4 June 2021 | Asia Cyber Summary

In the Spotlight This Week:

  • Asian cybercrime takedown leads to intercept of USD 83 million in financial theft

  • Chinese cyber espionage hackers continue to target Pulse Secure VPN devices

  • Cyber attack forces U.S. meat producer to shut down operations

  • Zero-day bug in WordPress plugin under active exploitation

  • U.S. seizes domains used by APT group involved in recent USAID phishing attacks

  • AMT Games data breach: Millions of users’ messages, account IDs, and IP addresses exposed

Asian Cybercrime Takedown Leads to Intercept of $83 million in Financial Theft

A crackdown on financial cybercrime across Asia has resulted in the interception of $83 million sent by victims to criminals.

Interpol said last week that Operation Haechi-i, running between September 2020 and March 2021, focused on combating investment fraud, romance scams, money laundering linked to illegal online gambling, online sextortion, and voice phishing.

In total, $83 million was intercepted over the course of six months before the victims of these scams sent all of the requested funds to cybercriminals.

Financial cybercrime, conducted through online platforms and services, is a global issue that requires cross-border collaboration. Operation Haechi-i is an example of this, as it included specialist law enforcement officers in Cambodia, China, Indonesia, South Korea, Laos, the Philippines, Singapore, Thailand, and Vietnam.

Operation Haechi-i is the first operation planned over the next three years by law enforcement in Southeast Asia to tackle financial cybercrime.

Chinese Cyber Espionage Hackers Continue to Target Pulse Secure VPN Devices

Cybersecurity researchers from FireEye unmasked additional tactics, techniques, and procedures (TTPs) adopted by Chinese threat actors who were recently found abusing Pulse Secure VPN devices to drop malicious web shells and exfiltrate sensitive information from enterprise networks.

FireEye's Mandiant threat intelligence team, which is tracking the cyber espionage activity under two activity clusters, UNC2630 and UNC2717, said the intrusions line up with key Chinese government priorities, adding "many compromised organizations operate in verticals and industries aligned with Beijing's strategic objectives outlined in China's recent 14th Five Year Plan."

In addition, the threat actors were also observed removing web shells, ATRIUM, and SLIGHTPULSE, from dozens of compromised VPN devices between April 17 and April 20 in what the researchers describe as "unusual," suggesting "this action displays an interesting concern for operational security and a sensitivity to publicity."

At the heart of these intrusions lies CVE-2021-22893, a recently patched vulnerability in Pulse Secure VPN devices that the adversaries exploited to gain an initial foothold on the target network. They then used that foothold to steal credentials, escalate privileges, and conduct internal reconnaissance by moving laterally across the network, before maintaining long-term persistent access and accessing sensitive data.

Cyber Attack Forces U.S. Meat Producer to Shut Down Operations

The world’s largest meat distributor shut down some operations in both the United States and Australia over the Memorial Day weekend after a cyberattack on its IT systems that could have a significant effect on the food supply chain if not resolved quickly.

Attackers targeted several servers supporting North American and Australian IT systems of JBS Foods on Sunday, according to a statement by JBS USA. JBS is a global provider of beef, chicken and pork with 245,000 employees operating on several continents and serving brands such as Country Pride, Swift, Certified Angus Beef, Clear River Farms and Pilgrim’s.

JBS’s IT system does have backup servers, which were not affected, and the company is working with a third-party incident response firm to restore operations as soon as possible, according to the statement.

Further, the company said that there is no evidence so far that “any customer, supplier or employee data has been compromised or misused as a result of the situation,” according to the statement. However, customers and suppliers may experience a delay in “certain transactions,” as a “resolution of the incident will take time,” the company said.

Zero-day Bug in WordPress Plugin Under Active Exploitation

Threat actors are scanning for sites running the Fancy Product Designer plugin to exploit a zero-day bug allowing them to upload malware.

Fancy Product Designer is a visual product configurator plugin for WordPress, WooCommerce, and Shopify, and it allows customers to customize products using their own graphics and content. According to sales statistics for the plugin, Fancy Product Designer has been sold and installed on more than 17,000 websites.

Attackers who successfully exploit the Fancy Product Designer bug can bypass the built-in checks that block malicious file uploads and deploy executable PHP files on sites where the plugin is installed.

This allows the threat actors to completely take over vulnerable sites following remote code execution attacks. Since the vulnerability is under active exploitation and was rated as critical severity, customers are advised to immediately install the Fancy Product Designer 4.6.9 patched version released on June 2.

Wordfence is still holding off on releasing additional details about this vulnerability until more sites running Fancy Product Designer update to the latest version, given that the zero-day can be exploited "in some configurations" even after deactivation.

U.S. Seizes Domains Used by APT Group Involved in Recent USAID Phishing Attacks

The U.S. Department of Justice has seized two Internet domains used in recent phishing attacks impersonating the U.S. Agency for International Development (USAID) to distribute malware and gain access to internal networks.

The two domains seized by the DOJ are theyardservice[.]com and worldhomeoutlet[.]com. They were used to receive data exfiltrated from victims of the targeted phishing attacks and to send further commands for the malware to execute on infected machines.

Microsoft first disclosed these attacks last Thursday and stated that they were conducted by a Russian state-affiliated hacking group known as NOBELIUM (APT29, Cozy Bear, and The Dukes). This group is believed to be affiliated with the Russian Foreign Intelligence Service (SVR).

AMT Games Data Breach: Millions of Users’ Messages, Account IDs, and IP Addresses Exposed

WizCase’s security team discovered an unsecured ElasticSearch server owned by AMT Games which exposed 1.47 TB of data.

AMT Games is a mobile and browser game developer based in China. Its free-to-play mobile game, Battle for the Galaxy, has millions of users in 103 countries, and the app can be found on Android, iPhone, Steam, and its own website as an in-browser game.

This leak exposed users’ email addresses, IP addresses, Facebook data, and more to potential attack. The leaked data numbers in the millions and was accessible to anyone who possessed the link. There was no need for a password or login credentials to access the information, and the data was not encrypted. The leak has since been secured.
