Apr 05, 2024NewsroomAdvanced Persistent Threat

Multiple China-nexus threat actors have been linked to the zero-day exploitation of three security flaws impacting Ivanti appliances (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893).

The clusters are being tracked by Mandiant under the monikers UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Another group linked to the exploitation spree is UNC3886.

The Google Cloud subsidiary said it has also observed financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely in an attempt to conduct cryptocurrency mining operations.

“UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments,” Mandiant researchers said.

The threat actor has been linked to post-exploitation activity leading to the deployment of the Sliver command-and-control (C2) framework, a variant of the WARPWIRE credential stealer, and a new Go-based backdoor dubbed TERRIBLETEA that comes with command execution, keylogging, port scanning, file system interaction, and screen capturing functions.

UNC5330, which has been observed combining CVE-2024-21893 and CVE-2024-21887 to breach Ivanti Connect Secure VPN appliances at least since February 2024, has leveraged custom malware such as TONERJAM and PHANTOMNET for facilitating post-compromise actions –

• PHANTOMNET – A modular backdoor that communicates using a custom communication protocol over TCP and employs a plugin-based system to download and execute additional payloads
• TONERJAM – A launcher that’s designed to decrypt and execute PHANTOMNET

Besides using Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence, UNC5330 is known to compromise LDAP bind accounts configured on the infected devices in order to domain admin access.

Another notable China-linked espionage actor is UNC5337, which is said to have infiltrated Ivanti devices as early as January 2024 using CVE-2023-46805 and CVE-2024 to deliver a custom malware toolset known as SPAWN that comprises four distinct components that work in tandem to function as a stealthy and persistent backdoor –

• SPAWNSNAIL – A passive backdoor that listens on localhost and is equipped to launch an interactive bash shell as well as launch SPAWNSLOTH
• SPAWNMOLE – A tunneler utility that’s capable of directing malicious traffic to a specific host while passing benign traffic unmodified to the Connect Secure web server
• SPAWNANT – An installer that’s responsible for ensuring the persistence of SPAWNMOLE and SPAWNSNAIL by taking advantage of a coreboot installer function
• SPAWNSLOTH – A log tampering program that disables logging and log forwarding to an external syslog server when the SPAWNSNAIL implant is running

Mandiant has assessed with medium confidence that UNC5337 and UNC5221 are one and the same threat group, noting the SPAWN tool is “designed to enable long-term access and avoid detection.”

UNC5221, which was previously attributed to web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE, has also unleashed a Perl-based web shell referred to as ROOTROT that’s embedded into a legitimate Connect Secure .ttc file located at “/data/runtime/tmp/tt/setcookie.thtml.ttc” by exploiting CVE-2023-46805 and CVE-2024-21887.

A successful deployment of the web shell is followed by network reconnaissance and lateral movement, in some cases, resulting in the compromise of a vCenter server in the victim network by means of a Golang backdoor called BRICKSTORM.

“BRICKSTORM is a Go backdoor targeting VMware vCenter servers,” Mandiant researchers explained. “It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying.”

The last among the five China-based groups tied to the abuse of Ivanti security flaws is UNC5291, which Mandiant said likely has associations with another hacking group UNC3236 (aka Volt Typhoon), primarily owing to its targeting of academic, energy, defense, and health sectors.

“Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024,” the company said.

The findings once again underscore the threat faced by edge appliances, with the espionage actors utilizing a combination of zero-day flaws, open-source tooling, and custom backdoors to tailor their tradecraft depending on their targets to evade detection for extended periods of time.

Two China-linked advanced persistent threat (APT) groups have been observed targeting entities and member countries affiliated with the Association of Southeast Asian Nations (ASEAN) as part of a cyber espionage campaign over the past three months.

This includes the threat actor known as Mustang Panda, which has been recently linked to cyber attacks against Myanmar as well as other Asian countries with a variant of the PlugX (aka Korplug) backdoor dubbed DOPLUGS.

Mustang Panda, also called Camaro Dragon, Earth Preta, and Stately Taurus, is believed to have targeted entities in Myanmar, the Philippines, Japan and Singapore, targeting them with phishing emails designed to deliver two malware packages.

“Threat actors created malware for these packages on March 4-5, 2024, coinciding with the ASEAN-Australia Special Summit (March 4-6, 2024),” Palo Alto Networks Unit 42 said in a report shared with The Hacker News.

One of the malware package is a ZIP file that contains within it an executable (“Talking_Points_for_China.exe”), that when launched, loads a DLL file (“KeyScramblerIE.dll”) and ultimately deploys a known Mustang Panda malware called PUBLOAD, a downloader previously employed to drop PlugX.

It’s worth pointing out here that the binary is a renamed copy of a legitimate software called KeyScrambler.exe that’s susceptible to DLL side-loading.

The second package, on the other hand, is a screensaver executable (“Note PSO.scr”) that’s used to retrieve next-stage malicious code from a remote IP address, including a benign program signed by a video game company renamed as WindowsUpdate.exe and a rogue DLL that’s launched using the same technique as before.

“This malware then attempts to establish a connection to www[.]openservername[.]com at 146.70.149[.]36 for command-and-control (C2),” the researchers said.

Unit 42 said it also detected network traffic between an ASEAN-affiliated entity and the C2 infrastructure of a second Chinese APT group, suggesting a breach of the victim’s environment. This unnamed threat activity cluster has been attributed to similar attacks targeting Cambodia.

“These types of campaigns continue to demonstrate how organizations are targeted for cyber espionage purposes, where nation-state affiliated threat groups collect intelligence of geopolitical interests within the region,” the researchers said.

Earth Krahang Emerges in Wild

The findings arrive a week after Trend Micro shed light on a new Chinese threat actor known as Earth Krahang that has targeted 116 entities spanning 35 countries by leveraging spear-phishing and flaws in public-facing Openfire and Oracle servers to deliver bespoke malware such as PlugX, ShadowPad, ReShell, and DinodasRAT (aka XDealer).

The earliest attacks date back to early 2022, with the adversary leveraging a combination of methods to scan for sensitive data.

Earth Krahang, which has a strong focus in Southeast Asia, also exhibits some level of overlap with another China-nexus threat actor tracked as Earth Lusca (aka RedHotel). Both the intrusion sets are likely managed by the same threat actor and connected to a Chinese government contractor called I-Soon.

“One of the threat actor’s favorite tactics involves using its malicious access to government infrastructure to attack other government entities, abusing the infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets using compromised government email accounts,” the company said.

“Earth Krahang also uses other tactics, such as building VPN servers on compromised public-facing servers to establish access into the private network of victims and performing brute-force attacks to obtain email credentials. These credentials are then used to exfiltrate victim emails.”

The I-Soon Leaks and the Shadowy Hack-for-hire Scene

Last month, a set of leaked documents from I-Soon (aka Anxun) on GitHub revealed how the company sells a wide array of stealers and remote access trojans like ShadowPad and Winnti (aka TreadStone) to multiple Chinese government entities. This also encompasses an integrated operations platform that’s designed to carry out offensive cyber campaigns and an undocumented Linux implant codenamed Hector.

“The integrated operations platform encompasses both internal and external applications and networks,” Bishop Fox said. “The internal application is mainly for mission and resource management. The external application is designed to carry out cyber operations.”

The obscure hack-for-hire entity has also been implicated in the 2019 POISON CARP campaign aimed at Tibetan groups and the 2022 hack of Comm100, in addition to attacks targeting foreign governments and domestic ethnic minorities to gain valuable information, some of which are carried out independently on their own in hopes of landing a government customer.

“The data leak has provided rare insight into how the Chinese government outsources parts of its cyber operations to private third-party companies, and how these companies work with one another to fulfill these demands,” ReliaQuest noted.

Cybersecurity firm Recorded Future, in its own analysis, said the leak unravels the “operational and organizational ties” between the company and three different Chinese state-sponsored cyber groups such as RedAlpha (aka Deepcliff), RedHotel, and POISON CARP.

“It provides supporting evidence regarding the long-suspected presence of ‘digital quartermasters‘ that provide capabilities to multiple Chinese state-sponsored groups.”

It also said the overlaps suggest the presence of multiple sub-teams focused on particular missions within the same company. I-Soon’s victimology footprint spreads to at least 22 countries, with government, telecommunications, and education representing the most targeted sectors.

Furthermore, the publicized documents confirm that Tianfu Cup – China’s own take on the Pwn2Own hacking contest – acts as a “vulnerability feeder system” for the government, allowing it to stockpile zero-day exploits and devise exploit code.

“When the Tianfu Cup submissions aren’t already full exploit chains, the Ministry of Public Security disseminates the proof of concept vulnerabilities to private firms to further exploit these proof-of-concept capabilities,” Margin Research said.

“China’s vulnerability disclosure requirement is one part of the puzzle of how China stockpiles and weaponizes vulnerabilities, setting in stone the surreptitious collection offered by Tianfu Cup in previous years.”

The source of the leak is currently not known, although two employees of I-Soon told The Associated Press that an investigation is ongoing in collaboration with law enforcement. The company’s website has since gone offline.

“The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem,” SentinelOne’s Dakota Cary and Aleksandar Milenkoski said. “It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.”