"Chinese Cyberspies Targeting US State Legislature"

Security researchers at Symantec have warned that a China-linked cyberespionage group was recently observed targeting a state legislature in the United States.  Active since at least 2010, the group is tracked as APT27, Bronze Union, Budworm, Emissary Panda, Iron Tiger, Lucky Mouse, and TG-3390 (Threat Group 3390), and has targeted entities worldwide, with a focus on the Middle East and Asia.

In a new report detailing APT27's recent activities, the researchers noted that the attack on the US state legislature is the first time in several years that they have seen the group target a US entity.  Over the past six months, the researchers also observed the threat actor targeting a Middle Eastern government, a hospital in South East Asia, and a multinational electronics manufacturer.

As part of these attacks, APT27 exploited the Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45105 in the Apache Tomcat service to deploy web shells, and used virtual private servers (VPS) as command and control (C&C) servers.

The researchers noted that the group continues to rely on the HyperBro malware as its main backdoor, which is often executed using DLL side-loading; in some cases a custom HyperBro loader has been used.  In recent attacks, the cyberspies abused the endpoint privilege management application CyberArk Viewfinity to side-load the malicious payload.  The technique works as follows: the attackers place a malicious DLL in a directory where the legitimate application expects to find a legitimate DLL of that name, then run the legitimate application (which they have installed themselves), and the application loads and executes the attacker's DLL in place of the real one.  Because the payload runs inside a legitimate, signed process, it is less likely to be flagged by security software than a stand-alone malicious executable.
Other malware and tools that APT27 has been using include the PlugX/Korplug trojan, Cobalt Strike Beacon (a penetration testing tool with shellcode loading capabilities), LaZagne (credential dumping), IOX (proxy and port forwarding), Fast Reverse Proxy (FRP), and Fscan (intranet scanning).  The researchers stated that the HyperBro malware, a backdoor used exclusively by APT27, was recently mentioned by the NSA, FBI, and CISA in an alert describing the TTPs used by APTs in attacks targeting a US defense industrial base organization.

SecurityWeek reports: "Chinese Cyberspies Targeting US State Legislature"
