#TradeSecretsStolen- Chinese Hackers Caught Stealing Trade Secrets and Intellectual Properties from Multinational Companies

-
image

An elusive and sophisticated cyberespionage campaign orchestrated by the Chinabacked Winnti group has managed to fly under the radar since at least 2019. 

 Dubbed "Operation CuckooBees" by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information. 

 Targets included technology and manufacturing companies primarily located in East Asia, Western Europe, and North America. 

 "The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturingrelated proprietary data," the researchers said. 

 "In addition, the attackers collected information that could be used for future cyberattacks, such as details about the target company`s business units, network architecture, user accounts and credentials, employee emails, and customer data." 

 Winnti, also tracked by other cybersecurity vendors under the names APT41, Axiom, Barium, and Bronze Atlas, is known to be active since at least 2007. 

 "The purpose of this group is to steal intellectual property from organizations in developed countries, which will be done on behalf of China and support decision-making in many Chinese economic sectors," Secureworks said. .. The multi-stage chain of  infection  documented by 

 Cybereason involves leveraging an internet-connected server to provide a web shell for reconnaissance, traversal, and data extraction activities. It will be. 

 Complex and complex, each component of the kill chain relies on other modules  to function, making it very difficult to analyze following the "card house" approach. 

 "This shows the attention and effort devoted to both  malware and operational security considerations, and analysis is almost impossible  unless all pieces of the puzzle are put together in the correct order." The researchers explained. 

  data acquisition is facilitated by  a modular loader called Spyder, which is used to decrypt and load additional payloads. It also uses four different payloads (STASHLOG, SPARKLOG, PRIVATELOG, and DEPLOYLOG). These payloads are sequentially deployed to destroy the kernel-level rootkit WINNKIT. The key to camouflaging the 

  campaign is to use  "rarely seen" techniques, such as the abuse of Windows Common Log File System & # 40; CLFS & # 41 ;. A mechanism that hides the payload and allows hacking groups to hide the payload and avoid detection by traditional security products. 

 Interestingly, some of the attack sequences were already detailed by Mandiant in September 2021 and CLFS was being abused to hide the second stage payload to evade detection. I am paying attention.

Cyber-security companies have attributed the malware to an unknown attacker, but warned that it could have been deployed as part of a  targeted activity. 

 “There is no tool that can analyze CLFS log files because the file format is not widely used or documented,” Mandiant said at the time. "This allows an attacker to easily hide the data as a log record because it can be accessed via API functions." As part of that, the 

 WINNKIT compilation timestamp is May 2019 on VirusTotal. The detection rate  of is almost zero, reflecting its elusive nature. Of the malware that allowed the author to remain undetected for years. According to 

 researchers, the ultimate goal of the intrusion is to soak up proprietary information, research documents, source code, and blueprints for various technologies. 

 "Winnti is one of the most hard-working groups working for the national interest of China," said Cybereason. "The threat [actor] employed an elaborate, multistage infection chain that was critical to enabling the group to remain undetected for so long."

Comments

Post a Comment

Popular posts from this blog

#The biggest password leak ever: nearly 10 billion credentials exposed

-
Image
    Cybersecurity researchers are calling it the largest password compilation leak of all time. On July 4, a newly registered user on a popular hacking forum posted a file containing nearly 10 billion compromised passwords in plaintext. The post was first noticed by researchers at  Cybernews . RockYou2024 leaked password compilation This gigantic list of leaked passwords known as RockYou2024 provides hackers with an important tool that can be utilized in a brute force attack.  A brute force attack is a popular hacking method where the attacker guesses a user's password by trial-and-error. Hackers commonly use automated scripts when carrying out a brute force attack, which enables them to try out a slew of passwords within a short period of time. With a leaked password database this big, hackers have a nearly unlimited pool of passwords to try out.  “In its essence, the RockYou2024 leak is a comp...
Read more

Donald Trump back on Twitter. Elon Musk says he's letting Donald Trump back on Twitter

-
Image
Elon Musk has announced that Donald Trump may be returning to Twitter. Musk justified this decision with the results of his personal Twitter poll. The @realDonaldTrump account and his tweets are back in full view just days after Trump confirmed he would run for president again in 2024. Shortly after taking control of the social network, Musk said he would not reopen suspended accounts until the company established and convened a content moderation council with "very diverse perspectives." . Instead, on Friday night, as people plunged into Thanksgiving weekend, he decided to vote for his followers on his Twitter. "Rehire former President Trump," he tweeted, along with a poll with buttons to select "yes" or "no." "Vox Populi, Vox Dei," he added in a follow-up tweet, in Latin, "The voice of the people is the voice of God." A "yes" answer won him by a narrow margin of 52-48. It's not clear how many of them were bots....
Read more

#Police pulled over a Waymo car for driving in the oncoming lane

-
Image
  On June 19th, a Phoenix police officer pulled over an autonomous Waymo vehicle that had been driving in an oncoming traffic lane. The car was apparently confused by some construction signs and reportedly ran a red light before pulling over in a parking lot to let the officer talk to one of Waymo’s support representatives. In about two-and-a-half minutes of bodycam footage published by  AZCentral,  t he officer told Waymo the car was driving in a construction zone when it “went into opposing lanes of traffic, which is real bad.” He then told a curious bystander what had happened, adding, “so I light it up and it takes off in the intersection.” A dispatch record reportedly said the car drove through a red light and ‘FREAKED OUT’ before it pulled over. Waymo spokesperson Chris Bonelli told  The Verge  in an email that the vehicle, which had no passengers, drove into the oncoming lane whe...
Read more