Tomcat
Outdated F5 BIG-IP devices helped cyber-vampires secretly suck out corporate data.
The cyberattack, which lasted about three years, was recorded in the network of an organization in East Asia. A Chinese cyber-espionage group is presumed to be behind it; the group used outdated F5 BIG-IP devices as an internal C2 hub and as a way around the organization's security controls.
At the end of 2023, the cybersecurity company Sygnia identified and investigated this intrusion, publishing the results on June 17. Its analysts track the group under the name Velvet Ant and note its ability to adapt its tactics quickly in response to countermeasures.
"Velvet Ant is a sophisticated and innovative cyber threat," Sygnia experts said in a technical report. "Hackers have been collecting sensitive information for a long time, focusing on customer data and financial information."
The attack involved the well-known PlugX Trojan, also known as Korplug, which is widely used by China-linked espionage groups. PlugX gets onto hosts through DLL side-loading: a legitimate, often signed, executable is made to load the malicious DLL in place of the library it expects.
Sygnia also identified the attackers' attempts to disable endpoint protection software before installing PlugX. Open-source tools such as Impacket were used for lateral movement across the network.
During the incident, a modified version of PlugX was discovered that used an internal file server for C2 operations, which made it possible to disguise malicious traffic as legitimate internal network activity.
"The attackers deployed two versions of PlugX on the network," the company said. "The first version, configured with an external C2 server, was installed on endpoints with direct Internet access to transmit confidential information. The second version did not have a C2 configuration and was used exclusively on legacy servers."
To reach an external C2 server, the second PlugX variant relied on a reverse SSH tunnel, which again underlines how vulnerable edge devices let intruders keep a foothold for long periods.
"For mass exploitation, only one vulnerable border service is enough," WithSecure noted in a recent analysis. "These devices are often designed to increase network security, but their vulnerabilities are regularly used by attackers to gain access."
A detailed analysis of the compromised F5 devices also revealed the PMCD tool, which polls the C2 server every 60 minutes for commands to execute, as well as packet-capture programs and the SOCKS tunneling utility EarthWorm, previously used by the Gelsemium and Lucky Mouse groups.
The initial access vector of the Velvet Ant attack has not been determined; it is not known whether the attackers used phishing or exploited vulnerabilities in Internet-facing systems.
The Velvet Ant incident is a prime example of the persistence and ingenuity of modern cyber-espionage groups. Despite the security measures in place, the attackers managed to penetrate the corporate network and maintain their presence for a long period of time.
The case highlights the need for continuous monitoring of network activity, timely updates of software and hardware (edge appliances included), and layered protection of information systems against different attack vectors. A single neglected device can compromise the entire corporate infrastructure.
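Two of the behaviours described above are visible in plain network flow logs: PMCD's fixed 60-minute check-in with its C2, and a long-lived outbound SSH session from an appliance that has no business opening one (the reverse SSH tunnel). The script below is an added illustration, not Sygnia's tooling or anything from the original report; the flow-log format, the IP addresses and the sample flows are constructed for the example, and 10.0.0.5 is assumed to be the BIG-IP. It groups flows by (source, destination, port), flags tuples whose inter-arrival times are almost constant (coefficient of variation at or below 5%), and separately lists long outbound SSH sessions originating from appliances.

```python
"""Beacon and reverse-SSH-tunnel hunting over flow logs (added example).

Input format, constructed for this example, one flow per line:
<ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port> <proto> <duration_s> <bytes_out>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: the appliance 10.0.0.5 (assumed BIG-IP) holds a 3-hour
# outbound SSH session to 203.0.113.7 and beacons to 203.0.113.7:443 roughly
# every 60 minutes with a few seconds of jitter; workstation 10.0.0.42 browses
# irregularly; the appliance also makes one short internal SSH connection.
SAMPLE_FLOWS = """\
2024-03-01T08:00:00Z 10.0.0.5 203.0.113.7 22 tcp 10800 540000
2024-03-01T08:00:05Z 10.0.0.5 203.0.113.7 443 tcp 2 1200
2024-03-01T08:12:00Z 10.0.0.42 198.51.100.20 443 tcp 30 48000
2024-03-01T08:13:30Z 10.0.0.42 198.51.100.20 443 tcp 12 9100
2024-03-01T08:30:00Z 10.0.0.5 10.0.0.9 22 tcp 5 800
2024-03-01T09:00:02Z 10.0.0.5 203.0.113.7 443 tcp 2 1180
2024-03-01T09:45:00Z 10.0.0.42 198.51.100.20 443 tcp 45 120000
2024-03-01T10:00:09Z 10.0.0.5 203.0.113.7 443 tcp 3 1210
2024-03-01T11:00:04Z 10.0.0.5 203.0.113.7 443 tcp 2 1195
2024-03-01T11:02:00Z 10.0.0.42 198.51.100.20 443 tcp 8 3000
2024-03-01T11:02:10Z 10.0.0.42 198.51.100.20 443 tcp 9 3100
2024-03-01T12:00:07Z 10.0.0.5 203.0.113.7 443 tcp 2 1200
2024-03-01T13:00:01Z 10.0.0.5 203.0.113.7 443 tcp 2 1205
2024-03-01T14:00:06Z 10.0.0.5 203.0.113.7 443 tcp 2 1190
2024-03-01T15:00:03Z 10.0.0.5 203.0.113.7 443 tcp 2 1200
"""


def parse_flows(text):
    """Parse the constructed flow format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, duration, bytes_out = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "port": int(port), "proto": proto,
            "duration": int(duration), "bytes_out": int(bytes_out),
        })
    return flows


def find_periodic_beacons(flows, min_samples=6, max_cv=0.05):
    """Return {(src, dst, port): stats} for tuples whose connections recur at a
    near-constant interval. A timer-driven implant (PMCD every 60 min) gives a
    tiny coefficient of variation; human-driven traffic does not."""
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f["src"], f["dst"], f["port"])].append(f["ts"])
    hits = {}
    for key, stamps in by_tuple.items():
        if len(stamps) < min_samples:
            continue  # too few observations to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[key] = {"period_s": round(avg), "samples": len(stamps),
                         "cv": round(cv, 4)}
    return hits


def find_long_outbound_ssh(flows, appliances, min_duration_s=3600):
    """Long SSH sessions initiated by an appliance that should only be managed,
    never manage others: the shape of a reverse SSH tunnel."""
    return [f for f in flows
            if f["src"] in appliances and f["port"] == 22
            and f["proto"] == "tcp" and f["duration"] >= min_duration_s]


def hunt(text, appliances):
    """Run both detections over a flow log and return the findings."""
    flows = parse_flows(text)
    return {"beacons": find_periodic_beacons(flows),
            "ssh_tunnels": find_long_outbound_ssh(flows, appliances)}


if __name__ == "__main__":
    findings = hunt(SAMPLE_FLOWS, appliances={"10.0.0.5"})
    for key, stats in findings["beacons"].items():
        print("periodic beacon", key, stats)
    for f in findings["ssh_tunnels"]:
        print("long outbound SSH", f["src"], "->", f["dst"], f["duration"], "s")
```

On the sample, the appliance's HTTPS tuple comes out with a period of 3600 seconds and a coefficient of variation well under 1%, while the workstation's browsing never qualifies; the 3-hour SSH session is listed, the 5-second internal one is not. Against real data, feed it the appliance's own connection table or the firewall's flow export rather than host telemetry, since the whole point of the technique is that the compromised edge device sits outside EDR coverage.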