Cybersecurity firm Sygnia has discovered a sophisticated cyberespionage campaign allegedly linked to China. Its research, shared with Hackread.com ahead of publication, reveals that a Chinese state-sponsored group, Velvet Ant, gained persistent access to a large organization’s “complex” network, manoeuvring without detection for about three years.
Velvet Ant used compromised F5 BIG-IP devices as their secret weapon. The organization’s network relied on two F5 BIG-IP devices for firewall, WAF, load balancing, and local traffic management services, both exposed to the internet and compromised. The attackers exploited their outdated OS, transforming them into internal C2 servers to maintain persistence, evade detection systems, and establish a foothold for further infiltration.
The actor used various methods to compromise the victim organization’s systems and hijack execution flow, including DLL hijacking, sideloading, phantom DLL loading, and tampering with security software, in order to deploy PlugX malware and the ShadowPad family of malware (VELVETSTING, VELVETTAP, SAMRID aka EarthWorm, and ESRDE), both associated (PDF) with Chinese espionage groups.
The PlugX remote access trojan allowed the attackers to gain control over the machines, and its modular plugin system further extended their capabilities for malicious purposes. The actor tampered with the EDR product “consistently” before installing PlugX and used an internal file server as C2, blending its traffic with legitimate traffic to deploy two versions of PlugX.
The PlugX malware execution chain consisted of three files: ‘iviewers.exe’, ‘iviewers.dll’, and ‘iviewers.dll.ui’. These files, a legitimate application and the malicious PlugX DLL loader, were loaded via DLL search order hijacking, and the chain was installed as a Windows service.
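As an added hunting example (not Sygnia’s tooling or code from the report), the following Python heuristic flags Windows services whose on-disk layout matches the chain described above: a service binary outside the standard program directories, a DLL sharing the binary’s base name beside it, and a double-extension companion file such as ‘.dll.ui’. The service names, directories and file inventories are constructed placeholders, not data from the incident.

```python
"""Hunt for PlugX-style DLL search-order hijacking chains installed as services."""
from pathlib import PureWindowsPath

# Directories where a service binary normally lives; anything else is a weak signal.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def sideload_indicators(image_path, dir_listing):
    """Return the list of indicators observed for one service binary.

    image_path  - the service's executable path (surrounding quotes tolerated,
                  arguments are assumed to be absent)
    dir_listing - file names found in the executable's directory
    """
    path = PureWindowsPath(image_path.strip('" '))
    stem = path.stem.lower()                       # 'iviewers' for iviewers.exe
    folder = str(path.parent).lower() + "\\"
    files = {f.lower() for f in dir_listing}
    found = []
    if not folder.startswith(TRUSTED_ROOTS):
        found.append("binary outside standard program directories")
    if stem + ".dll" in files:
        found.append("same-named DLL beside the binary (search-order hijack layout)")
    # e.g. iviewers.dll.ui: a DLL name with an extra trailing extension
    if any(f.startswith(stem + ".dll.") for f in files):
        found.append("double-extension companion file (possible encrypted payload)")
    return found


def triage_services(services, min_indicators=2):
    """services: iterable of (service_name, image_path, dir_listing).
    Returns {service_name: indicators} for services meeting the threshold;
    a single indicator alone is common for legitimate software."""
    flagged = {}
    for name, image_path, listing in services:
        hits = sideload_indicators(image_path, listing)
        if len(hits) >= min_indicators:
            flagged[name] = hits
    return flagged


# Constructed sample inventory (hypothetical names, not real data from the incident).
SAMPLE_SERVICES = [
    ("iviewersSvc", r"C:\ProgramData\iviewers\iviewers.exe",
     ["iviewers.exe", "iviewers.dll", "iviewers.dll.ui"]),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", ["spoolsv.exe", "localspl.dll"]),
    ("VendorApp", r"C:\Program Files\Vendor\app.exe", ["app.exe", "app.dll"]),
    ("Updater", r"C:\Users\Public\upd.exe", ["upd.exe", "config.ini"]),
]

if __name__ == "__main__":
    for name, hits in triage_services(SAMPLE_SERVICES).items():
        print(f"{name}: " + "; ".join(hits))
```

On a live host the inventory would come from the services' registry ImagePath values and a directory listing of each binary's folder; the threshold keeps single-indicator vendor layouts (an app with its own helper DLL under Program Files) out of the results.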
In addition to these tools, Velvet Ant used Impacket, an open-source collection of Python classes, for lateral tool transfer and remote code execution on compromised devices, creating firewall rules to allow connections to the C2 server.
The group demonstrated high operational security awareness, avoiding installing the malware on a workstation where it failed to disable the security software. Velvet Ant’s focus wasn’t just on establishing dominance but on acquiring sensitive data for espionage purposes.
Sygnia successfully removed the threat actor from the network, but the actor resurfaced repeatedly through “dormant persistence mechanisms in unmonitored systems,” Sygnia’s blog post read.
Regularly patching critical systems, limiting network access, deploying endpoint security solutions, limiting outbound internet traffic, enforcing strict network segmentation, and actively hunting for threats within your network are important steps to protect against such threats.
Experts’ Comments
Jason Soroko, Senior Vice President of Product at Sectigo commented on the report highlighting the vulnerable state of legacy equipment and the cybersecurity threat they pose.
“Legacy equipment in an organization’s network is a significant cybersecurity risk. These outdated systems lack modern authentication capabilities and have vulnerabilities that often cannot be patched, making them prime targets for cyber-attacks,” Jason explained. “Legacy systems also often rely on simple passwords, as seen in the Velvet Ant attack. Despite efforts to eradicate these threats, legacy equipment provided persistent re-entry points for attackers.”
To mitigate this threat, Jason advised that “Balancing the risk posed by legacy systems with the investment needed to upgrade them is crucial. These kinds of decisions need to be made using a top-down approach, with executives who own the risk within an organization understanding where the balance point is.”
“From a technical standpoint, architecting and modernizing infrastructure, enhancing patch management, and enforcing advanced authentication are necessary steps to mitigate these risks. It should be noted that within the timeframe of most of our careers, the advent of quantum computing poses new threats, as legacy systems are ill-equipped to handle quantum-resistant encryption,” he added.