13 May 2022 | Asia Cyber Summary

In the Spotlight this Week:

  • Google Cloud has a security issue even firewalls cannot stop

  • South Korea Joins NATO Cyber Defense Unit

  • Critical F5 Big IP vulnerability exploited to wipe devices

  • Hackers Can Hide Malware in Windows Event Logs

  • China-Backed Winnti Group Behind Major Cyber Espionage, Finds Israel-American Firm

Google Cloud Has a Security Issue Even Firewalls Cannot Stop

A misconfiguration in the Google Cloud Platform (GCP) potentially gives cyber attackers full control over the endpoint of a cyber target’s virtual machine (VM).


According to Cloud incident response experts Mitiga, attackers can utilize existing legitimate system features to read and write data from VMs, potentially resulting in a complete system takeover. While Mitiga disregards this dangerous functionality as a vulnerability or system error, it is a misconfiguration that is common enough to warrant concern. As such, Mitiga recommends that Google revises its GCP documentation to provide clarification that firewalls and other network access controls do not fully restrict access to VMs.


South Korea Joins NATO Cyber Defense Unit

The acceptance of South Korea’s National Intelligence Service (NIS) into NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), has increased tensions from China and North Korea. Chinese military analysts have reportedly said that this move could threaten Chinese security interests in the region, due to the expansion of NATO and American interest in the region.


CCDCOE is a cyber defense hub founded in 2008 to focus on cybersecurity research, training, and exercises.


Historically, both China and North Korea have sheltered an army of cyber threat actors which have targeted the South Korean government and national infrastructures, and various institutions. Considering the use of cyberspace as a tool of war in the ongoing Russia-Ukraine conflict, there is stronger conviction on South Korea’s decision to join the CCDCOE. It should also be noted that the CCDCOE is separate from NATO’s command structure, and that South Korea’s admission to the group does not imply membership to the NATO alliance.


Analysts have long believed that South Korea relies on China to influence and put pressure on North Korea.


However, South Korea’s admission of NIS to the CCDCOE comes at a critical time where South Korea’s President-elect will be taking office this week. He is anticipated to forsake the long-adopted Sunshine Policy, which sought to improve relations with North Korea through dialogue, and take a tougher stance on Pyongyang.


Given that South Korea’s principle national security and defense goal is to neutralize North Korean missile threats, the recommended course of action would be to form an alliance with the United States yet remain collaborative with China.


Critical F5 BIG-IP Vulnerability Exploited to Wipe Devices

A critical vulnerability in F5’s BIG-IP has been used in destructive attacks, which attempt to erase the file system of a device and render the server unusable.


The vulnerability allows hackers to remotely execute commands on BIG-IP network devices as ‘root’ without authentication. These include actions such as “arbitrary system commands, create or delete files, or disable services.”


There are thousands of BIG-IP systems exposed on the internet. While the majority of attacks were used to drop webshells for initial access to networks, steal SSH keys, and enumerate system information, at least two attacks have been targeting BIG-IP devices in a much more nefarious way.


According to SANS Internet Storm Center, their honeypots saw two attacks executing a command that attempted to erase all files on the BIG-IP devices’ Linux file system, including configuration files needed for the device to operate correctly.


Thankfully, these attacks are not widespread, with most cyber attackers looking to benefit from the breach rather than cause damage.


China-Backed Winnti Group Behind Major Cyber Espionage

The Winnti Group is responsible for a massive hacking operation on its intellectual property as part of an industrial espionage.


The Winnti Group, also known as APT41, Blackfly, and Barium, are connected hacking groups that have been in operation since 2009. They are well known for hacking in quest of intellectual property on behalf of Chinese state interests.


Most recently, Asian game developers have been its target. These include attacks against Gravity, a South Korean game developer behind the Massive Multiplayer Online Role-Playing Game (MMORPG) Ragnarok Online.


The Winnti Group attempted to collect patent and product information, source codes, tech blueprints, and manufacturing instructions. A new “family of malware” has been discovered, which is an updated version of the Winnti virus known as WINNKIT. This virus has been described as a powerful cyber tool of Chinese origin, most likely originating from military intelligence. The malware enabled hackers to undertake reconnaissance and credential dumping to extract login credentials, and move laterally throughout the network.



Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.