![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigMOJ2zqeU_8qv-e5X3aefijCv7czLi1hBsrIm3J2KvhXi5aVIaMju6cEmX1nLQ0nYjEkIPRvBxdektXYSAxR43WuUT9y0S1ClJ24D4HTV-eJAnu9C3FqEc7grJ0zytIAcgUoWLI_N6YI07x7rFFa13-hGSukCblrz-jXs1N0w8neqnR6po-eTzDHHgXdJ/s728-rw-e365/ransomware.png)
The November 2024 RA World ransomware attack against an unnamed Asian software and services company involved a toolset previously used by China-linked espionage actors.
"During the attacks in late 2024, the attackers deployed a distinct toolset that had previously been used by actors linked to China in classic espionage attacks," Symantec's Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.
"In all previous intrusions involving the toolset, the attackers appeared to be engaged in classic espionage: by installing backdoors, they would maintain a persistent presence in the target organization, which seemed to be their only interest."
This includes the compromise of the Ministry of Foreign Affairs of a country in southeastern Europe in July 2024, which involved the use of the classic DLL side-loading technique to deploy PlugX (aka Korplug), malware repeatedly used by actors associated with Mustang Panda (aka Fireant and RedDelta).
Specifically, the attack chain involved the use of a legitimate Toshiba executable named "toshdpdb.exe".
Other intrusions involving the same toolset have been observed in attacks targeting two different government agencies in southeastern Europe and Southeast Asia in August 2024, carriers in September 2024, and a government ministry in another Southeast Asian country in January 2025.
However, Symantec noted that it observed the PlugX variant being deployed in November 2024 as part of an extortion campaign against a medium-sized software and services company in South Asia.
The attacker claimed to have gained access by exploiting a known security flaw in Palo Alto Networks PAN-OS software (CVE-2024-0012), but it is not clear how the company's network was actually compromised. The attack culminated in machines being encrypted with the RA World ransomware, but not before the Toshiba binary was used to launch the PlugX malware.
It is worth noting at this point that prior analyses from Cisco Talos and Palo Alto Networks Unit 42 have uncovered tradecraft overlaps between RA World (formerly known as RA Group) and the Chinese threat actor known as Bronze Starlight (aka Storm-401 and Emperor Dragonfly), which has a history of using short-lived ransomware families.
It is not known why espionage actors are carrying out financially motivated attacks, but Symantec theorized that a lone actor is likely behind the efforts, attempting to make some quick profit on the side. This assessment also coincides with Sygnia's October 2022 analysis of Emperor Dragonfly, which described it as a "single threat actor."
This kind of moonlighting is rarely observed in the Chinese hacking ecosystem, but it is far more common among threat actors in Iran and North Korea.
"Another form of financially motivated activity in support of state goals is groups of state-sponsored espionage actors that are permitted, either implicitly or explicitly, to perform financially motivated operations to supplement their income," Google Threat Intelligence Group (GTIG) said in a report released this week.
"This allows the government to offset the direct costs required to maintain a robustly capable group."
Salt Typhoon Exploits Vulnerable Cisco Devices to Breach Telecom Businesses
The development comes as a Chinese nation-state hacking group called Salt Typhoon has been linked to a series of cyberattacks that exploit known security flaws in Cisco network devices (CVE-2023-20198 and CVE-2023-20273) to break into multiple networks.
Based on communications detected between compromised Cisco devices and the threat actor's infrastructure, the malicious cyber activity is assessed to have singled out a US-based affiliate of a major UK telecommunications provider, a South African telecommunications provider, an Italian internet service provider, and a large Thai telecommunications provider.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0L1BMCM3KGsJvgUyjHWjpUDaKBmFoBWzWtINBNwKMKDZVZuhTmwMr1yO5npF93BSiiZYPb7AC_0eUgOzxf7Q8XjlxDGHWAGsNy4SDpYKT3tDK4hNeHesMeToNv_aVEp_-36riKIl-Jvg7S28ZAYEXcsHSg0CRoyZGRGfQ1UQLkEaM0-t0bf378mtOgPmg/s728-rw-e365/salt.png)
The attacks took place between December 4, 2024, and January 23, 2025, according to Recorded Future's Insikt Group. The adversary is also tracked as Earth Estries, FamousSparrow, GhostEmperor, RedMike, and UNC2286.
More than half of the targeted Cisco devices are located in the US, South America, and India. In what appears to be an expanding target focus, Salt Typhoon has also been observed targeting devices associated with more than 12 universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the US, and Vietnam.
"RedMike likely targeted these universities to access research in areas related to telecommunications, engineering, and technology, particularly at institutions such as UCLA and TU Delft," the company said.
Successful compromises are followed by the threat actor using elevated privileges to change the device configuration and add a Generic Routing Encapsulation (GRE) tunnel between the compromised Cisco device and its own infrastructure for persistent access and data exfiltration.
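A defender-side check for the persistence mechanism described above, added here as an example and not part of the original report: it parses a constructed IOS-style running configuration (the format and the sample are assumptions, and the peer allow-list is a placeholder an operator would maintain) and flags GRE tunnel interfaces whose destination is not a known peer, including a tunnel that relies on the IOS default GRE mode instead of an explicit `tunnel mode` line.

```python
# Constructed sample running-config (not captured from a real device). Tunnel1 is a
# sanctioned backup link; Tunnel77 has no explicit "tunnel mode", so IOS treats it
# as GRE over IP by default, and it points at an unknown peer.
SAMPLE_CONFIG = """
hostname edge-rtr-01
!
interface Tunnel1
 description backup link to HQ
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
interface Tunnel77
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.23
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

# Placeholder allow-list of tunnel peers the network team has documented.
KNOWN_TUNNEL_PEERS = {"203.0.113.10"}


def parse_tunnels(config):
    """Return {interface_name: {attribute: value}} for every Tunnel stanza."""
    tunnels, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface Tunnel"):
            current = line.split()[1]
            tunnels[current] = {}
        elif current and line.startswith(" "):
            words = line.split()  # indented lines belong to the open stanza
            if words[0] == "tunnel" and len(words) >= 3:
                tunnels[current][words[1]] = " ".join(words[2:])
        else:
            current = None  # "!" or any top-level line closes the stanza
    return tunnels


def unexpected_gre_tunnels(config, known_peers):
    """List (interface, destination) for GRE tunnels whose peer is not allow-listed."""
    findings = []
    for name, attrs in parse_tunnels(config).items():
        mode = attrs.get("mode", "gre ip")  # IOS default when no tunnel mode is set
        dest = attrs.get("destination", "<none>")
        if mode.startswith("gre") and dest not in known_peers:
            findings.append((name, dest))
    return findings


if __name__ == "__main__":
    for name, dest in unexpected_gre_tunnels(SAMPLE_CONFIG, KNOWN_TUNNEL_PEERS):
        print(f"unexpected GRE tunnel {name} -> {dest}")
```

Run against a real `show running-config` export, the same check also surfaces tunnels whose destination was changed after the last documented baseline.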
Using vulnerable network appliances, which are typically not covered by security controls such as endpoint detection and response (EDR) solutions, as entry points into target victims has become something of a standard playbook for Chinese hacking groups such as Volt Typhoon.
To mitigate the risks posed by such attacks, organizations are recommended to prioritize applying available security patches and updates to public-facing network devices, and to avoid exposing administration interfaces or non-essential services to the internet, particularly on devices that have reached end-of-life (EOL).