Over 1,000 SOHO devices hacked in the China Link Lap Dog Cyberspy Campaign

June 27, 2025Ravi LakshmananThreat Hunting/Vulnerability

Threat hunters have discovered a network of over 1,000 compromised small office and home office (SOHO) devices being used to support a long-running cyber espionage infrastructure campaign for China-nexus hacking groups.

The Operational Relay Box (ORB) network has been codenamed LapDogs by SecurityScorecard's STRIKE team.

“The LapDogs network is slowly and steadily growing with casualties concentrated in the US and Southeast Asia,” the cybersecurity company said in a technical report released this week.

Other regions with notable infection counts include Japan, South Korea, Hong Kong and Taiwan, with victims spanning the IT, networking, real estate and media sectors. Active infections span devices and services from Ruckus Wireless, ASUS, Buffalo Technology, Cisco-Linksys, Cross DVR, D-Link, Microsoft, Panasonic and Synology.

LapDogs’ beating heart is a custom backdoor called ShortLeash, designed to enroll infected devices into the network. Once installed, it sets up a fake Nginx web server and generates a unique, self-signed TLS certificate with the issuer name “LAPD” in an attempt to impersonate the Los Angeles Police Department. It is this reference that gave the ORB network its name.
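A defender-side check built on the certificate trait described above, added here as an example (it is not code from SecurityScorecard's report): it walks Zeek-style JSON ssl.log records and flags only server certificates that are both self-signed and carry “LAPD” as the issuer CN or O. The log lines are constructed, and the field names (`id.resp_h`, `subject`, `issuer`) are assumed to follow Zeek's ssl.log layout.

```python
import json
import re
from typing import Dict, List

# Constructed sample records in the shape of Zeek's JSON ssl.log. Hosts use
# documentation ranges; the third line is a benign self-signed router cert
# that must NOT be flagged (self-signed alone is not the indicator).
SAMPLE_SSL_LOG = """
{"ts":1719446400.1,"id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.10","id.resp_p":443,"server_name":"192.0.2.10","subject":"CN=LAPD,O=LAPD,L=Los Angeles,ST=CA,C=US","issuer":"CN=LAPD,O=LAPD,L=Los Angeles,ST=CA,C=US"}
{"ts":1719446401.2,"id.orig_h":"10.0.0.6","id.resp_h":"198.51.100.7","id.resp_p":443,"server_name":"www.example.com","subject":"CN=www.example.com,O=Example Corp,C=US","issuer":"CN=Example Public CA,O=Example Trust,C=US"}
{"ts":1719446402.3,"id.orig_h":"10.0.0.7","id.resp_h":"203.0.113.9","id.resp_p":8443,"server_name":"router.lan","subject":"CN=router.lan,O=Home Router,C=US","issuer":"CN=router.lan,O=Home Router,C=US"}
"""

# Issuer attribute values tied to the ShortLeash certificate described in the article.
SUSPECT_ISSUER_VALUES = {"LAPD"}


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 4514-style DN ('CN=a,O=b') into an attribute map.
    A comma escaped as '\\,' stays inside its value."""
    attrs: Dict[str, str] = {}
    for part in re.split(r"(?<!\\),", dn):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs


def is_self_signed(rec: Dict) -> bool:
    """A leaf whose issuer DN equals its subject DN has no CA behind it."""
    return bool(rec.get("issuer")) and rec.get("issuer") == rec.get("subject")


def flag_shortleash_style_certs(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per TLS session whose server cert is self-signed
    and names a suspect issuer in its CN or O attribute."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        issuer = parse_dn(rec.get("issuer", ""))
        suspect = any(issuer.get(attr) in SUSPECT_ISSUER_VALUES for attr in ("CN", "O"))
        if suspect and is_self_signed(rec):
            findings.append({
                "resp_h": rec["id.resp_h"],
                "resp_p": str(rec["id.resp_p"]),
                "issuer": rec["issuer"],
                "reason": "self-signed cert with LAPD issuer (ShortLeash trait)",
            })
    return findings


if __name__ == "__main__":
    for f in flag_shortleash_style_certs(SAMPLE_SSL_LOG):
        print(f"{f['resp_h']}:{f['resp_p']} {f['reason']} [{f['issuer']}]")
```

Pairing the issuer match with the self-signed test keeps ordinary home-router certificates out of the alert queue; a match on a device also serving a bare Nginx banner would be a strong follow-up lead.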

ShortLeash is assessed to be delivered via shell scripts to infected Linux-based SOHO devices, although artifacts indicating a Windows version of the backdoor have also been found. The attacks themselves weaponize N-day security vulnerabilities (such as CVE-2015-1548 and CVE-2017-17663) to gain initial access.

The first signs of LapDogs activity were traced back to Taiwan on September 6, 2023, with a second attack recorded on January 19, 2024. There is evidence to suggest that each campaign is launched in batches. To date, a total of 162 distinct intrusion sets have been identified.

LapDogs is known to share some similarities with another cluster called PolarEdge, which Sekoia documented in early February this year as having ensnared routers and other IoT devices into a network since late 2023 by exploiting known security flaws, for as-yet-undetermined purposes.

Despite the overlap, LapDogs and PolarEdge are assessed to be two separate entities, given the differences in their infection processes, the persistence methods used, and the former’s ability to target virtual private servers (VPS) and Windows systems.

“The PolarEdge backdoor replaces the CGI scripts on the device with the operator’s specified web shell, but ShortLeash is simply inserted into the system directory as a .service file, ensuring service persistence on reboot and root-level privileges.”

Furthermore, the China-linked hacking crew tracked as UAT-5918 is assessed with moderate confidence to have used LapDogs in at least one of its operations targeting Taiwan. Currently, it is unclear whether UAT-5918 is behind the network or merely a customer of it.

The use of ORB networks as an obfuscation layer by Chinese threat actors has previously been documented by Google Mandiant, Sygnia, and SentinelOne, indicating that they are increasingly being adopted into the playbooks of their highly targeted operations.

“While both ORBs and botnets generally consist of a large set of compromised, legitimate Internet-facing devices or virtual services, ORB networks are akin to Swiss Army knives and can contribute to every stage of the intrusion lifecycle, from reconnaissance, anonymized actor browsing, evasion of NetFlow collection, and port and vulnerability scanning, to relay servers for intrusion tools and exfiltrated data,” SecurityScorecard said.
