1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Chinese hackers have been running riot on unsecured Windows devic

    From TechnologyDaily@1337:1/100 to All on Thu May 5 13:00:04 2022
    Chinese hackers have been running riot on unsecured Windows devices

    Date:
    Thu, 05 May 2022 11:48:14 +0000

    Description:
    Chinese state-sponsored threat actor Winnti has reportedly been stealing proprietary data for years.

    FULL STORY ======================================================================

    Researchers from Cybereason have uncovered a new espionage campaign thats
    been active for at least three years and includes new malware strains, rarely-seen abuse of certain Windows features, and a complex infection chain.

    According to the company's report, a Chinese state-sponsored actor known as Winnti (aka APT 41, BARIUM, or Blackfly) has been targeting numerous technology and manufacturing companies in North America, Europe, and Asia since, at least, 2019.

    The goal was to identify and exfiltrate sensitive data, such as intellectual property developed by the victims, sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data. The researchers believe the attackers stole hundreds of gigabytes of valuable intel. Rarely seen
    abuse

    This data also helped the attackers map out their victims networks, organizational structure, as well as endpoints , giving them a head start, should they decide to escalate things further (for example, with ransomware).

    In its campaign, Winnti advanced persistent threat actor deployed new
    versions of already known malware (Spyder Loader, PRIVATELOG, and WINNKIT), but it also deployed previously unknown malware - DEPLOYLOG.

    To deploy the malware, the group opted for a rarely seen abuse of the Windows CLFS Feature, the researchers said. Apparently, the group leveraged the Windows CLFS (Common Log File System) mechanism and NTFS transaction manipulations, allowing it to hide the payloads and evade being detected by security products. Read more

    Indian power grid reportedly hit by Chinese cyberattacks


    Google says Chinese hackers are targeting US government Gmail accounts


    China says Walmart has some serious security flaws

    The payload delivery itself was described as intricate and interdependent, resembling a house of cards. As a result, it was very difficult for researchers to analyze each component separately.

    Still, they managed to piece the puzzle together, and are claiming the Winnti malware arsenal includes Spyder (a sophisticated modular backdoor), STASHLOG (the initial deployment tool that stashes payloads in Windows CLFS), SPARKLOG (extracts and deploys PRIVATELOG to escalate privileges and achieve persistence on the target endpoint), PRIVATELOG (extracts and deploys DEPLOYLOG), and DEPLOYLOG (deploys the WINNKIT rootkit). Finally, theres WINNKIT, the Winnti kernel-level rootkit. Defend your premises from Chinese spies with the best firewalls around



    ======================================================================
    Link to news story: https://www.techradar.com/news/chinese-hackers-have-been-running-riot-on-unsec ured-windows-devices/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)