{"id":196,"date":"2024-09-10T10:09:00","date_gmt":"2024-09-10T10:09:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=196"},"modified":"2024-09-10T10:09:00","modified_gmt":"2024-09-10T10:09:00","slug":"china-based-cyber-espionage-campaign-in-se-asia-is-expanding-says-sophos","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=196","title":{"rendered":"China-based cyber espionage campaign in SE Asia is expanding, says Sophos"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>CISOs in Southeast Asia should be on alert after the discovery that a suspected China-based cyber espionage campaign that started last year is expanding its scope.<\/p>\n<p>The warning today comes from researchers at Sophos, in a new report on activity it dubs <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/09\/09\/crimson-palace-new-tools-tactics-targets\/\">Operation Crimson Palace<\/a>. Initially the campaign \u2014 made up of clusters of activity by three attack groups \u2014 targeted what researchers said was a prominent agency of an unnamed country in Southeast Asia in 2023.<\/p>\n<p>The three threat groups Sophos identified as being part of the campaign are nicknamed Alpha, Bravo, and Charlie. Sophos isn\u2019t sure whether they are all government-run groups or include private hackers. 
Each group seemed to specialize: Alpha focused on initial access and persistence, while Charlie specialized in finding documents.<\/p>\n<p>Sophos says the groups\u2019 activity, which it believes was overseen by China\u2019s Ministry of State Security, stopped in August of that year.<\/p>\n<p>But the updated report says that not only has the activity resumed, using a previously undocumented keylogger, but the attacks have also spread, including to two non-governmental public service organizations that Sophos says have government-related roles, as well as to other targets in Southeast Asia.<\/p>\n<p>\u201cIt\u2019s unlikely this threat group is only pursuing the victims we\u2019ve seen,\u201d Chester Wisniewski, Sophos\u2019 global field CTO, said in an interview. \u201cWe\u2019ve only got visibility into certain organizations because they\u2019re our clients, so we\u2019re hoping by sharing this information, our competitors that may be protecting similar entities in the region can use the information we have to perhaps identify more activity and maybe add their information to paint a more complete picture.\u201d<\/p>\n<p>\u201cWe are seeing highly coordinated activity between multiple groups, with bespoke malware being developed on the fly,\u201d he added. When that bespoke malware is detected, the threat actors temporarily shift to open source tools, \u201cput the hammer down and really go at it, and then before you know it they\u2019re back with new, not-seen-before malware again.\u201d<\/p>\n<h2 class=\"wp-block-heading\">\u2018Wily\u2019 attackers<\/h2>\n<p>The open source tools include Cobalt Strike (for command and control, aka C2), SharpHound (for Active Directory reconnaissance), Impacket (for lateral movement), Donut (a shellcode loader), Cloudflared tunnel (also for C2), RealBlindingEDR (for disabling endpoint detection and response products), and more.<\/p>\n<p>A compromised, unnamed telecom provider was also used in the campaign.<\/p>\n<p>Wisniewski described the attackers as \u201csophisticated and wily\u201d and spoke of the \u201crelentlessness\u201d of their efforts.<\/p>\n<p>Asked what CISOs and infosec leaders in Southeast Asia need to be doing, Wisniewski said, \u201cThe speed at which these groups are able to operate and how they are able to shift gears means you really need to have a 24 by 7 monitoring operation these days.<\/p>\n<p>\u201cYou need to make sure you\u2019re actively threat hunting for this type of activity and understand your network may be abused as part of a supply chain [attack].\u201d<\/p>\n<p>Among the intelligence being sought in this campaign, he said, are documents about the <a href=\"https:\/\/www.britannica.com\/topic\/territorial-disputes-in-the-South-China-Sea\">ongoing dispute in the South China Sea<\/a> between China and Taiwan, the Philippines, Malaysia and Brunei. 
This dispute has also drawn the attention of the US.<\/p>\n<h2 class=\"wp-block-heading\">New techniques<\/h2>\n<p>One new technique the researchers suspect is the use of trial versions of Sophos <a href=\"https:\/\/www.csoonline.com\/article\/653052\/how-to-pick-the-best-endpoint-detection-and-response-solution.html\">EDR software<\/a> to make attack or test servers appear to be located in Europe and the US.<\/p>\n<p>Another tactic is installing Trend Micro\u2019s Platinum Watch Dog, a utility that detects whether a Trend Micro agent is running on a server, as part of an attack.<\/p>\n<p>Other new tactics seen include the use of one organization\u2019s IT servers as a command and control relay point and a staging ground for attack tools, and the staging of malware on another organization\u2019s compromised Microsoft Exchange server.<\/p>\n<p>Another alarming finding: in one case, the threat actor was able to create a new user machine authentication key, suggesting the attackers attempted to authenticate a remote desktop protocol session from a device outside the targeted organization\u2019s IT environment.<\/p>\n<p>As noted in Sophos\u2019 first report on Crimson Palace, the threat actors rely heavily on DLL sideloading: a malicious Windows dynamic link library that exports the same function names a legitimate, signed Windows executable expects to import is placed in a directory where that executable will find and load it before the genuine DLL (typically the executable\u2019s own directory, which Windows searches before System32 for any DLL not on the KnownDLLs list), so the attacker\u2019s code runs inside a trusted, signed process.<\/p>\n<h2 class=\"wp-block-heading\">Recent attacks<\/h2>\n<p>Among the more recent efforts:<\/p>\n<p>in April, the attackers injected a new keylogger researchers dub TattleTale, which can collect data from Edge and Chrome browsers;<\/p>\n<p>in June, the attackers installed the Cloudflared tunnel client after disabling telemetry on the computer so deployment of the tunnel wasn\u2019t detected. 
It went unreported until incident response re-activated endpoint protection later that month.<\/p>\n<p>Western countries have been warning for years of China\u2019s cyber espionage threats. In May, US and UK officials issued cautions at a British security conference.<\/p>\n<p>\u201cRussia and Iran pose immediate threats, but China is the \u2018epoch-defining\u2019 challenge,\u201d Reuters quoted Anne Keast-Butler, director of Britain\u2019s Government Communications Headquarters (GCHQ) electronic spy agency, as saying.<\/p>\n<p>And Harry Coker, US National Cyber Director, was quoted as telling the conference that Chinese military hackers were circumventing US defenses in cyberspace and targeting US interests at an \u201cunprecedented scale.\u201d<\/p>\n<p>Separately, in February, the US Cybersecurity and Infrastructure Security Agency (CISA) <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa24-038a\">issued a detailed advisory<\/a> on a campaign by a China-based group dubbed Volt Typhoon (also known by other researchers as UNC3236, Bronze Silhouette, and other nicknames) to infiltrate critical infrastructure in a number of countries. That campaign isn\u2019t espionage, the advisory said, but an effort to pre-position malware in sensitive utilities for possible future network disruption.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISOs in Southeast Asia should be on alert after the discovery that a suspected China-based cyber espionage campaign that started last year is expanding its scope. The warning today comes from researchers at Sophos, in a new report on activity it dubs Operation Crimson Palace. 
Initially the campaign \u2014 made up of clusters of activity [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":172,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-196","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/196"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=196"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/196\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/172"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
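The DLL sideloading pattern the article describes (a signed executable loading an attacker's DLL from its own directory instead of the genuine DLL in System32) is something a defender can hunt for in endpoint image-load telemetry. The following is an added example, not code from the article, from Sophos or from the Crimson Palace report. It classifies image-load records in an assumed, constructed schema (keys process, process_signed, dll, dll_signed, dll_sig_status; these are not Sysmon's field names) and flags a signed executable loading an unsigned or invalidly signed DLL from its own directory, rating hits whose file name collides with a DLL that normally lives in System32 as high confidence. The list of commonly impersonated DLL names and the sample records are constructed for the example.

```python
import ntpath
from typing import Iterable, List, Optional, Tuple

# Illustrative subset of DLL names that normally live in System32 and are
# frequently impersonated for sideloading. Constructed for this example; a
# real hunt would use a fuller list maintained from your own telemetry.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll",
    "userenv.dll", "msimg32.dll", "winhttp.dll", "dwmapi.dll",
}

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations an ordinary user can write to; a signed binary running from here
# with an unsigned DLL beside it deserves a look even if the name is unfamiliar.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def _dir(path: str) -> str:
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return ntpath.dirname(path.lower()) + "\\"


def classify(event: dict) -> Optional[str]:
    """Return 'high', 'low' or None for one image-load record.

    Record keys (assumed schema for this example, not Sysmon's fields):
    process, process_signed, dll, dll_signed, dll_sig_status.
    """
    if not event["process_signed"]:
        return None                 # sideloading needs a trusted host binary
    dll = event["dll"].lower()
    dll_dir = _dir(dll)
    if dll_dir.startswith(SYSTEM_DIRS):
        return None                 # the genuine system DLL from the genuine place
    if dll_dir != _dir(event["process"]):
        return None                 # not the application directory, which Windows
                                    # searches first for DLLs not on the KnownDLLs list
    if event["dll_signed"] and event["dll_sig_status"] == "Valid":
        return None                 # validly signed vendor DLL beside a signed exe
    if ntpath.basename(dll) in SYSTEM_DLL_NAMES:
        return "high"               # unsigned/invalid DLL impersonating a System32 DLL
    if dll_dir.startswith(USER_WRITABLE_PREFIXES):
        return "low"                # unsigned DLL beside a signed exe in a user-writable path
    return None


def hunt(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Return (severity, process, dll) for every record that looks like sideloading."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev:
            hits.append((sev, ev["process"], ev["dll"]))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # genuine system DLL: benign
        "process": r"C:\Program Files\Vendor\app.exe", "process_signed": True,
        "dll": r"C:\Windows\System32\version.dll", "dll_signed": True, "dll_sig_status": "Valid",
    },
    {   # validly signed vendor DLL beside a signed exe: benign
        "process": r"C:\Program Files\Vendor\app.exe", "process_signed": True,
        "dll": r"C:\Program Files\Vendor\vendorlib.dll", "dll_signed": True, "dll_sig_status": "Valid",
    },
    {   # classic sideload: a signed binary dropped in a user-writable folder
        # loads an unsigned version.dll sitting next to it
        "process": r"C:\Users\Public\Tools\svchost.exe", "process_signed": True,
        "dll": r"C:\Users\Public\Tools\version.dll", "dll_signed": False, "dll_sig_status": "Unavailable",
    },
    {   # dbghelp.dll carrying a signature that no longer validates (tampered)
        "process": r"C:\ProgramData\Update\updater.exe", "process_signed": True,
        "dll": r"C:\ProgramData\Update\dbghelp.dll", "dll_signed": True, "dll_sig_status": "Invalid",
    },
    {   # unsigned DLL with an unfamiliar name beside a signed exe under ProgramData
        "process": r"C:\ProgramData\Update\updater.exe", "process_signed": True,
        "dll": r"C:\ProgramData\Update\helper.dll", "dll_signed": False, "dll_sig_status": "Unavailable",
    },
    {   # unsigned process loading an unsigned DLL: bad, but not the sideload pattern
        "process": r"C:\Users\Public\Tools\dropper.exe", "process_signed": False,
        "dll": r"C:\Users\Public\Tools\version.dll", "dll_signed": False, "dll_sig_status": "Unavailable",
    },
]

if __name__ == "__main__":
    for sev, proc, dll in hunt(SAMPLE_EVENTS):
        print(f"[{sev}] {proc} loaded {dll}")
```

Run against the constructed records, the hunt returns two high-confidence hits (the unsigned version.dll and the invalidly signed dbghelp.dll) and one low-confidence hit (helper.dll); the genuine System32 load, the validly signed vendor DLL and the unsigned process are all ignored. The directory comparison is the core of the check: it mirrors the Windows search order the article's sideloading description relies on, where the application directory is consulted before System32 for any DLL not on the KnownDLLs list.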