Cybereason today released new threat research revealing a multi-year cyber espionage operation run by Winnti, a Chinese advanced persistent threat (APT) group, that targets technology and manufacturing companies in the US, Europe and Asia to steal trade secrets and manufacturing secrets.
The research also details some of the key evasion techniques used by the attackers, such as abusing the Windows Common Log File System (CLFS) mechanism and manipulating NTFS transactions to hide malicious payloads and evade traditional security products.
While Winnti’s campaigns primarily target technology and manufacturing companies, the techniques used by the attackers pose a risk to all enterprises, which need to be aware of them so that the same methods cannot be used by other cyber gangs and APTs for intellectual property theft.
How Operation CuckooBees Works
As mentioned above, during Operation CuckooBees most of the targets were compromised by exploiting Windows CLFS.
“Cybereason investigators discovered the initial infection vector that was used to compromise Winnti targets, through a popular ERP solution using multiple vulnerabilities, some known and some unknown at the time of exploitation,” said Asaf Dahan, senior director and head of threat research at Cybereason.
“Threat actors abused the undocumented CLFS file format and the Windows CLFS logging framework to covertly store malicious payloads,” Dahan said.
In this case, the malicious payload was a previously unseen piece of malware known as Winnti malware, which included a digitally signed kernel-level rootkit and a multi-stage infection chain designed to evade detection, so that the attackers could gather information for use in future cyber attacks.
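The report only says that CLFS log files were used as a hiding place for payloads, so a defender's first question is how to spot that on an endpoint. The following Python script is an added example, not code from Cybereason's report or from the VentureBeat article: it walks a directory tree, picks out files named like CLFS base logs (`.blf`) and their numbered container files, and flags any that carry an embedded PE header or that are unusually high-entropy for a log. The file-name pattern, the entropy threshold and the three sample files it builds are assumptions constructed for the demo and should be tuned against real baselines before use.

```python
"""Heuristic triage of CLFS-looking files for hidden payloads (added example)."""
import math
import os
import random
import re
import tempfile
from pathlib import Path

# Assumed naming convention for CLFS base logs and their containers; this is
# an assumption for the example, not taken from the Cybereason report.
CLFS_NAME = re.compile(r"\.blf$|Container\d{12,}$", re.IGNORECASE)
# Constructed threshold: plain-text or mostly-zero logs sit far below this,
# compressed or encrypted blobs approach 8 bits/byte.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the whole buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_embedded_pe(data: bytes) -> list:
    """Offsets of 'MZ' stubs whose e_lfanew points at a 'PE\\0\\0' signature."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
        pe = off + e_lfanew
        if 0x40 <= e_lfanew <= 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def assess_file(path) -> dict:
    """Score one file: embedded executable and/or high entropy make it suspicious."""
    data = Path(path).read_bytes()
    pe_offsets = find_embedded_pe(data)
    entropy = shannon_entropy(data)
    reasons = []
    if pe_offsets:
        reasons.append(f"embedded PE header at offset(s) {pe_offsets}")
    if entropy > ENTROPY_THRESHOLD:
        reasons.append(f"high entropy ({entropy:.2f} bits/byte)")
    return {"path": str(path), "entropy": entropy, "pe_offsets": pe_offsets,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_tree(root) -> dict:
    """Assess every CLFS-looking file under root, keyed by file name."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if CLFS_NAME.search(name):
                results[name] = assess_file(os.path.join(dirpath, name))
    return results


def build_sample_tree(root) -> None:
    """Constructed sample data: a benign log, a log with a PE stub, a random blob."""
    root = Path(root)
    (root / "app.blf").write_bytes(b"CLFS log text\n" * 300)
    stub = bytearray(0x200)                      # minimal MZ/PE header skeleton
    stub[0:2] = b"MZ"
    stub[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> 0x80
    stub[0x80:0x84] = b"PE\x00\x00"
    (root / "appContainer000000000000001").write_bytes(
        b"CLFS log text\n" * 10 + bytes(stub) + b"\n")
    rng = random.Random(1)                       # deterministic "encrypted" blob
    (root / "appContainer000000000000002").write_bytes(
        bytes(rng.getrandbits(8) for _ in range(4096)))
    (root / "unrelated.txt").write_bytes(b"not a CLFS file, must be ignored")


def demo() -> dict:
    """Build the sample tree in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for name, r in demo().items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10s} {name}: {'; '.join(r['reasons']) or 'nothing notable'}")
```

The two checks are deliberately independent: an embedded PE is a strong signal on its own, while entropy alone only narrows the set of files worth pulling into a sandbox or a forensic review, since legitimate logs can hold compressed records.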
The reality of APT threats
APT threats have become a concern for enterprises as more nation-states attempt to steal trade secrets and confidential information.
According to the FBI, there have been more than 1,000 cases of IP theft related to China’s espionage efforts targeting every sector since 2018.
Most recently, earlier this year, CISA, the FBI, the US Cyber Command Cyber National Mission Force (CNMF), the UK’s National Cyber Security Centre (NCSC-UK) and the National Security Agency issued a joint statement on the activity of the Iranian government-sponsored APT MuddyWater.
As these intelligence-gathering attacks become more common, organizations need to be prepared if they want to keep these sophisticated threat actors at bay.
Cybereason recommends that organizations seeking protection against these threats adhere to MITRE and other best-practice frameworks to ensure that they have the capability to gain visibility, investigate and remediate. It is also important to have the ability to protect Internet-facing assets and detect scanning activity and exploitation attempts.
“Organizations that hunt for threats in their environment around the clock have a greater chance of tightening their security controls and increasing their overall security posture,” Dahan said.
Any unpatched systems or unsecured accounts will be used to gain access to the enterprise environment, which means organizations need an active patch management strategy along with threat detection technologies such as XDR.