22 July 2021

Red Alert: More Ongoing Large-Scale Attacks > Stealth Recon and Intrusions

Here we go again! (from ArsTechnica) "On Wednesday, France’s National Agency for Information Systems Security—abbreviated as ANSSI—warned national businesses and organizations that the group was behind a massive attack campaign that was using hacked routers prior to carrying out reconnaissance and attacks as a means to cover up the intrusions.

Home and office routers come under attack by China state hackers, France warns

Compromised routers give the hackers anonymity in ongoing large-scale attacks.

“ANSSI is currently handling a large intrusion campaign impacting numerous French entities,” an ANSSI advisory warned. “Attacks are still ongoing and are led by an intrusion set publicly referred to as APT31. It appears from our investigations that the threat actor uses a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”

People who are concerned their devices are compromised should periodically restart their devices, since most router malware is unable to survive a reboot. Users should also make sure remote administration is turned off (unless truly needed and locked down) and that DNS servers and other configurations haven’t been maliciously changed. As always, installing firmware updates promptly is a good idea.

The advisory contains indicators of compromise that organizations can use to determine if they were hacked or targeted in the campaign. The indicators include 161 IP addresses, although it’s not entirely clear if they belong to compromised routers or other types of Internet-connected devices used in the attacks.

A graph charting the countries hosting the IPs, created by researcher Will Thomas of security firm Cyjax, shows the biggest concentration is in Russia, followed by Egypt, Morocco, Thailand, and the United Arab Emirates. . ."

Chinese hacking group APT31 uses mesh of home routers to disguise attacks - The Record by Recorded Future

Hackers have used compromised home and small office routers for years for use in botnets that wage crippling denial-of-service attacks, redirect users to malicious sites, and act as proxies for performing brute-force attacks, exploiting vulnerabilities, scanning ports, and exfiltrating data from hacked targets.
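The advisory's indicators are a list of IP addresses, and the practical question for a defender is whether any of them show up in existing web-server, proxy or firewall logs. The script below is an added example of that check; it is not code from ANSSI, Ars Technica or The Record, and the IOC list and log lines in it are constructed placeholders from the RFC 5737 documentation ranges, not the real indicators. It accepts bare addresses and CIDR blocks, pulls every IPv4 address out of each log line (so both inbound source addresses and outbound destinations are checked), and reports which indicator was seen on which line.

```python
"""
Match log lines against an IOC list of IP addresses and CIDR blocks.
Added example (not from ANSSI, Ars Technica or The Record). Every address
below is a constructed placeholder from RFC 5737 documentation ranges,
not a real indicator.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed IOC list standing in for the advisory's IP indicators.
# Bare addresses and CIDR blocks are both accepted; comments and blank lines are skipped.
IOC_TEXT = """
# constructed placeholders, not the ANSSI indicators
192.0.2.10
192.0.2.77
198.51.100.0/28
"""

# Constructed sample logs: two Apache "combined" lines and two firewall-style lines.
SAMPLE_LOGS = """\
192.0.2.10 - - [21/Jul/2021:08:14:02 +0200] "GET /owa/auth/logon.aspx HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Jul/2021:08:14:09 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2021-07-21T08:15:30Z fw01 ACCEPT src=198.51.100.7 dst=10.0.0.12 sport=51123 dport=443
2021-07-21T08:16:01Z fw01 ACCEPT src=203.0.113.9 dst=10.0.0.12 sport=44012 dport=443
"""

# Dotted-quad candidates that are not glued to other digits or dots (avoids partial matches).
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def load_iocs(text):
    """Parse IOC text into ipaddress networks (a bare address becomes a /32)."""
    networks = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        networks.append(ipaddress.ip_network(line, strict=False))
    return networks


def extract_ips(line):
    """Return every syntactically valid IPv4 address found in a log line."""
    ips = []
    for candidate in IPV4_RE.findall(line):
        try:
            ips.append(ipaddress.ip_address(candidate))
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
    return ips


def match_logs(log_text, networks):
    """Map each IOC hit (as a string) to the 1-based log line numbers where it appears."""
    hits = defaultdict(list)
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for ip in extract_ips(line):
            # A line is a hit if any address in it falls inside any IOC network.
            if any(ip in net for net in networks):
                hits[str(ip)].append(lineno)
    return dict(hits)


if __name__ == "__main__":
    iocs = load_iocs(IOC_TEXT)
    for ip, lines in sorted(match_logs(SAMPLE_LOGS, iocs).items()):
        print(f"IOC {ip} seen on log line(s) {lines}")
```

On the constructed input this reports 192.0.2.10 on line 1 and 198.51.100.7 (inside the /28 block) on line 3. Because the listed addresses may be compromised home routers used as relays rather than attacker-owned infrastructure, a hit means the host exchanged traffic with an address on the list, not that it was compromised; treat it as a lead to investigate and, as the advisory asks, report rather than as proof of intrusion.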

____________________________________________________________________________

According to cyber security sources, the group alleged to be behind the incursion is the Chinese government-backed APT31. APT31 has also been dubbed Zirconium and Judgement Panda.

"According to FireEye, APT31 has targeted myriad industries, such as “government, international financial organisation, and aerospace and defence organisations, as well as high-tech, construction and engineering, telecommunications, media, and insurance”."

RELATED CONTENT:

France warns of APT31 cyberspies targeting French organizations

Today, the French national cyber-security agency warned of an ongoing series of attacks against a large number of French organizations coordinated by the Chinese-backed APT31 hacking group. . .

Organizations that detect any of the shared IOCs in their logs pointing at an attack potentially connected to this ongoing APT31 campaign are urged to report the incident to ANSSI via email.

APT31 (also known as Zirconium and Judgment Panda) is a hacking group working at the behest of the Chinese Government known for its numerous espionage and information theft operations.

This threat has been linked in the past to the theft and repurposing of the EpMe NSA exploit years before Shadow Brokers publicly leaked it in April 2017.

Last year, Microsoft observed APT31 attacks targeting the international affairs community and high-profile individuals associated with the Joe Biden presidential campaign.

APT31 was also spotted by Google while targeting "campaign staffers' personal emails with credential phishing emails and emails containing tracking links."

Chinese cyberespionage operations under the spotlight

These attacks come after the US and its allies, including the European Union, the United Kingdom, and NATO, have formally accused China of this year's Microsoft Exchange hacking campaign.

The cyberattacks took place in early 2021 and targeted more than a quarter of a million Microsoft Exchange servers, belonging to tens of thousands of organizations worldwide.
