Asia Cyber Summaries

5 May 2023 | Asia Cyber Summary

In the spotlight this week:

  • Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics
  • Meta Uncovers Massive Social Media Cyber Espionage Operations Across South Asia
  • New Custom Iranian Malware Targeting Organisations in US, Europe, and Asia
  • Australia's Medibank Served With Third Class-Action Suit Over Cyber Breach
  • US, Ukraine Shut Down Cryptocurrency Exchanges Used by Cyber Criminals

Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics

It has been reported that a Chinese state-sponsored hacking group, identified as Earth Longzhi, has launched a new cyber espionage campaign after more than six months of inactivity. The group, a subgroup within APT41, is targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji. The cyber security researchers who attributed the intrusion set to Earth Longzhi stated that the group exploits vulnerable public-facing applications to gain entry and then deploys the BEHINDER web shell along with other payloads, including a new variant of the Cobalt Strike loader known as CroxLoader. The group has previously been linked to various other clusters known as Earth Baku, SparklingGoblin, and GroupCC.

Meta Uncovers Massive Social Media Cyber Espionage Operations Across South Asia

Meta, the parent company of Facebook and Instagram, has taken down several networks of fake accounts and malicious apps that targeted individuals in South Asia and engaged in "coordinated inauthentic behaviour" across social media platforms. Three different advanced persistent threat (APT) groups leveraged hundreds of fictitious personas to trick people into clicking on malicious links, downloading malware, or sharing personal information. Two of the groups, based in Pakistan and India, respectively, used low-sophistication malware and rogue apps and websites to infect military personnel and government employees with malware, while the third, based in India, harvested data from victims across several countries. Meta also disrupted six adversarial networks from various countries that set up fraudulent news media brands, hacktivist groups, and NGOs to build credibility and carried out coordinated inauthentic behaviour on Facebook and other platforms.

New Custom Iranian Malware Targeting Organisations in US, Europe, and Asia

A new malware tool used by the Iranian hacking group Charming Kitten, also known as Mint Sandstorm, PHOSPHORUS, and ITG18, has been discovered by security researchers. The group, thought to be state-sponsored and linked to Iran’s Islamic Revolutionary Guard Corps, has been using the malware dropper called BellaCiao, which is hard-coded for each of its victims. While the initial attack vector is unclear, it is believed to be a Microsoft Exchange exploit, with Exchange servers the main targets of the group. Once deployed, BellaCiao disables Windows Defender, establishes persistence on a machine, sets up two IIS-based backdoors for potential credential theft, and installs a custom executable. This allows Charming Kitten to download and upload files, upload weblogs, and run further commands and scripts via the malware’s C2 infrastructure. The group has been active since at least 2014 and is known to take advantage of known vulnerabilities with pre-existing proof-of-concept exploits.

Australia's Medibank Served With Third Class-Action Suit Over Cyber Breach

Australian healthcare insurance company Medibank Private Ltd is facing a third class-action lawsuit relating to a 2019 cyberattack, which saw 9.7 million current and former customers' personal data stolen and later released on the dark web. Law firm Slater & Gordon is leading the case in the country's federal court on behalf of those affected and healthcare service providers. The suit claims that Medibank failed to protect its customers' personal data and breached consumer law and privacy principles. Medibank is also under investigation by the country's privacy regulator over its handling of personal information.

US, Ukraine Shut Down Cryptocurrency Exchanges Used by Cyber Criminals

Authorities in the United States and Ukraine have collaborated to shut down nine websites that provided cryptocurrency exchange services to cyber criminals. The domains included 24xbtc.com, 100btc.pro, pridechange.com, 101crypta.com, uxbtc.com, trust-exchange.org, bitcoin24.exchange, paybtc.pro, and owl.gold. The domains and associated servers, including those in the US, have been seized. The cryptocurrency exchanges were advertised on crime forums and supported both English and Russian languages. The illegal currency exchange services were used by ransomware groups and other scammers. Meanwhile, law enforcement agencies around the world announced the takedown of dark web drug marketplace ‘Monopoly Market’ and the arrest of nearly 300 individuals who allegedly sold and bought drugs on the website.
