A Chinese-aligned cyberespionage group has been observed striking the telecommunication sector in Central Asia with versions of malware such as ShadowPad and PlugX.

Cybersecurity firm SentinelOne tied the intrusions to an actor it tracks under the name "Moshen Dragon," with tactical overlaps between the collective and another threat group referred to as Nomad Panda (aka RedFoxtrot).

"PlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors primarily for espionage activity," SentinelOne's Joey Chen said. "Those tools have flexible, modular functionality and are compiled via shellcode to easily bypass traditional endpoint protection products."

ShadowPad, labeled a "masterpiece of privately sold malware in Chinese espionage," emerged as a successor to PlugX in 2015, even as variants of the latter have continually popped up as part of different campaigns associated with Chinese threat actors.

Although known to be deployed by the government-sponsored hacking group dubbed Bronze Atlas (aka APT41, Barium, or Winnti) since at least 2017, an ever-increasing number of other China-linked threat actors have joined the fray.

Moshen Dragon's TTPs involve the abuse of legitimate antivirus software belonging to BitDefender, Kaspersky, McAfee, Symantec, and Trend Micro to sideload ShadowPad and Talisman on compromised systems by means of a technique called DLL search order hijacking.

In the subsequent step, the hijacked DLL is used to decrypt and load the final ShadowPad or PlugX payload that resides in the same folder as that of the antivirus executable. Persistence is achieved by either creating a scheduled task or a service.

The hijacking of security products notwithstanding, other tactics adopted by the group include the use of known hacking tools and red team scripts to facilitate credential theft, lateral movement and data exfiltration. The initial access vector remains unclear as yet.

"Once the attackers have established a foothold in an organization, they proceed with lateral movement by leveraging Impacket within the network, placing a passive backdoor into the victim environment, harvesting as many credentials as possible to insure unlimited access, and focusing on data exfiltration," Chen said.

The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment makes clear the cyber threat posed by the People’s Republic of China (PRC): “China probably currently represents the broadest, most active, and persistent cyber espionage threat to U.S. [...] China’s cyber pursuits and its industry’s export of related technologies increase the threats of aggressive cyber operations against the U.S. [...] China almost certainly is capable of launching cyber attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems.”

The U.S. government and partners around the world provide timely and actionable information about the PRC cyber threat to help organizations prioritize the most effective cybersecurity measures. In this context, every organization must take urgent action to understand and address known tactics, techniques, and procedures (TTPs) used by PRC cyber actors – including efforts to detect and prevent intrusions and respond to and recover from incidents, particularly by investing in the operational resilience of essential services.

As a starting point, organizations should:
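The DLL search order hijacking described above works because Windows resolves most DLL names from the application's own directory before the system directory, so a look-alike DLL dropped next to a trusted executable gets loaded first. The following triage helper is an added example (not SentinelOne's code or any vendor tooling) that flags DLLs sitting outside the system directories whose names collide with system DLL names; the allowlist, the directory paths and the sample file inventory are constructed placeholders.

```python
"""Triage a file inventory for candidate DLL search-order hijacks.

A DLL is suspicious when it (a) lives in an application directory rather than
System32/SysWOW64 and (b) carries the name of a DLL that normally lives in the
system directory, because the loader will pick the application-directory copy.
KnownDLLs are excluded: the loader always maps those from System32 regardless
of the search path, so a copy beside an executable is never loaded that way.
"""
from pathlib import PureWindowsPath

# Constructed, deliberately small allowlists for this example. A real detector
# would build SYSTEM_DLLS from the contents of System32 on a clean reference
# image and KNOWN_DLLS from the registry KnownDLLs key.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def candidate_hijacks(paths):
    """Return a list of (path, reason) for every DLL that shadows a system
    DLL name from an application directory. `paths` are full Windows paths."""
    findings = []
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        parent = str(p.parent).lower()
        if not name.endswith(".dll"):
            continue
        if parent in SYSTEM_DIRS:
            continue  # legitimate home of the DLL
        if name in KNOWN_DLLS:
            continue  # never resolved from the application directory
        if name in SYSTEM_DLLS:
            findings.append((raw, f"{name} shadows a system DLL from {parent}"))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory: a vendor directory with one planted DLL.
    sample = [
        r"C:\Program Files\ExampleAV\scanner.exe",
        r"C:\Program Files\ExampleAV\version.dll",
        r"C:\Program Files\ExampleAV\kernel32.dll",
        r"C:\Windows\System32\version.dll",
    ]
    for path, reason in candidate_hijacks(sample):
        print(f"[!] {path}: {reason}")
```

A hit is a lead, not a verdict: confirm by checking the DLL's signature and hash against the vendor's shipped files before treating it as the sideloaded loader.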