carried out prolonged cyber espionage operations, compromising more than 20 organizations. Key new developments uncovered by Trend Micro include the identification of the new GHOSTSPIDER backdoor, the use of MASOL RAT on Linux devices, and the discovery of complex C&C infrastructure managed by multiple teams. These findings provide valuable insights into Earth Estries' evolving tactics and motivations. The group exploits server vulnerabilities to gain initial access and uses living-off-the-land binaries (LOLBINs) for lateral movement within networks. The attacks affect sectors like telecommunications, technology, government agencies, and NGOs across regions including Southeast Asia, Africa, and the Americas. Their complex command-and-control (C&C) infrastructure and overlapping tactics, techniques, and procedures (TTPs) with other known APT groups indicate the possible use of malware-as-a-service (MaaS) tools. ## Introduction to Earth Estries Since 2023, Earth Estries (also known as Salt Typhoon, FamousSparrow, GhostEmperor, and UNC2286) has emerged as one of the most aggressive Chinese APT groups.  Their operations primarily target critical industries such as telecommunications and government sectors across various regions including the US, Asia-Pacific, the Middle East, and South Africa. ## New Backdoors: GHOSTSPIDER and MASOL RAT The Chinese state-sponsored hacking group Salt Typhoon (also known as Earth Estries, GhostEmperor, UNC2286) has been observed utilizing a new backdoor called **GHOSTSPIDER** in attacks against telecommunication service providers. The backdoor was discovered by Trend Micro, which has been monitoring Salt Typhoon's attacks against critical infrastructure and government organizations worldwide. Along with **GHOSTSPIDER**, we identified a modular backdoor called **SNAPPYBEE** (aka Deed RAT), which is shared among Chinese APT groups. Another significant discovery is the cross-platform **MASOL RAT**, initially found during Southeast Asian government incidents in 2020. Recent attacks show that Earth Estries has started deploying MASOL RAT on Linux devices, significantly expanding their reach into government networks that predominantly use Linux systems for critical infrastructure. This move represents an escalation in their tactics, targeting previously unaffected platforms and enhancing their ability to maintain persistence across diverse environments. ## Motivation Behind Attacks Earth Estries appears to target governments, internet service providers, and consulting firms to gather intelligence more efficiently, thus enabling them to infiltrate their primary targets more effectively.  Recently, U.S. authorities confirmed that the Salt Typhoon was behind several breaches of telecommunication service providers in the U.S., including Verizon, AT&T, Lumen Technologies, and T-Mobile. In some cases, they managed to tap into the private communications of U.S. government officials and stole information related to court-authorized wiretapping requests. Notably, they target both the core services (like database and cloud servers) of telecommunications firms and the networks of their vendors. A notable tactic is the deployment of a **DEMODEX rootkit** on vendor machines. This rootkit has been utilized to facilitate deeper access into target networks. ## Victimology and Attack Spread Earth Estries has successfully compromised more than 20 organizations in industries such as telecommunications, technology, consulting, chemicals, and transportation, as well as government agencies and NGOs. The victims are spread across multiple countries, including Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the US, and Vietnam. These countries and industries are being targeted due to their strategic importance in regional stability, economic influence, and technological development. By compromising government and telecommunications sectors, Earth Estries can gather valuable intelligence, disrupt communication channels, and maintain persistent surveillance over critical infrastructure. Additionally, targeting consulting firms and NGOs that work closely with government entities allows them to indirectly access sensitive data and enhance their understanding of political dynamics. ## Initial Access and Exploitation Techniques Earth Estries aggressively targets public-facing servers by exploiting well-known vulnerabilities. Some of the vulnerabilities exploited by the group include: - **Ivanti Connect Secure VPN (CVE-2023-46805, CVE-2024-21887):** Exploited for arbitrary command execution. - **Fortinet FortiClient EMS (CVE-2023-48788):** SQL injection vulnerability. - **Sophos Firewall (CVE-2022-3236):** Code injection allowing remote code execution. - **Microsoft Exchange (ProxyLogon CVE-2021 series):** Remote code execution vulnerabilities. After gaining access, attackers utilize LOLBINs such as **WMIC.exe** and **PSEXEC.exe** for lateral movement. Malware like **SNAPPYBEE**, **DEMODEX**, and **GHOSTSPIDER** is then deployed for long-term espionage. ## Campaign Details and Infrastructure Analysis ### Campaign Alpha and Beta Earth Estries appears to be a well-organized group with a clear division of labor, launching attacks across various regions and industries. Two key campaigns highlighted in Trend Micro's report are **Campaign Alpha** and **Campaign Beta**. **Campaign Alpha** involved attacks on the Taiwanese government and chemical companies, primarily aiming to steal sensitive information related to government operations and industrial processes. The attackers downloaded malicious tools from their C&C server and deployed rootkits such as DEMODEX to maintain persistence and gather intelligence. **Campaign Beta** was a long-term espionage campaign targeting telecommunications companies and government entities across Southeast Asia. The goal was to disrupt communication channels and maintain long-term surveillance over critical infrastructure. This campaign utilized backdoors like **GHOSTSPIDER** and the **DEMODEX** rootkit for extended monitoring. These campaigns suggest that Earth Estries uses distinct infrastructure teams for different attacks, highlighting the complexity of their operations. ### GHOSTSPIDER Analysis **GHOSTSPIDER** is a sophisticated, multi-modular backdoor designed for long-term espionage operations requiring high levels of stealth, achieved through encryption and residing solely in memory. It is loaded on the target system using DLL hijacking and registered as a service via the legitimate **regsvr32.exe** tool, while a secondary module, the beacon loader, loads encrypted payloads directly in memory. GHOSTSPIDER communicates with its C&C server using a custom protocol protected by **Transport Layer Security (TLS)**, which makes it challenging to intercept and analyze. The backdoor executes commands received from the command and control (C2) server, concealed within HTTP headers or cookies to blend with legitimate traffic. The backdoor supports various commands, such as uploading malicious modules into memory, creating necessary resources, executing primary functions, and maintaining periodic communication with the C&C server. This modular design gives GHOSTSPIDER significant versatility and adaptability, allowing Salt Typhoon to adjust their attack as needed depending on the victim's network and defenses. ## Command-and-Control (C&C) Infrastructure The C&C infrastructure managed by Earth Estries involves multiple teams, each responsible for different backdoors. For example, **SNAPPYBEE** C&C domains have WHOIS information that overlaps with other known operations, suggesting shared tools or collaboration between different APT groups. This approach helps the group maintain a decentralized and flexible attack framework, making it harder for defenders to identify and counter their operations. ## Attribution and Overlapping TTPs Some TTPs used by Earth Estries overlap with those employed by **FamousSparrow** and **GhostEmperor**.  The use of shared tools, such as **ShadowPad** and **MASOL RAT**, suggests that Earth Estries may source its tools from malware-as-a-service providers. This highlights the likelihood of collaboration or shared resources between Chinese APT groups. ## Post-Exploitation Activities During post-exploitation, Earth Estries uses LOLBINs and customized malware for further infiltration and to maintain persistence. This includes executing PowerShell commands to deploy rootkits like **DEMODEX** and spreading through targeted environments, often using **SoftEther VPN** to mask their C&C activities. ## What's Next Earth Estries, also known as Salt Typhoon, continues to be one of the most aggressive Chinese APT groups, leveraging sophisticated tactics to compromise critical infrastructure. Their attacks are characterized by stealth, the use of living-off-the-land tools, and the deployment of shared backdoors, making them challenging to detect and counter. U.S. authorities have recently notified numerous victims of breaches involving Salt Typhoon, emphasizing the need for vigilance. Organizations must strengthen their cybersecurity, focusing on practices such as multi-layered security, regular patching, and enhanced network visibility. Employing tools like **Trend Micro Vision One™** can help organizations effectively monitor and mitigate these advanced threats.

loading..   29-Nov-2024
loading..   7 min read