06 August 2021 | Asia Cyber Summary

In the Spotlight This Week:

  • Chinese hackers target telecommunications firms in Southeast Asia

  • Hackers used never-before-seen wiper in recent attack on Iranian train system

  • Spyware features found in Chinese state benefits app

  • Top FBI official advises Congress against banning ransomware payments

  • Chipotle email marketing hacked to send phishing emails

  • A Silicon Valley VC firm with $1.8B in assets hit by ransomware

Chinese Hackers Target Telecommunications Firms in Southeast Asia

Researchers have found multiple state-backed threat actors exploiting security vulnerabilities in Microsoft Exchange Servers. Phone records and user location data from five global telecom companies in South East Asia have been stolen.

The cyber espionage campaign dubbed ‘DeadRinger’ found three clusters of intrusions by the hacking groups Soft Cell, Naikon APT, and Group-3390; all likely “operating in the interests of China.”

Researchers said they had proactively sought out threat actors after the US, Britain, European Union and others blamed China for sponsoring the massive Microsoft hack discovered earlier this year that compromised tens of thousands of computers and networks.

Hackers Used Never-Before-Seen Wiper in Recent Attack on Iranian Train System

Researchers with cybersecurity company SentinelOne reconstructed the recent cyberattack on Iran's train system in a new report, uncovering a new threat actor -- which they named 'MeteorExpresss' -- and a never-before-seen wiper.

Simple steps can make the difference between losing your online accounts or maintaining what is now a precious commodity: Your privacy.

On July 9, local news outlets began reporting on a cyberattack targeting the Iranian train system, with hackers defacing display screens in train stations by asking passengers to call '64411', the phone number of Iranian Supreme Leader Khamenei's office.

Train services were disrupted and just one day later, hackers took down the website of Iran's transport ministry. According to Reuters, the ministry's portal and sub-portal sites went down after the attack targeted computers at the Ministry of Roads and Urban Development.

In his examination, SentinelOne principal threat analyst Juan Andres Guerrero-Saade explained that the people behind the attack called the never-before-seen wiper 'Meteor' and developed it in the last three years.

Spyware Features Found in Chinese State Benefits App

Spyware-like features have been discovered inside an app named “Beijing One Pass” that foreign companies operating in China are forced to install on their systems in order to access a digital platform to manage employee state benefits.

The spyware behavior was discovered last month by Insikt Group, the threat research division of Recorded Future, which analyzed a copy received from a customer who was forced to install the suspicious on its systems.

According to the team’s analysis, the app contained features that could be considered “suspicious for a benefits software application” and which are ordinarily found in malware strains. This included features such as: Disabling of security and backup services on the host device, reading data from the clipboard, recording screenshots, capturing and retrieving keystrokes, attempts to read, create, or modify system registry ROOT certificates, checking periodically for human interaction with the operating system as the file is run, allow-listing domains for ActiveX use, which would allow it to connect to external internet resources, and the ability to autorun at Windows startup to ensure persistence

Top FBI Official Advises Congress Against Banning Ransomware Payments

A senior FBI official advised members of the Senate Judiciary Committee on Tuesday against the idea of banning companies from paying hackers behind ransomware attacks, which have become a national security concern in recent months.

“It’s our opinion that banning ransomware payments is not the road to go down,” Bryan Vorndran, the assistant director of the FBI’s Cyber Division, said in response to a question by Sen. Mazie Hirono (D-Hawaii).

Vorndran stressed that this was due to the increasing sophistication of ransomware attacks, as many cyber criminals not only encrypt a company’s network and demand payment, but also steal data from companies to use for additional blackmail if the attack is reported.

Vorndran noted that the FBI estimates between “25 and 35 percent” of cyber incidents are not reported to federal law enforcement, making it difficult for the FBI and other agencies to fully assess the scope of the ransomware attack problem and respond accordingly.

Chipotle Email Marketing Hacked to Send Phishing Emails

Cybercriminals have begun sending out phishing emails after they were able to gain access to one of the email marketing accounts used by the US-based Mexican food chain Chipotle.

According to the email security company Inky, the threat actors behind the campaign sent out at least 120 malicious emails in just three days from a hacked Mailgun account that the food chain used for email marketing.

Cybercriminals often try to obtain legitimate email addresses from businesses as they increase the chances of their phishing emails being delivered since they'll be able to bypass authentication methods including DomainKeys Identified Mail (DKIM) and Sender Policy Framework.

A Silicon Valley VC Firm with $1.8B in Assets Hit by Ransomware

Advanced Technology Ventures, a Silicon Valley venture capital firm with more than $1.8 billion in assets under its management, was hit by a ransomware attack in July that saw cybercriminals steal personal information on the company’s private investors, or limited partners (LPs).

In a letter to the Maine attorney general’s office, ATV said it became aware of the attack on July 9 after its servers storing financial information had been encrypted by ransomware. By July 26, the ATV learned that data had been stolen from the servers before the files were encrypted, a common “double extortion” tactic used by ransomware groups, which then threaten to publish the files online if the ransom to decrypt the files is not paid.

The letter said ATV believes the names, email addresses, phone numbers and Social Security numbers of the individual investors in ATV’s funds were stolen in the attack. Some 300 individuals were affected by the incident, including one person in Maine, according to a listing on the Maine attorney general’s data breach notification portal.

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.