CyberSecurity news

FlagThis - #PlugX

MalBot@malware.news //
The US Treasury Department has sanctioned a Chinese cybersecurity firm, Sichuan Juxinhe Network Technology Co., and a Shanghai-based hacker, Yin Kecheng, for their involvement in significant cyberattacks. These attacks compromised sensitive systems at the Treasury Department and at major US telecommunication companies and ISPs. Sichuan Juxinhe is linked to the Salt Typhoon hacking group, which has infiltrated numerous US telecom companies and ISPs, intercepting sensitive data from high-value political officials and communication platforms. Yin Kecheng, connected to the Chinese Ministry of State Security (MSS), is associated with the recent breach of the Treasury's network, which affected systems involved in sanctions and foreign investment reviews.

The Treasury's systems, including those used by Secretary Janet Yellen, were accessed during the breach, resulting in the theft of over 3,000 files. The stolen data included policy documents, organizational charts, and information on sanctions and foreign investment. The cyber activity has been attributed to the Salt Typhoon group, alongside a related group known as Silk Typhoon (formerly Hafnium), which exploited vulnerabilities in Microsoft Exchange Server and used compromised APIs. The Treasury Department stated that it will continue using its authority to hold accountable malicious actors that target the American people and the US government.


References:
  • malware.news: US Sanctions Chinese firm behind sweeping Salt Typhoon telecom hacks
  • The Hacker News: U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon
  • BleepingComputer: US sanctions Chinese firm, hacker behind telecom and Treasury hacks
  • ciso2ciso.com: US Sanctions Chinese Hacker & Firm for Treasury, Critical Infrastructure Breaches – Source: www.darkreading.com
  • ciso2ciso.com: US sanctions Chinese hacker & firm for Treasury, critical infrastructure breaches
  • U.S. Treasury: Treasury's OFAC is sanctioning Yin Kecheng, a Shanghai-based cyber actor who was involved with the recent Department of the Treasury network compromise.
  • ciso2ciso.com: U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon – Source:thehackernews.com
  • securityaffairs.com: U.S. Treasury Sanctions Chinese cybersecurity firm and actor over federal agency breach tied to Salt Typhoon
  • ciso2ciso.com: Treasury Levels Sanctions Tied to a Massive Hack of Telecom Companies and Breach of Its Own Network – Source: www.securityweek.com
  • ciso2ciso.com: The U.S. Treasury’s OFAC sanctioned a Chinese cybersecurity firm and a Shanghai cyber actor for ties to Salt Typhoon and a federal agency breach.
  • www.tomshardware.com: News report on Chinese hackers infiltrating US Treasury Secretary's PC and gaining access to over 400 PCs.
  • ciso2ciso.com: U.S. Treasury Sanctions Chinese cybersecurity firm and actor over federal agency breach tied to Salt Typhoon
  • www.nextgov.com: US Treasury Department sanctions imposed for Salt Typhoon's involvement.
  • www.nextgov.com: The Treasury Department's sanctions follow a major hack targeting telecommunications companies and potentially impacting high-value political officials.
  • Threats | CyberScoop: Treasury sanctions Chinese cybersecurity company, affiliate for Salt Typhoon hacks.
  • thecyberexpress.com: U.S. Treasury sanctions Salt Typhoon hackers
  • www.csoonline.com: The US is hitting back against the threat group, dubbed Salt Typhoon by Microsoft, which is allegedly behind recent cyber attacks against American telecommunications providers, as part of a wider campaign against Chinese-based hacking.
  • Security Affairs: The US Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned Chinese firm Sichuan Juxinhe Network Technology Co., LTD.
  • Security Boulevard: U.S. Treasury Sanctions Chinese Individual, Company for Data Breaches
Classification:
  • HashTags: #CyberAttack #Sanctions #ChinaCyberEspionage
  • Company: US Treasury
  • Target: US Treasury
  • Attacker: Chinese APT
  • Product: US Treasury Network
  • Feature: network compromise
  • Malware: PlugX
  • Type: Espionage
  • Severity: Major
@therecord.media //
The U.S. Department of Justice, working with the FBI, has successfully removed the PlugX malware from over 4,250 infected computers within the United States. This multi-month operation targeted the command and control infrastructure used by hackers linked to the People's Republic of China (PRC). PlugX, a remote access trojan (RAT), has been used since 2014 by the group known as Mustang Panda, or Twill Typhoon, to infiltrate systems and steal information from victims across the U.S., Europe, and Asia, as well as from Chinese dissident groups. The Justice Department obtained court orders authorizing the operation to eliminate the malware, which is known for its capability to remotely control compromised devices and extract information from them. The action aimed to disrupt the ability of state-sponsored cyber threat actors to carry out further malicious activity on affected networks.

The removal of PlugX relied on a self-delete command that was developed by the French cybersecurity firm Sekoia. The FBI tested the method before deploying it. The command deleted the malware from infected computers without impacting their legitimate functions or collecting any further content. The operation was conducted in partnership with French law enforcement, which had also identified a botnet of infected devices in its own investigation. This international cooperation highlights the ongoing efforts to counteract nation-state cyber threats and protect U.S. cybersecurity. The owners of the affected devices have been notified of the actions through their internet service providers.


References:
  • ciso2ciso.com: FBI Wraps Up Eradication Effort of Chinese ‘PlugX’ Malware – Source: www.darkreading.com
  • Threats | CyberScoop: Law enforcement action deletes PlugX malware from thousands of machines
  • The Hacker News: FBI Deletes PlugX Malware from 4,250 Hacked Computers in Multi-Month Operation
  • therecord.media: The Record reports DOJ deletes China-linked PlugX malware.
  • discuss.privacyguides.net: FBI Deletes PlugX Malware from 4,250 Hacked Computers in Multi-Month Operation
  • securityonline.info: “PlugX” Malware Deleted from Thousands of Computers in Global Operation
  • www.justice.gov: Justice.gov press release on international operation to delete PlugX malware.
  • www.scworld.com: Widespread PlugX malware compromise eradicated in law enforcement operation
  • securityaffairs.com: FBI deleted China-linked PlugX malware from over 4,200 US computers
  • CyberInsider: FBI Neutralizes PlugX Malware on 4,200 Computers in the U.S.
  • securityboulevard.com: Security Boulevard article on FBI Deletes PlugX Malware From Computers Infected by China Group
  • www.helpnetsecurity.com: FBI removed PlugX malware from U.S. computers
  • The Verge: FBI hacked thousands of computers to make malware uninstall itself
  • malware.news: PlugX malware deleted from thousands of systems by FBI
  • Malwarebytes: Malwarebytes blog post on PlugX removal operation.
  • www.bleepingcomputer.com: BleepingComputer reports on FBI wipes Chinese PlugX malware from over 4,000 US computers
  • www.techmeme.com: The US says the FBI hacked ~4.2K devices in the US to delete PlugX, malware used by China-backed hackers since 2014, after obtaining warrants in August 2024 (Carly Page/TechCrunch)
  • cyberpress.org: Cyberpress.org article about 4,000+ PCs Infected by Chinese Hackers with PlugX Malware
Classification:
  • HashTags: #PlugX #CyberAttack #DOJ
  • Company: US DOJ
  • Target: US Computers
  • Attacker: China
  • Product: PlugX malware
  • Feature: malware removal
  • Malware: PlugX
  • Type: Malware
  • Severity: Major
@www.recordedfuture.com //
The Chinese state-sponsored cyber espionage group known as RedDelta, also referred to as Mustang Panda, has been actively targeting several countries in Asia and beyond since July 2023. Its operations have primarily focused on Mongolia, Taiwan, and Southeast Asia, but have also extended to Japan, the United States, Ethiopia, Brazil, Australia, and India. RedDelta employs sophisticated spearphishing techniques, using lure documents themed around political and cultural events, such as the 2024 Taiwanese presidential candidate Terry Gou, the Vietnamese National Holiday, flood protection in Mongolia, and meeting invitations. The group has been observed distributing its customized PlugX backdoor through adapted infection chains, targeting government and diplomatic organizations.

RedDelta has evolved its attack methods over time, initially using Windows Shortcut (LNK) files, transitioning to Microsoft Management Console Snap-In Control (MSC) files in 2024, and most recently using HTML files hosted on Microsoft Azure. Since July 2023, the group has consistently used the Cloudflare content distribution network (CDN) to proxy command-and-control (C2) traffic in order to blend in with legitimate network activity, making victim identification more difficult. The group's activities, which have included successful compromises of the Mongolian Ministry of Defense and the Communist Party of Vietnam, align with the Chinese government's strategic priorities in Asia.


References:
  • malware.news: RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats
  • www.recordedfuture.com: RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats
  • The Hacker News: RedDelta Deploys PlugX Malware to Target Mongolia and Taiwan in Espionage Campaigns
  • app.recordedfuture.com: Recorded Future: RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats
  • osint10x.com: RedDelta Deploys PlugX Malware to Target Mongolia and Taiwan in Espionage Campaigns
  • securityonline.info: RedDelta Leverages PlugX Backdoor in State-Sponsored Espionage Campaigns
Classification:
  • HashTags: #RedDelta #PlugX #CyberThreat
  • Company: China
  • Target: Mongolia, Taiwan, Southeast Asia
  • Attacker: RedDelta
  • Product: Government Infrastructure
  • Feature: PlugX Backdoor
  • Malware: PlugX
  • Type: Espionage
  • Severity: Major