vietnam - X-Industry - Red Sky Alliance
2024-03-28T09:09:01Z
https://redskyalliance.org/xindustry/feed/tag/vietnam

Nation-state Hacker Group Grayling
https://redskyalliance.org/xindustry/nation-state-hacker-group-grayling
2023-10-14T13:00:00.000Z
Bill Schenkelberg, https://redskyalliance.org/members/BillSchenkelberg
<div><p>A previously unknown government-backed hacking group is targeting organizations in the manufacturing, IT, and biomedical sectors across Taiwan, Vietnam, the US and an unnamed Pacific island, according to new research from Symantec.</p>
<p>Researchers are tracking the group under the name “Grayling” and said in a report released earlier this week that it is using custom-made malware as well as publicly available tools to attack its targets. The attacks, which began in February 2023 and continued through May, stood out to researchers because of the distinctive tooling involved. The goal of the campaign is espionage rather than financial gain, they said.<a href="#_ftn1">[1]</a></p>
<p>They found attacks on several organizations in the manufacturing, IT, and biomedical sectors in Taiwan, as well as an incident involving a government agency located on the Pacific island. Unnamed organizations in Vietnam and the US were also targeted as part of the campaign. “There are indications that Grayling may exploit public facing infrastructure for initial access to victim machines,” Symantec said. “The attackers take various actions once they gain initial access to victims’ computers, including escalating privileges, network scanning, and using downloaders.”</p>
<p>The hackers used Havoc, an open-source command-and-control (C2) framework that has gained prominence among attackers as an alternative to Cobalt Strike. Its agent lets operators download additional payloads, execute commands on victim machines, manipulate Windows tokens and more.</p>
<p>During the attacks, Symantec saw the hackers use a spyware tool called NetSpy and exploit CVE-2019-0803, a Windows Win32k elevation-of-privilege vulnerability patched in 2019, to escalate privileges on compromised hosts. “While we do not see data being exfiltrated from victim machines, the activity we do see and the tools deployed point to the motivation behind this activity being intelligence gathering. The sectors the victims operate in…are also sectors that are most likely to be targeted for intelligence gathering rather than for financial reasons,” they said. “The use of custom techniques combined with publicly available tools is typical of the activity we see from APT groups these days, with threat actors often using publicly available or living-off-the-land tools in attempts to bypass security software and help their activity stay under the radar of defenders.”</p>
<p>While Symantec declined to attribute the activity to a specific country, they said the “heavy targeting of Taiwanese organizations does indicate that they likely operate from a region with a strategic interest in Taiwan.”</p>
<p>In May, the US government and Microsoft accused Chinese hackers of infiltrating critical infrastructure systems and other areas around US military bases in Guam, a US territory in the Pacific. Symantec has also released multiple reports this year tracking Chinese espionage campaigns across Vietnam and other Southeast Asian nations, as well as Taiwan.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has reported extensively on AI technology. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/nation-state-apt-targeting-taiwan-us/">https://therecord.media/nation-state-apt-targeting-taiwan-us/</a></p></div>

Vietnamese Crypto Trading Platform Hit with Log4j
https://redskyalliance.org/xindustry/vietnamese-crypto-trading-platform-hit-with-log4j
2022-01-12T17:02:57.000Z
Michael Brousseau, https://redskyalliance.org/members/MichaelBrousseau
<div><p>ONUS, the Vietnamese crypto trading platform, recently experienced an attack stemming from the Log4j vulnerability (CVE-2021-44228).<a href="#_ftn1">[1]</a> ONUS allows users to trade cryptocurrencies through its app, which is available for iOS and Android. The organization has grown significantly in the 18 months since the app’s launch in March 2020, with a large portion of its users in Vietnam, Nigeria, and the Philippines.<a href="#_ftn2">[2]</a></p>
<p>Financial organizations, and crypto platforms in particular, are juicy targets for attackers looking to lift personal information, payment information, and funds, all of which are present in a typical crypto company’s data stores. ONUS was no different: the Log4j exploit allowed attackers to reach stored information about the organization’s customers.</p>
<p>The vulnerability was in the Cyclos payment software used by ONUS. The attackers got into the servers and installed a backdoor, giving them extended access to electronic Know Your Customer (eKYC) data, which includes identification documents and customer video selfies used to verify customers’ identities, among other information.</p>
<p>CyStack, the security firm that investigated the incident for ONUS, confirmed that the Log4j vulnerability in Cyclos was the entry point for the attack. On further analysis, CyStack determined that the attackers leveraged misconfigured permissions on ONUS’ AWS S3 buckets to access and exfiltrate the information.</p>
<p>The attackers made off with the data before the Log4j vulnerability had been patched on ONUS’ systems and demanded $5 million in ransom for it. In the wild, the Log4j exploit has been used to install malware, hijack remote machines for cryptomining, and deploy ransomware binaries.<a href="#_ftn3">[3]</a></p>
<p>The attackers gave ONUS until 25 December 2021 to pay. When no ransom arrived, they put the data of close to 2 million customers up for sale on RaidForums. The listing includes personal information and hashed passwords,<a href="#_ftn4">[4]</a> as well as the eKYC data: identification cards, passports, and the video selfies users recorded for identity verification.<a href="#_ftn5">[5]</a></p>
<p>CyStack did ultimately make recommendations for ONUS to help prevent these vulnerabilities from being exploited in the future. These recommendations include:</p>
<ul>
<li>Patching the Log4j vulnerability in Cyclos using the vendor’s instructions.</li>
<li>Deactivating all of the leaked credentials for the AWS S3 buckets.</li>
<li>Configuring permissions to secure access to AWS S3 buckets.</li>
<li>Blocking public access to S3 buckets and requiring tokens for access to sensitive objects.</li>
</ul>
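<p>The bucket recommendations above are the kind of thing that is easy to state and easy to get subtly wrong, so the following is an added example (not code from ONUS, CyStack or the Cyclos project) of how to check a bucket policy document for the public grants that exposed the eKYC objects and what a least-privilege replacement looks like. It runs offline on policy JSON; the bucket name, role ARN and the weak policy itself are constructed for illustration, and the hardening pattern (a named role may read, plaintext HTTP is denied, all four Block Public Access switches on) is general AWS practice rather than anything the page says ONUS deployed.</p>

```python
"""Audit an S3 bucket policy for public access and emit a hardened replacement.

Added example, not the page's or ONUS's own code. Works offline on policy
documents as JSON; bucket name, role ARN and the weak policy are constructed.
"""
import json

# Constructed example of a policy that hands KYC objects to anyone on the internet.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-kyc-bucket",
                         "arn:aws:s3:::example-kyc-bucket/*"],
        }
    ],
}


def _is_public_principal(principal):
    """True for both spellings of 'anyone': "*" and {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def _restricts_source(condition):
    """Condition keys that pin a '*'-principal statement to one caller, account, org or network."""
    restricting = {"aws:PrincipalArn", "aws:PrincipalAccount", "aws:PrincipalOrgID",
                   "aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp"}
    for operator_keys in (condition or {}).values():
        if any(k in restricting for k in operator_keys):
            return True
    return False


def find_public_statements(policy):
    """Return the Sid (or index) of every Allow statement that grants unrestricted public access."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _is_public_principal(stmt.get("Principal")) and not _restricts_source(stmt.get("Condition")):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def hardened_policy(bucket, role_arn):
    """Least-privilege replacement: one named role may read objects; every request
    over plaintext HTTP is denied, so a leaked key is useless without TLS."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AppRoleReadOnly",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:GetObject"],
                "Resource": f"{bucket_arn}/*",
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


# Block Public Access settings (bucket or account level) that should all be on;
# they override any public grant that later slips into a policy or ACL.
BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

if __name__ == "__main__":
    print("public statements:", find_public_statements(WEAK_POLICY))
    fixed = hardened_policy("example-kyc-bucket", "arn:aws:iam::123456789012:role/example-app")
    print("public statements after hardening:", find_public_statements(fixed))
    print(json.dumps(fixed, indent=2))
```

<p>Two caveats a reviewer would raise: a statement with <code>Principal: "*"</code> is not automatically public if a condition such as <code>aws:SourceVpce</code> pins it to one endpoint, which is why the checker looks at conditions before flagging; and once the bucket is private, per-object access for end users should go through the application (for example with short-lived presigned URLs), which is the “tokens for sensitive objects” recommendation in the list above.</p>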
<p>The Log4j vulnerability (also known as Log4Shell) has been extensively exploited since its public disclosure in December 2021. Organizations and vendors are scrambling to create and apply patches for this flaw, which allows unauthenticated remote code execution wherever attacker-controlled text reaches a vulnerable logger. It carries a CVSS base score of 10.0, the maximum, meaning it is a critical risk. The Common Vulnerability Scoring System (CVSS) rates vulnerabilities so security professionals can prioritize their patching efforts.</p>
<p>A score of 10.0 puts remediation of this vulnerability at the top of the security priority list. Updating to Log4j 2.17.0 or later will aid the remediation process. According to Snyk, 60.8% of Java projects rely on Log4j indirectly, so even if your organization uses no software that depends on Log4j directly, a transitive dependency could still affect your security posture. <a href="#_ftn6">[6]</a></p>
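<p>The transitive-dependency point is the one that bites in practice: a build manifest may never mention Log4j while a shaded or Spring Boot fat JAR ships a copy inside <code>BOOT-INF/lib</code>. The scanner below is an added example (not code from Snyk, Apache or the page) that opens JARs recursively, reads the version out of log4j-core’s <code>pom.properties</code>, checks for the <code>JndiLookup</code> class the exploit reaches, and flags anything below 2.17.0 that still carries that class. It is standard library only; the sample <code>application.jar</code> it scans is constructed in memory.</p>

```python
"""Find copies of log4j-core, including ones nested inside other JARs, and flag
vulnerable versions.

Added example, not code from the page, Snyk or Apache. Standard library only,
so it runs offline; the sample application JAR is constructed in memory below.
"""
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
FIXED = (2, 17, 0)  # first 2.x release the text recommends; earlier releases are flagged


def parse_version(text):
    """Pull 'version=2.14.1' out of a pom.properties body -> (2, 14, 1), or None."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def scan_jar_bytes(data, path, findings, depth=0):
    """Inspect a JAR given as bytes, recursing into nested JAR/WAR/EAR entries.
    Appends one dict to `findings` per log4j-core copy located."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        version = None
        for n in names:
            if POM_PROPS_RE.search(n):
                version = parse_version(zf.read(n).decode("utf-8", "replace"))
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            findings.append({
                "path": path,
                "version": version,
                "jndi_lookup_present": has_jndi,
                # A copy whose JndiLookup.class was deleted (the documented interim
                # mitigation) is not flagged; an unknown version that still has the
                # class is treated as vulnerable because that class is what the exploit reaches.
                "vulnerable": has_jndi and (version is None or version < FIXED),
            })
        # Shaded and Spring Boot fat JARs carry dependencies as nested archives.
        if depth < 10:
            for n in names:
                if n.lower().endswith((".jar", ".war", ".ear")):
                    scan_jar_bytes(zf.read(n), f"{path}!/{n}", findings, depth + 1)


def scan_jar_file(filename):
    """Scan a JAR on disk and return the list of findings."""
    with open(filename, "rb") as f:
        findings = []
        scan_jar_bytes(f.read(), filename, findings)
        return findings


def _build_jar(entries):
    """Helper for the constructed sample: {name: bytes} -> JAR bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: an application JAR that bundles log4j-core 2.14.1 under
# BOOT-INF/lib, the indirect-dependency case described in the text.
SAMPLE_LOG4J_CORE = _build_jar({
    JNDI_LOOKUP: b"\xca\xfe\xba\xbe",  # class-file magic only; the body is irrelevant here
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
        b"version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
})
SAMPLE_APP_JAR = _build_jar({
    "com/example/App.class": b"\xca\xfe\xba\xbe",
    "BOOT-INF/lib/log4j-core-2.14.1.jar": SAMPLE_LOG4J_CORE,
})


def scan_sample():
    """Scan the constructed sample and return its findings."""
    findings = []
    scan_jar_bytes(SAMPLE_APP_JAR, "application.jar", findings)
    return findings


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

<p>Running it against a real tree is a matter of calling <code>scan_jar_file</code> on every <code>*.jar</code> and <code>*.war</code> you find; the nested path in each finding (<code>application.jar!/BOOT-INF/lib/…</code>) is what tells you which application to rebuild rather than which library to patch on disk.</p>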
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li> Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> ONUS Trading Platform. Image: Lưu Quý / VnExpress</p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.globenewswire.com/news-release/2021/12/20/2355023/0/en/1-5-million-users-in-just-18-months-with-ONUS-anyone-can-have-some-Bitcoin.html">https://www.globenewswire.com/news-release/2021/12/20/2355023/0/en/1-5-million-users-in-just-18-months-with-ONUS-anyone-can-have-some-Bitcoin.html</a></p>
<p><a href="#_ftnref3">[3]</a> <a href="https://venturebeat.com/2021/12/21/second-ransomware-family-exploiting-log4j-spotted-in-u-s-europe/">https://venturebeat.com/2021/12/21/second-ransomware-family-exploiting-log4j-spotted-in-u-s-europe/</a></p>
<p><a href="#_ftnref4">[4]</a> <a href="https://coinlive.me/more-than-2-million-onus-users-have-their-information-leaked-on-the-raid-forum-12287.html">https://coinlive.me/more-than-2-million-onus-users-have-their-information-leaked-on-the-raid-forum-12287.html</a></p>
<p><a href="#_ftnref5">[5]</a> <a href="https://www.bleepingcomputer.com/news/security/fintech-firm-hit-by-log4j-hack-refuses-to-pay-5-million-ransom/">https://www.bleepingcomputer.com/news/security/fintech-firm-hit-by-log4j-hack-refuses-to-pay-5-million-ransom/</a></p>
<p><a href="#_ftnref6">[6]</a> <a href="https://snyk.io/blog/log4j-vulnerability-software-supply-chain-security-log4shell/">https://snyk.io/blog/log4j-vulnerability-software-supply-chain-security-log4shell/</a></p></div>