Chinese hackers lay cybersnares for US, UK firms

The group has set up at least 100 watering hole attacks to ensnare victims in the defense, education and political sectors.

A Chinese hacking group has compromised the networks of 50 companies in the UK and United States.

At Black Hat in Las Vegas, Nevada this week, Dell SecureWorks' Counter Threat Unit (CTU) revealed that the security team has been tracking TG-3390, also known as Emissary Panda, for the past two years.

The Chinese cyberespionage group is one of many groups which use digital means to steal sensitive data belonging to both corporate entities and government institutions. CTU says Emissary Panda is "far from cuddly" and has spanned across the globe by compromising legitimate websites in order to deliver malware able to compromise targeted networks.

In the same way as other advanced persistent threat (APT) groups, Emissary Panda uses watering hole attacks to infect their targets. Watering hole attacks, otherwise known as strategic web compromises (SWC), are cyberattacks developed based on a target's online activity and which websites they visit.

Once a list of often-visited websites has been collected, the cyberattacker will try to infect these trusted websites with malware in order to achieve the true goal -- compromising a victim's system.

Emissary Panda has developed a substantial network of SWC attacks, having infected at least 100 websites worldwide in order to ensnare targets in countries across Europe, South America, the Middle East and Africa.

According to CTU, websites compromised by the hacking group include the embassy of the Russian Federation in Washington, D.C., other embassies representing countries worldwide, Spanish defense manufacturing firm Amper, and various NGOs, energy firms, defense companies and government organizations. Auto manufacturers, aircraft designers and players in the pharmaceutical industry have also been targeted.

Code was placed on each compromised website which redirected visitors to a malicious version controlled by Emissary Panda. If a potential victim's IP address was of interest, the user would be served an exploit kit when they next returned to the website.

Once inside a targeted network, the hackers tended to go for the domain controller in order to steal various credentials and gain access to other network areas which may store sensitive data.

Emissary Panda also targets Microsoft Exchange Servers, installing keyloggers and backdoors along the way as an insurance policy against being discovered and kicked out of a victim's system.

CTU said:

"Not only was TG-3390 very selective about which website visitors (organisations) they compromised, but they were also very discriminating when it came to the intellectual property they stole from their victims.

The CTU observed that TG-3390 would set its sights on a particular project or projects the victim organisation was working on, and then they would steal every file relating to the project or projects but not extract any other files, further staying under the radar."

In order to avoid detection, the APT group did not always use watering hole websites to serve malware -- instead, payloads would be stopped for varying lengths of time to prevent the website arousing suspicion.

The group has a number of tools at its disposal. According to CTU, a number of the malicious software tools detected are "exclusive" to Emissary Panda, such as a modified version of the ASPXSpy web shell, which is used to spy upon internally accessible servers running Internet Information Services (IIS), as well as the OwaAuth web shell, which is deployed to Exchange Servers to steal credentials.

The group is also believed to have access to other tools shared among Chinese threat actors.

So far, no zero-day vulnerabilities have been detected in Emissary Panda campaigns. However, the group has been detected using old vulnerabilities such as CVE-2011-3544 and CVE-2010-0738 in spear phishing attacks.

The group is believed to originate in China. CTU researchers say Emissary Panda -- which operates in the timezone linked to the second half of the workday in China -- uses the PlugX remote access tool, malware already linked to Chinese threat actors. In addition, the team says the hackers use the Chinese Baidu search engine for reconnaissance and often attempt to ensnare targets with political meaning to China.

For example, one website transformed into a watering hole is a cultural site for the Uyghur community, which CTU says "is a Muslim minority group found mostly in the Xinjiang region of China that has at times been in conflict with the Chinese government over its independence." It is unlikely the website would be a target of interest for threat actors outside of the country.

The security team recommends that enterprises mandate the use of two-factor authentication for any and all remote access solutions which connect to corporate networks.

Two-factor authentication -- such as linking a mobile device and inputting additional security codes before accessing an account -- is becoming more and more necessary as passwords simply don't cut it any longer. However, CTU also recommends that Local Administrator access rights are removed when possible. Companies should also maintain a good ISAPI filter audit schedule for Microsoft Exchange servers and, naturally, keep software up-to-date and patched.
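As an added example (not code from the article or from SecureWorks), the ISAPI filter audit recommended above can be made routine with a short PowerShell script: it inventories the ISAPI filters, ISAPI/CGI restrictions and native global modules registered in IIS, hashes the binaries they load, and reports any difference from a baseline captured on a known-good day. It assumes the IIS WebAdministration module is present; the baseline path is a placeholder.

```powershell
# Added example: audit IIS native extensions (ISAPI filters, ISAPI/CGI
# restrictions, global modules) against a saved baseline. Not from the article.
Import-Module WebAdministration

$BaselinePath = 'C:\SecOps\iis-isapi-baseline.json'   # placeholder path, pick your own
$AppHost = 'MACHINE/WEBROOT/APPHOST'                    # applicationHost.config scope

function Get-IisNativeInventory {
    $entries = @()
    # ISAPI filters run on every request, so a rogue one sees every credential.
    foreach ($f in Get-WebConfiguration -Filter '/system.webServer/isapiFilters/filter' -PSPath $AppHost) {
        $entries += [pscustomobject]@{ Kind = 'isapiFilter'; Name = $f.name; Path = $f.path }
    }
    # ISAPI/CGI restrictions list the DLLs and executables explicitly allowed to run.
    foreach ($r in Get-WebConfiguration -Filter '/system.webServer/security/isapiCgiRestriction/add' -PSPath $AppHost) {
        $entries += [pscustomobject]@{ Kind = 'isapiCgiRestriction'; Name = $r.description; Path = $r.path }
    }
    # Native global modules are loaded into every worker process.
    foreach ($m in Get-WebConfiguration -Filter '/system.webServer/globalModules/add' -PSPath $AppHost) {
        $entries += [pscustomobject]@{ Kind = 'globalModule'; Name = $m.name; Path = $m.image }
    }
    # Hash the on-disk binary so a swapped DLL with the same name still shows up.
    foreach ($e in $entries) {
        $resolved = [Environment]::ExpandEnvironmentVariables($e.Path)
        $hash = if (Test-Path $resolved) { (Get-FileHash -Path $resolved -Algorithm SHA256).Hash } else { 'MISSING' }
        $e | Add-Member -NotePropertyName Sha256 -NotePropertyValue $hash -PassThru
    }
}

$current = Get-IisNativeInventory
if (-not (Test-Path $BaselinePath)) {
    # First run: persist the inventory, then review it by hand before trusting it.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath; review it before relying on it."
    return
}

$baseline = Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json
$key = { "$($_.Kind)|$($_.Name)|$($_.Path)|$($_.Sha256)" }
$diff = Compare-Object -ReferenceObject @($baseline | ForEach-Object $key) `
                       -DifferenceObject @($current | ForEach-Object $key)
if ($diff) {
    # '=>' marks entries present now but not in the baseline (new or modified);
    # '<=' marks baseline entries that have disappeared.
    Write-Warning 'IIS native extension inventory differs from baseline:'
    $diff | ForEach-Object { '{0} {1}' -f $_.SideIndicator, $_.InputObject }
} else {
    'No change from baseline.'
}
```

Schedule it to run on each Exchange front-end server and treat any '=>' line that was not part of a planned change as an incident to investigate, not a log line to file.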
