Home and office routers come under attack by China state hackers, France warns
Compromised routers give the hackers anonymity in ongoing large-scale attacks.
“ANSSI is currently handling a large intrusion campaign impacting numerous French entities,” an ANSSI advisory warned. “Attacks are still ongoing and are led by an intrusion set publicly referred to as APT31. It appears from our investigations that the threat actor uses a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”
People who are concerned their devices are compromised should periodically restart their devices, since most router malware is unable to survive a reboot. Users should also make sure remote administration is turned off (unless truly needed and locked down) and that DNS servers and other configurations haven’t been maliciously changed. As always, installing firmware updates promptly is a good idea.
The advisory contains indicators of compromise that organizations can use to determine if they were hacked or targeted in the campaign. The indicators include 161 IP addresses, although it’s not entirely clear if they belong to compromised routers or other types of Internet-connected devices used in the attacks.
A graph charting the countries hosting the IPs, created by researcher Will Thomas of security firm Cyjax, shows the biggest concentration is in Russia, followed by Egypt, Morocco, Thailand, and the United Arab Emirates. . .
Hackers have used compromised home and small office routers for years for use in botnets that wage crippling denial-of-service attacks, redirect users to malicious sites, and act as proxies for performing brute-force attacks, exploiting vulnerabilities, scanning ports, and exfiltrating data from hacked targets.
____________________________________________________________________________
According to cybersecurity sources, the alleged group behind the incursion is the Chinese government-backed APT31. APT31 has also been dubbed Zirconium and Judgement Panda.
According to FireEye, APT31 has targeted myriad industries, such as “government, international financial organisation, and aerospace and defence organisations, as well as high-tech, construction and engineering, telecommunications, media, and insurance”.
RELATED CONTENT:
France warns of APT31 cyberspies targeting French organizations
Today, the French national cyber-security agency warned of an ongoing series of attacks against a large number of French organizations coordinated by the Chinese-backed APT31 hacking group. . .
Organizations that detect any of the shared IOCs in their logs pointing at an attack potentially connected to this ongoing APT31 campaign are urged to report the incident to ANSSI via email.
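The advisory's IP list (mentioned above as 161 addresses) is meant to be matched against an organization's own logs. The following is an added example, not code from Ars Technica, BleepingComputer or ANSSI, of how such a sweep can be done: the IOC list and the log lines are constructed stand-ins using documentation-range addresses, since the real indicators are only in the advisory itself.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for the advisory's IOC list. The real 161 addresses are
# in the ANSSI advisory; documentation-range placeholders are used here.
IOC_LIST = """
# placeholder relay-box addresses, one IP or CIDR per line
192.0.2.10
192.0.2.11
198.51.100.0/28
"""

# Constructed sample input: three web-server access-log lines and one
# netfilter firewall line, none of them from a real incident.
SAMPLE_LOGS = [
    '192.0.2.10 - - [21/Jul/2021:10:02:11 +0200] "GET /owa/ HTTP/1.1" 401 0',
    '203.0.113.5 - - [21/Jul/2021:10:03:40 +0200] "GET /index.html HTTP/1.1" 200 512',
    'Jul 21 10:05:02 fw1 kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.4 PROTO=TCP DPT=443',
    '192.0.2.11 - - [21/Jul/2021:10:06:00 +0200] "POST /login HTTP/1.1" 200 128',
]

# Dotted quads not glued to other digits/dots (so "HTTP/1.1" and timestamps are skipped).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def load_iocs(text):
    """Parse one IP or CIDR per line; blank lines and '#' comments are ignored."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def find_hits(log_lines, nets):
    """Return {ioc_network: [log line numbers]} for every line carrying a matching IP."""
    hits = defaultdict(list)
    for lineno, line in enumerate(log_lines, 1):
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # e.g. "999.1.2.3" looks like an address but is not one
            for net in nets:
                if addr in net and lineno not in hits[str(net)]:
                    hits[str(net)].append(lineno)
    return dict(hits)

if __name__ == "__main__":
    for net, lines in find_hits(SAMPLE_LOGS, load_iocs(IOC_LIST)).items():
        print(f"{net}: seen on log lines {lines}")
```

A hit only says that traffic was seen from a listed address; because the relays are compromised consumer routers, the line itself still needs to be reviewed for what was requested before reporting to ANSSI.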
quick writeup from @ANSSI_FR on APT31 use of home routers as ORBs with IOCs: https://t.co/Hs4scHcTq6
— billy leonard (@billyleonard) July 21, 2021
and here is a potential early version of their router implant that we (cc @neelmehta) found in TAG: https://t.co/SAZtb9r4Wr
APT31 (also known as Zirconium and Judgment Panda) is a hacking group working at the behest of the Chinese Government known for its numerous espionage and information theft operations.
This threat has been linked in the past to the theft and repurposing of the EpMe NSA exploit years before Shadow Brokers publicly leaked it in April 2017.
Last year, Microsoft observed APT31 attacks targeting the international affairs community and high-profile individuals associated with the Joe Biden presidential campaign.
APT31 was also spotted by Google while targeting "campaign staffers' personal emails with credential phishing emails and emails containing tracking links."
Chinese cyberespionage operations under the spotlight
These attacks come after the US and its allies, including the European Union, the United Kingdom, and NATO, have formally accused China of this year's Microsoft Exchange hacking campaign.
The cyberattacks took place in early 2021 and targeted more than a quarter of a million Microsoft Exchange servers, belonging to tens of thousands of organizations worldwide.