Malware Devil

Monday, March 1, 2021

Defending online anonymity and speech with Eva Galperin: Lock and Code S02E03

This week on Lock and Code, we discuss the top security headlines generated right here on Labs. In addition, we talk to Eva Galperin, director of cybersecurity for Electronic Frontier Foundation, about the importance of protecting online anonymity and speech.

In January, the New York Times exposed a public harassment campaign likely waged by one woman against the family of her former employer. Decades after being fired, the woman allegedly wrote dozens of fraudulent posts across the Internet, ruining the family’s reputation and often slipping past any repercussions.

Frequently, the websites that hosted this content refused to step in. And, in fact, depending on what anyone posts on major websites today, those types of refusals are entirely within a company’s right.

These stories frequently produce reactionary “solutions” to the Internet–from proposals to change one foundational law to requiring individuals to fully identify themselves for every online conversation. Those solutions, however, can often harm others, including government whistleblowers, human rights activists working against oppressive governments, and domestic abuse survivors.

Tune in to hear about the importance of online anonymity for domestic abuse survivors and why changing one key Internet law will not actually fix the problems we have today, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.


Stay safe, everyone!

The post Defending online anonymity and speech with Eva Galperin: Lock and Code S02E03 appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/defending-online-anonymity-and-speech-with-eva-galperin-lock-and-code-s02e03/?utm_source=rss&utm_medium=rss&utm_campaign=defending-online-anonymity-and-speech-with-eva-galperin-lock-and-code-s02e03

Wizards 2020: Celebrating a community of innovators!

Wizards is a global ideation program that allows Akamai employees to submit their innovative ideas and contribute to the business transformation of Akamai. The program has been running for eight years and has received more than 5000 idea submissions. We are proud that Akamai products like Page Integrity and Enterprise Threat Protector were once ideas on the Wizards portal, as were more than 45 other successful suggestions.

The post Wizards 2020: Celebrating a community of innovators! appeared first on Security Boulevard.

Read More

The post Wizards 2020: Celebrating a community of innovators! appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/wizards-2020-celebrating-a-community-of-innovators/?utm_source=rss&utm_medium=rss&utm_campaign=wizards-2020-celebrating-a-community-of-innovators

CISO Stories Podcast: Without Building a CISO EQ, You May Be On Your Own

The CISO must interact with many different groups within the company. These groups differ in the amount of business acumen and technical depth necessary. The CISO must have self-awareness of how to approach each of these different types of stakeholders, as well as ensuring appropriate self-care is taken to limit burnout, stress and anxiety.

The post CISO Stories Podcast: Without Building a CISO EQ, You May Be On Your Own appeared first on Security Boulevard.

Read More

The post CISO Stories Podcast: Without Building a CISO EQ, You May Be On Your Own appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/ciso-stories-podcast-without-building-a-ciso-eq-you-may-be-on-your-own/?utm_source=rss&utm_medium=rss&utm_campaign=ciso-stories-podcast-without-building-a-ciso-eq-you-may-be-on-your-own

Fun with DNS over TLS (DoT), (Mon, Mar 1st)

Going back a few weeks, we discussed how DNS over HTTPS (DoH) works (https://isc.sans.edu/forums/diary/Fun+with+NMAP+NSE+Scripts+and+DOH+DNS+over+HTTPS/27026/) – very much as an unauthenticated API over HTTPS.  DNS over TLS (DoT), however, has been with us for a fair bit longer (RFC 7858, May 2016), so why haven’t we heard about it as much?

After wrestling with it for a bit, I can tell you why!

DoH is easy to work with, since we have so many HTTPS tools at our disposal.  Plus DoH was first implemented in browsers, and the browser developers *live* in HTTPS, so DoH is a cake-walk for them.  DNSSEC, for comparison, is basically plain old unencrypted DNS with signature records added: it authenticates answers, but it does not hide them.

DoT on the other hand is a whole ‘nother beast.  It’s still basic DNS, but encapsulated in TLS.  So to make DoT queries we need a toolset that can set up a TLS session, validate the server’s certificate, and then push the DNS messages through it.  The first tool that came to mind was of course scapy, but read on, I used an easier method ..

To allow all of the mentioned DNS protocols to live on one server, DoT lives on tcp/853.  This makes for an easy NMAP scan if you’re looking for this service.  NMAP labels the port correctly (domain-s), but an NMAP version scan (-sV) won’t identify the DoT service by name.  It will however find some telling strings in the fingerprint, things like “DNSVersionBindReqTCP” and “DNSStatusRequestTCP” – so a version scan will validate the service enough for your eyes to see it, without calling it out definitively.  You can also of course validate the certificate on port tcp/853 using NMAP’s ssl-cert.nse script or openssl:

nmap -p853 --script ssl-cert 8.8.8.8

Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 07:55 Eastern Standard Time

Nmap scan report for 8.8.8.8

Host is up (0.012s latency).

 

PORT    STATE SERVICE

853/tcp open  domain-s

| ssl-cert: Subject: commonName=dns.google/organizationName=Google LLC/stateOrProvinceName=California/countryName=US

| Subject Alternative Name: DNS:dns.google, DNS:*.dns.google.com, DNS:8888.google, DNS:dns.google.com, DNS:dns64.dns.google, IP Address:2001:4860:4860:0:0:0:0:64, IP Address:2001:4860:4860:0:0:0:0:6464, IP Address:2001:4860:4860:0:0:0:0:8844, IP Address:2001:4860:4860:0:0:0:0:8888, IP Address:8.8.4.4, IP Address:8.8.8.8

| Issuer: commonName=GTS CA 1O1/organizationName=Google Trust Services/countryName=US

| Public Key type: rsa

| Public Key bits: 2048

| Signature Algorithm: sha256WithRSAEncryption

| Not valid before: 2021-01-26T08:54:07

| Not valid after:  2021-04-20T08:54:06

| MD5:   9edd 82e5 5661 89c0 13a5 cced e040 c76d

|_SHA-1: 2e80 c54b 0c55 f8ad 3d61 f9ae af43 e70c 1e67 fafd

Nmap done: 1 IP address (1 host up) scanned in 24.43 seconds

Me, I took the easy way out for DoT queries and installed the knot-dnsutils (sudo apt-get install knot-dnsutils), which installs kdig to do all the heavy lifting for me.  As the name implies, kdig does just about everything that dig does, but for this task gives you parameters to make DoT queries.

So an A record query over DoT from kdig looks very much like DNS query output from dig:

$ kdig @dns.google.com +tls-ca  isc.sans.edu A

;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 57540

;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

 

;; EDNS PSEUDOSECTION:

;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR

;; PADDING: 391 B

;; QUESTION SECTION:

;; isc.sans.edu.                IN      A

;; ANSWER SECTION:

isc.sans.edu.           4       IN      A       45.60.103.34

isc.sans.edu.           4       IN      A       45.60.31.34

 

;; Received 468 B

;; Time 2021-03-01 04:58:51 PST

;; From 8.8.8.8@853(TCP) in 38.9 ms

Note all the TLS session info at the top, and the port number in the last line.

As you’d expect, if you’re just after answers you can use the +short parameter:

# kdig @dns.google.com +tls-ca +short www.coherentsecurity.com AAAA

robvandenbrink.github.io.

.. yup, I host my website on github, handiest github feature ever (ok, maybe not the handiest, but still pretty darned handy)

Other handy parameters in kdig?

  • Just as in dig, you can always tack on the “-d” parameter for debug output
  • +tls-hostname sets the hostname that the server’s certificate is validated against.  This means you can query the server by IP address and still get certificate validation when you use this parameter.
  • Related to tls-hostname, +tls-sni adds the Server Name Indication extension to the TLS handshake, so a server hosting several names can present the right certificate.

Without constructing the TLS packet, how can I use DoT in an NMAP script?  I again took the easy way out and used kdig, in combination with the lua command os.execute.  Yup, in the time honoured tradition of coding laziness I shelled out and executed the matching OS command!  In the DoH script I wrote I did a quick check to make sure that the host was running HTTP services on port 443 with “shortport.http”.  In the DoT script I changed this, to ensure that TLS is running on the scanned port, using the “shortport.ssl” check.  An example scan is shown below:

$ nmap -p853 --script dns-dot.nse 8.8.8.8 --script-args target=www.cisco.com,query=AAAA

Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 05:13 PST

Nmap scan report for dns.google (8.8.8.8)

Host is up (0.017s latency).

 

PORT    STATE SERVICE

853/tcp open  domain-s

| dns-dot:

|   www.cisco.com.akadns.net.

|   wwwds.cisco.com.edgekey.net.

|   wwwds.cisco.com.edgekey.net.globalredir.akadns.net.

|   e2867.dsca.akamaiedge.net.

|   2607:f798:d04:189::b33

|_  2607:f798:d04:191::b33

 

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

You can find the DoT script here: https://github.com/robvandenbrink/dns-dot . Because it calls kdig, you’ll need the knot-dnsutils package installed before this script will run.  If you’re interested in combining NMAP scans with different OS commands you’re welcome to review the source code and use whatever you need!

Do you have a handy nmap script that uses os.execute to do the “behind the scenes” work?  Please, share a link in our comment form!

 

References:
DoT RFC (RFC 7858): https://tools.ietf.org/html/rfc7858

Usage Profiles for DNS over TLS and DNS over DTLS: https://tools.ietf.org/html/rfc8310

knot-dnsutils: https://www.knot-dns.cz/

 

===============
Rob VandenBrink
rob<at>coherentsecurity.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Read More

The post Fun with DNS over TLS (DoT), (Mon, Mar 1st) appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/fun-with-dns-over-tls-dot-mon-mar-1st/?utm_source=rss&utm_medium=rss&utm_campaign=fun-with-dns-over-tls-dot-mon-mar-1st

Gartner and the Top Strategic Technology Trends for 2021


For organizations the world over, COVID-19 led to drastic operational changes overnight. On-premises-only styles of work were quickly supplanted by fully remote workforces. This shift had (and continues to have) massive implications for IT and security teams. In essence, the pandemic killed the perimeter and the legacy security strategies that organizations had leaned upon for years. Fortunately, in Top Strategic Technology Trends for 2021, Gartner explains the impact of the global pandemic on businesses around the globe and makes suggestions about what organizations can do in order to succeed in 2021.

The post Gartner and the Top Strategic Technology Trends for 2021 appeared first on Security Boulevard.

Read More

The post Gartner and the Top Strategic Technology Trends for 2021 appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/gartner-and-the-top-strategic-technology-trends-for-2021/?utm_source=rss&utm_medium=rss&utm_campaign=gartner-and-the-top-strategic-technology-trends-for-2021

National Security Risks of Late-Stage Capitalism

Early in 2020, cyberspace attackers apparently working for the Russian government compromised a piece of widely used network management software made by a company called SolarWinds. The hack gave the attackers access to the computer networks of some 18,000 of SolarWinds’s customers, including US government agencies such as the Homeland Security Department and State Department, American nuclear research labs, government contractors, IT companies and nongovernmental agencies around the world.

It was a huge attack, with major implications for US national security. The Senate Intelligence Committee is scheduled to …

The post National Security Risks of Late-Stage Capitalism appeared first on Security Boulevard.

Read More

The post National Security Risks of Late-Stage Capitalism appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/national-security-risks-of-late-stage-capitalism/?utm_source=rss&utm_medium=rss&utm_campaign=national-security-risks-of-late-stage-capitalism

SolarWinds Blames Intern for Weak Password That Led to Biggest Attack in 2020

As cybersecurity researchers continue to piece together the sprawling SolarWinds supply chain attack, top executives of the Texas-based software services firm blamed an intern for a critical password lapse that went unnoticed for several years.

The password, “solarwinds123”, was originally believed to have been publicly accessible via a GitHub repository since June 17, 2018, before the misconfiguration was addressed on November 22, 2019.

But in a hearing before the House Committees on Oversight and Reform and Homeland Security on SolarWinds on Friday, CEO Sudhakar Ramakrishna testified that the password had been in use as early as 2017.

While a preliminary investigation into the attack revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of the SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor, CrowdStrike’s incident response efforts pointed to a revised timeline that established the first breach of the SolarWinds network on September 4, 2019.

To date, at least nine government agencies and 100 private sector companies have been breached in what’s being described as one of the most sophisticated and well-planned operations that involved injecting the malicious implant into the Orion Software Platform with the goal of compromising its customers.

“A mistake that an intern made.”

“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad,” Representative Katie Porter of California said. “You and your company were supposed to be preventing the Russians from reading Defense Department emails.”

“I believe that was a password that an intern used on one of his servers back in 2017 which was reported to our security team and it was immediately removed,” Ramakrishna said in response to Porter.

Former CEO Kevin Thompson echoed Ramakrishna’s statement during the testimony. “That related to a mistake that an intern made, and they violated our password policies and they posted that password on their own private GitHub account,” Thompson said. “As soon as it was identified and brought to the attention of my security team, they took that down.”

Security researcher Vinoth Kumar disclosed in December that he notified the company of a publicly accessible GitHub repository that was leaking the FTP credentials of the company’s download website in the clear, adding a hacker could use the credentials to upload a malicious executable and add it to a SolarWinds update.

In the weeks following the revelation, SolarWinds was hit with a class-action lawsuit in January 2021 that alleged the company failed to disclose that “since mid-2020, SolarWinds Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran,” and that “SolarWinds’ update server had an easily accessible password of ‘solarwinds123’,” as a result of which the company “would suffer significant reputational harm.”

NASA and FAA Also Targeted

Up to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the threat actor behind the operation carefully chose their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on intel amassed during an initial reconnaissance of the target environment for high-value accounts and assets.

Besides infiltrating the networks of Microsoft, FireEye, Malwarebytes, CrowdStrike, and Mimecast, the attackers are also said to have used SolarWinds as a jumping-off point to penetrate the National Aeronautics and Space Administration (NASA) and the Federal Aviation Administration (FAA), according to the Washington Post.

The seven other breached agencies are the Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health.

“In addition to this estimate, we have identified additional government and private sector victims in other countries, and we believe it is highly likely that there remain other victims not yet identified, perhaps especially in regions where cloud migration is not as far advanced as it is in the United States,” Microsoft President Brad Smith said during the hearing.

The threat group, alleged to be of Russian origin, is being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), and Dark Halo (Volexity).

“The hackers launched the hack from inside the United States, which further made it difficult for the U.S. government to observe their activity,” Deputy National Security Advisor Anne Neuberger said in a White House briefing last month. “This is a sophisticated actor who did their best to hide their tracks. We believe it took them months to plan and execute this compromise.”

Adopting a “Secure by Design” Approach

Likening the SolarWinds cyberattack to a “large-scale series of home invasions,” Smith urged the need for strengthening the tech sector’s software and hardware supply chains, and promoting broader sharing of threat intelligence for real-time responses during such incidents.

To that effect, Microsoft has open-sourced CodeQL queries used to hunt for Solorigate activity, which it says could be used by other organizations to analyze their source code at scale and check for indicators of compromise (IoCs) and coding patterns associated with the attack.

In a related development, cybersecurity researchers speaking to The Wall Street Journal disclosed that the suspected Russian hackers used Amazon’s cloud-computing data centers to mount a key part of the campaign, throwing fresh light on the scope of the attacks and the tactics employed by the group. The tech giant, however, has so far not made its insights into the hacking activity public.

SolarWinds, for its part, said it’s implementing the knowledge gained from the incident to evolve into a company that is “Secure by Design” and that it’s deploying additional threat protection and threat hunting software across all its network endpoints including measures to safeguard its development environments.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Read More

The post SolarWinds Blames Intern for Weak Password That Led to Biggest Attack in 2020 appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/solarwinds-blames-intern-for-weak-password-that-led-to-biggest-attack-in-2020/?utm_source=rss&utm_medium=rss&utm_campaign=solarwinds-blames-intern-for-weak-password-that-led-to-biggest-attack-in-2020

From Physical to Virtual Workspaces

It’s officially been a year since enterprises all over the world were forced to instantly provision remote workspaces for their employees. Some had the advantage of already having some sort of work from home infrastructure in place, but many did not. Let’s take a look back at the 4 most common approaches – corporate devices, […]

The post From Physical to Virtual Workspaces appeared first on Hysolate.

The post From Physical to Virtual Workspaces appeared first on Security Boulevard.

Read More

The post From Physical to Virtual Workspaces appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/from-physical-to-virtual-workspaces/?utm_source=rss&utm_medium=rss&utm_campaign=from-physical-to-virtual-workspaces

Why do companies fail to stop breaches despite soaring IT security investment?

Let’s first take a look back at 2020!

Adding to the list of difficulties that surfaced last year, 2020 was also grim for personal data protection, as it marked a new record number of leaked credentials and personal data.

A whopping 20 billion records were stolen in a single year, increasing 66% from 12 billion in 2019. Incredibly, this is a 9x increase from the comparatively “small” amount of 2.3 billion records stolen in 2018.

This trend seems to fit an exponential curve; even worse, we are yet to see the fallout from the end-of-year “Solorigate” campaign, which has the potential to dwarf even these numbers by the end of 2021.

Found among the leaked data are usernames, passwords, credit card numbers, bank account details, healthcare information, and other personal data. Malicious actors utilize these treasure troves of information for fraud and further attacks.

In just the first quarter of 2020, the Dutch government managed to lose a hard drive containing confidential citizen data. Meanwhile, the UK government exposed 28 million children’s data to betting companies, and Microsoft exposed 250 million records of customer support–including customers’ geographic data, IP addresses, and other private information.

By April, Zoom had lost 500,000 passwords at the start of the global remote working period. In June, Oracle had also leaked billions of web tracking records by storing the data on an unsecured server.

Q3 kicked off with Joe Biden’s campaign app exposing millions of users’ sensitive voter data. This was followed by 300,000 Spotify users falling victim to account takeover attempts after their credentials were made public.

The year ended with Solorigate: an incident with a lasting impact that has yet to be fully seen. Ultimately, 2020 closed with a total of 1,114 incidents, with several governments and well-known brands–such as Estee Lauder, Marriott, Nintendo, and GoDaddy–involved in large-scale breaches.

Why are companies and organizations still failing?

This trend of data breaches is quite disappointing when compared to the staggering $120 billion in global IT security spending, a figure that, according to Gartner, has grown rapidly year on year.

The only plausible explanation for this inconsistency is that user awareness is lacking and that existing technologies are missing something substantial needed to turn the tide on these trends.

The most common cause behind data breaches is the leak of some authentication material–a username, password, token or API key–or a server or application that was carelessly left without a password at all.

Users are registering to third-party websites and services with corporate email addresses and credentials every day. In tandem, they create massive blind spots in visibility and a field of Shadow IT that no audit or security tool has been able to mitigate thus far. Each employee has around 200 accounts–for every 1,000 employees, that is 200,000 potentially unknown or weak passwords, many of which may be corporate related.

Once these third parties get compromised, the credentials obtained might be reused to gain unauthorized access to other corporate services, such as email accounts or VPN servers, using attack techniques like credential stuffing or password spraying.

This was exactly the case with British Airways, which received a record GDPR fine of GBP20 million after 400,000 passengers’ data was breached, initiated through a VPN gateway accessed by a compromised account.

Most large organizations use data leak prevention technologies yet fail to protect against password leaks and account takeovers. This demonstrates an apparent need for a new approach–a hybrid of technological controls and immediate user awareness improvement that implements a fresh perspective on account protection.

Shedding Light on Shadow IT

Scirge was developed with a simple and clear focus on solving an overlooked aspect of existing IT security mechanisms: discovering and protecting accounts created by employees in the cloud. This includes the capability to monitor all new registrations, as well as viewing logins with existing credentials to websites and web applications.

Furthermore, it involves centrally managed strength and complexity checks for all passwords while also warning users for proper credential management.

Policy-based controls may be created to block the usage of certain email addresses or websites. Scirge will immediately provide users with awareness messages when they are misusing corporate credentials or disregarding password complexity requirements.

Central intelligence helps unveil reused passwords and compromised accounts via comparing every company-related account to leak databases and locally-used (Active Directory) accounts. Scirge can illuminate organizations’ otherwise hidden cloud footprint while simultaneously empowering users with knowledge about password hygiene, corporate policies, and unwanted behavior when using corporate accounts.

Scirge accomplishes each of these goals with a clean, browser-based approach. It eliminates the need to control or view network traffic, decrypt SSL, or burden clients with full-blown agents–a common source of performance degradation and compatibility issues with other security tools.

Utilizing its unique features, Scirge creates visibility for all employee-created accounts and reveals password hygiene issues. Inventory for all users–including departing workers–is readily available, unveiling unwanted account sharing between users and potential insider threats of misusing identities when accessing online resources.

The dashboard also shows IT management what cloud apps are most used without consent, helping the company comply with regulations via collecting privacy policies and T&Cs of all services.

Learn more about account protection and Shadow IT awareness here or register to one of our webinars.


Read More

The post Why do companies fail to stop breaches despite soaring IT security investment? appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/why-do-companies-fail-to-stop-breaches-despite-soaring-it-security-investment/?utm_source=rss&utm_medium=rss&utm_campaign=why-do-companies-fail-to-stop-breaches-despite-soaring-it-security-investment

Chinese Hackers Targeted India’s Power Grid Amid Geopolitical Tensions


Amid heightened border tensions between India and China, cybersecurity researchers have revealed a concerted campaign against India’s critical infrastructure, including the nation’s power grid, from Chinese state-sponsored groups.

The attacks, which coincided with the standoff between the two nations in May 2020, targeted a total of 12 organizations, 10 of which are in the power generation and transmission sector.

“10 distinct Indian power sector organizations, including four of the five Regional Load Despatch Centres (RLDC) responsible for operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India’s critical infrastructure,” Recorded Future said in a report published yesterday. “Other targets identified included 2 Indian seaports.”

Chief among the victims are a power plant run by National Thermal Power Corporation (NTPC) Limited and the New Delhi-based Power System Operation Corporation Limited.

Pinning the intrusions on a new group dubbed “RedEcho,” investigators from the cybersecurity firm’s Insikt Group said the malware deployed by the threat actor shares strong infrastructure and victimology overlaps with other Chinese groups APT41 (aka Barium, Winnti, or Wicked Panda) and Tonto Team.

Border conflicts have flared up since last year after deadly clashes between Indian and Chinese soldiers in Ladakh’s Galwan Valley. While 20 Indian soldiers were killed in the clashes, China formally identified four casualties on its side for the first time on February 19.


In the intervening months, the Indian government has banned over 200 Chinese apps for allegedly engaging in activities that posed threats to “national security and defence of India, which ultimately impinges upon the sovereignty and integrity of India.”

Noting that the standoff between the two countries was accompanied by increased espionage activity on both sides, Recorded Future said the attacks from China involved the use of infrastructure it tracks as AXIOMATICASYMPTOTE, which encompasses a modular Windows backdoor called ShadowPad that has been previously attributed to APT41 and subsequently shared between other Chinese state-backed actors.

Additionally, the report also raises questions about a possible connection between the skirmishes and a power blackout that crippled Mumbai last October.

While an initial probe conducted by the cyber department of the western Indian state of Maharashtra traced the attack to a piece of unspecified malware identified at a Padgha-based State Load Despatch Centre, the researchers said, “the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated.”

“However, this disclosure provides additional evidence suggesting the coordinated targeting of Indian Load Despatch Centres,” they added.

Interestingly, these cyberattacks were described as originating from Chengdu, which is also the base for a network technology firm called Chengdu 404 Network Technology Company that operated as a front for a decade-long hacking spree targeting more than 100 high-tech and online gaming companies.


But it’s not just China. In the weeks leading to the clashes in May, a state-sponsored group called Sidewinder — which operates in support of Indian political interests — is said to have singled out Chinese military and government entities in a spear-phishing attack using lures related to COVID-19 or the territorial disputes between Nepal, Pakistan, India, and China.

The modus operandi aside, the finding is yet another reminder of why critical infrastructure continues to be a lucrative target for an adversary looking to cut off access to essential services used by millions of people.

“The intrusions overlap with previous Indian energy sector targeting by Chinese threat activity groups in 2020 that also used AXIOMATICASYMPTOTE infrastructure,” the researchers concluded. “Therefore, the focus in targeting India’s electricity system possibly indicates a sustained strategic intent to access India’s energy infrastructure.”

We have reached out to India’s Computer Emergency Response Team (CERT-IN), and we will update the story if we hear back.


Read More

The post Chinese Hackers Targeted India’s Power Grid Amid Geopolitical Tensions appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/chinese-hackers-targeted-indias-power-grid-amid-geopolitical-tensions/?utm_source=rss&utm_medium=rss&utm_campaign=chinese-hackers-targeted-indias-power-grid-amid-geopolitical-tensions

SolarWinds Blame Intern for Weak Password That Led to Biggest Attack in 2020

As cybersecurity researchers continue to piece together the sprawling SolarWinds supply chain attack, top executives of the Texas-based software services firm blamed an intern for a critical password lapse that went unnoticed for several years.

The said password “solarwinds123” was originally believed to have been publicly accessible via a GitHub repository since June 17, 2018, before the misconfiguration was addressed on November 22, 2019.

But in a hearing before the House Committees on Oversight and Reform and Homeland Security on SolarWinds on Friday, CEO Sudhakar Ramakrishna testified that the password had been in use as early as 2017.

While a preliminary investigation into the attack revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor, Crowdstrike’s incident response efforts pointed to a revised timeline that established the first breach of SolarWinds network on September 4, 2019.

To date, at least nine government agencies and 100 private sector companies have been breached in what’s being described as one of the most sophisticated and well-planned operations that involved injecting the malicious implant into the Orion Software Platform with the goal of compromising its customers.

“A mistake that an intern made.”

“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad,” Representative Katie Porter of California said. “You and your company were supposed to be preventing the Russians from reading Defense Department emails.”

“I believe that was a password that an intern used on one of his servers back in 2017 which was reported to our security team and it was immediately removed,” Ramakrishna said in response to Porter.

Former CEO Kevin Thompson echoed Ramakrishna’s statement during the testimony. “That related to a mistake that an intern made, and they violated our password policies and they posted that password on their own private GitHub account,” Thompson said. “As soon as it was identified and brought to the attention of my security team, they took that down.”

Security researcher Vinoth Kumar disclosed in December that he had notified the company of a publicly accessible GitHub repository that was leaking the FTP credentials of the company’s download website in the clear, adding that an attacker could use the credentials to upload a malicious executable and add it to a SolarWinds update.

In the weeks following the revelation, SolarWinds was hit with a class-action lawsuit in January 2021 that alleged the company failed to disclose that “since mid-2020, SolarWinds Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran,” and that “SolarWinds’ update server had an easily accessible password of ‘solarwinds123’,” as a result of which the company “would suffer significant reputational harm.”

NASA and FAA Also Targeted

Up to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the threat actor behind the operation carefully chose their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on intel amassed during an initial reconnaissance of the target environment for high-value accounts and assets.

Besides infiltrating the networks of Microsoft, FireEye, Malwarebytes, CrowdStrike, and Mimecast, the attackers are also said to have used SolarWinds as a jumping-off point to penetrate the National Aeronautics and Space Administration (NASA) and the Federal Aviation Administration (FAA), according to the Washington Post.

The seven other breached agencies are the Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health.

“In addition to this estimate, we have identified additional government and private sector victims in other countries, and we believe it is highly likely that there remain other victims not yet identified, perhaps especially in regions where cloud migration is not as far advanced as it is in the United States,” Microsoft President Brad Smith said during the hearing.

The threat group, alleged to be of Russian origin, is being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), and Dark Halo (Volexity).

“The hackers launched the hack from inside the United States, which further made it difficult for the U.S. government to observe their activity,” Deputy National Security Advisor Anne Neuberger said in a White House briefing last month. “This is a sophisticated actor who did their best to hide their tracks. We believe it took them months to plan and execute this compromise.”

Adopting a “Secure by Design” Approach

Likening the SolarWinds cyberattack to a “large-scale series of home invasions,” Smith urged the need for strengthening the tech sector’s software and hardware supply chains, and promoting broader sharing of threat intelligence for real-time responses during such incidents.

To that effect, Microsoft has open-sourced CodeQL queries used to hunt for Solorigate activity, which it says could be used by other organizations to analyze their source code at scale and check for indicators of compromise (IoCs) and coding patterns associated with the attack.

In a related development, cybersecurity researchers speaking to The Wall Street Journal disclosed that the suspected Russian hackers used Amazon’s cloud-computing data centers to mount a key part of the campaign, throwing fresh light on the scope of the attacks and the tactics employed by the group. The tech giant, however, has so far not made its insights into the hacking activity public.

SolarWinds, for its part, said it’s implementing the knowledge gained from the incident to evolve into a company that is “Secure by Design” and that it’s deploying additional threat protection and threat hunting software across all its network endpoints including measures to safeguard its development environments.


The post SolarWinds Blame Intern for Weak Password That Led to Biggest Attack in 2020 appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/solarwinds-blame-intern-for-weak-password-that-led-to-biggest-attack-in-2020/?utm_source=rss&utm_medium=rss&utm_campaign=solarwinds-blame-intern-for-weak-password-that-led-to-biggest-attack-in-2020

If APM Vendors Think They Need RASP, Shouldn’t You?

The start of February 2021 brought with it a number of announcements from APM (Application Performance Monitoring) vendors, all relating to RASP (Runtime Application Self-Protection). Three vendors in the APM market (referred to by some as the observability platform market) made announcements about either adding RASP or enhancing their RASP offerings as part of their APM products.

The post If APM Vendors Think They Need RASP, Shouldn’t You? appeared first on K2io.

The post If APM Vendors Think They Need RASP, Shouldn’t You? appeared first on Security Boulevard.


The post If APM Vendors Think They Need RASP, Shouldn’t You? appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/if-apm-vendors-think-they-need-rasp-shouldnt-you/?utm_source=rss&utm_medium=rss&utm_campaign=if-apm-vendors-think-they-need-rasp-shouldnt-you

Card Skimmers Powered by Chip Cards, Silver Sparrow Mac Malware, Accellion Zero-Days

This week co-host Kevin Johnson joins Tom Eston to discuss new card skimmers found in the wild, the Accellion zero-days, and a new type of Mac malware called “Silver Sparrow”.

** Links mentioned on the show **

Checkout Skimmers Powered by Chip Cards: https://krebsonsecurity.com/2021/02/checkout-skimmers-powered-by-chip-cards/
Apple says it has already beaten new M1 Mac malware: https://www.techradar.com/au/news/apple-says-it-has-already-beaten-new-m1-mac-malware
[…]

The post Card Skimmers Powered by Chip Cards, Silver Sparrow Mac Malware, Accellion Zero-Days appeared first on The Shared Security Show.

The post Card Skimmers Powered by Chip Cards, Silver Sparrow Mac Malware, Accellion Zero-Days appeared first on Security Boulevard.


The post Card Skimmers Powered by Chip Cards, Silver Sparrow Mac Malware, Accellion Zero-Days appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/card-skimmers-powered-by-chip-cards-silver-sparrow-mac-malware-accellion-zero-days/?utm_source=rss&utm_medium=rss&utm_campaign=card-skimmers-powered-by-chip-cards-silver-sparrow-mac-malware-accellion-zero-days

Betting Big on Identity and Authentication


Last year, 2020, was a year of accelerated digital transformation with COVID-19 related lockdowns pushing preexisting trends into overdrive. We saw more quantum leaps in cloud adoption, remote work and digital transformation in a single year than we’d seen in the previous decade. Naturally, this shakeup has caused a near-perfect storm in the enterprise security..

The post Betting Big on Identity and Authentication appeared first on Security Boulevard.


The post Betting Big on Identity and Authentication appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/betting-big-on-identity-and-authentication/?utm_source=rss&utm_medium=rss&utm_campaign=betting-big-on-identity-and-authentication

Social Media Risks Increasing in 2021


Businesses, employees and their customers rely on social media interactions more than ever since COVID-19 arrived. However, social media usage should raise certain privacy concerns. For most users, it comes down to a level of trust. In other words, users trust that social media platforms will protect and secure their personal information and data. Which,..

The post Social Media Risks Increasing in 2021 appeared first on Security Boulevard.


The post Social Media Risks Increasing in 2021 appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/social-media-risks-increasing-in-2021/?utm_source=rss&utm_medium=rss&utm_campaign=social-media-risks-increasing-in-2021

Security Alert: [Updated] Alert Regarding Vulnerability (CVE-2021-21972) in VMware vCenter Server

JPCERT-AT-2021-0011
JPCERT/CC
2021-02-25(Initial)
2021-03-01(Update)

I. Overview

On February 23, 2021 (US time), VMware released advisory VMSA-2021-0002 regarding vulnerabilities in multiple VMware products. A remote attacker may upload an arbitrary file or execute arbitrary commands with SYSTEM privileges by leveraging these vulnerabilities. For more information, please refer to the information provided by VMware.

VMware
VMSA-2021-0002
https://www.vmware.com/security/advisories/VMSA-2021-0002.html

In addition, JPCERT/CC has confirmed that details of the VMware vCenter Server vulnerability (CVE-2021-21972) and proof-of-concept code have been published, and that scanning activity searching for systems affected by this vulnerability has been observed.

On February 25, 2021, JPCERT/CC sensors in Japan also observed scans that appear to be searching for systems affected by this vulnerability. There is a possibility that attacks using the scanning information may take place in the future. Please consider taking measures as soon as possible.

If you are using a product which is affected by this vulnerability, please apply the measures described in “III. Solution” and “IV. Workarounds”.

II. Affected Products and Versions

Affected products and versions are as follows:

– vCenter Server versions 7.0 prior to 7.0 U1c
– vCenter Server versions 6.7 prior to 6.7 U3l
– vCenter Server versions 6.5 prior to 6.5 U3n
– Cloud Foundation (vCenter Server) versions 4.x prior to 4.2
– Cloud Foundation (vCenter Server) versions 3.x prior to 3.10.1.2

III. Solution

VMware has released versions that address the vulnerability. Please consider updating to one of the following versions.

– vCenter Server version 7.0 U1c
– vCenter Server version 6.7 U3l
– vCenter Server version 6.5 U3n
– Cloud Foundation (vCenter Server) version 4.2
– Cloud Foundation (vCenter Server) version 3.10.1.2
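The affected and fixed version lists above are the advisory's. As an added example (not JPCERT/CC's or VMware's code), the following Python helper turns those two lists into an inventory check: given the version string of a vCenter Server or Cloud Foundation deployment, it reports whether the deployment falls in an affected range and which fixed version it should be moved to. It assumes vCenter versions are written the way the advisory writes them (`7.0`, `7.0c`, `7.0 U1`, `7.0 U1c`), ordered GA, then GA plus letter, then update, then update plus letter; build numbers, which the advisory does not list, are not handled. The inventory in the `__main__` block is constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Fixed versions exactly as listed in VMSA-2021-0002 / JPCERT-AT-2021-0011.
VCENTER_FIXED = {"7.0": "7.0 U1c", "6.7": "6.7 U3l", "6.5": "6.5 U3n"}
VCF_FIXED = {"4": "4.2", "3": "3.10.1.2"}

# Assumption: vCenter versions use the advisory's "major.minor [Un][letter]"
# style, e.g. "7.0", "7.0c", "7.0 U1", "7.0U1c". Build numbers are not parsed.
_VC_RE = re.compile(r"^(\d+)\.(\d+)(?:\s*U(\d+))?([a-z])?$", re.IGNORECASE)


def parse_vcenter(version: str) -> Tuple[int, int, int, int]:
    """Map a vCenter version string to a sortable (major, minor, update, letter) tuple.

    Within one train the order is GA < GA+letter < Un < Un+letter, which is how
    "prior to 7.0 U1c" in the advisory reads.
    """
    m = _VC_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {version!r}")
    major, minor, update, letter = m.groups()
    letter_rank = ord(letter.lower()) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(update or 0), letter_rank)


def parse_dotted(version: str) -> Tuple[int, ...]:
    """Cloud Foundation versions are plain dotted integers (e.g. 3.10.1.2)."""
    return tuple(int(part) for part in version.strip().split("."))


def assess_vcenter(version: str) -> Tuple[str, Optional[str]]:
    """Return ("affected" | "fixed" | "unlisted", fixed version for this train)."""
    parsed = parse_vcenter(version)
    fixed = VCENTER_FIXED.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        # Train not covered by the advisory: check VMware's current guidance instead.
        return ("unlisted", None)
    return ("affected" if parsed < parse_vcenter(fixed) else "fixed", fixed)


def assess_vcf(version: str) -> Tuple[str, Optional[str]]:
    """Same classification for Cloud Foundation (vCenter Server) versions."""
    parsed = parse_dotted(version)
    fixed = VCF_FIXED.get(str(parsed[0]))
    if fixed is None:
        return ("unlisted", None)
    return ("affected" if parsed < parse_dotted(fixed) else "fixed", fixed)


if __name__ == "__main__":
    # Constructed inventory for illustration; these are not real hosts.
    inventory = [("vcsa-01", "7.0 U1"), ("vcsa-02", "6.7 U3l"), ("vcsa-03", "6.5 U3m")]
    for host, ver in inventory:
        status, fixed = assess_vcenter(ver)
        hint = f" (upgrade to {fixed})" if status == "affected" else ""
        print(f"{host}: {ver} -> {status}{hint}")
```

Because the comparison is per train, a host on 7.0 U1 is reported as affected against 7.0 U1c, not against the 6.x fixes; a version from a train the advisory does not mention is reported as "unlisted" rather than silently treated as safe.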

IV. Workarounds

The following measures are mentioned as workarounds.

– Change VMware vRops Client Plugin to incompatible

VMware states that applying the workaround will affect environments in which VMware vRealize Operations is used. For more information, please refer to the information provided by VMware.

VMware
VMware vCenter Server Workaround Instructions for CVE-2021-21972 and CVE-2021-21973 (82374)
https://kb.vmware.com/s/article/82374

V. References

VMware
VMSA-2021-0002
https://www.vmware.com/security/advisories/VMSA-2021-0002.html

If you have any information regarding this alert, please contact JPCERT/CC.

2021-02-25 First edition
2021-03-01 Updated “I. Overview”

JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/


The post Security Alert: [Updated] Alert Regarding Vulnerability (CVE-2021-21972) in VMware vCenter Server appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/security-alert-updated-alert-regarding-vulnerability-cve-2021-21972-in-vmware-vcenter-server/?utm_source=rss&utm_medium=rss&utm_campaign=security-alert-updated-alert-regarding-vulnerability-cve-2021-21972-in-vmware-vcenter-server

Fixing the “Human Error” Problem

Last year, Verizon’s data breaches report showed that “human error” was the only factor with year-over-year increases in reported incidents. The average cost of data breaches from human error stands at $3.33 million, according to IBM’s Cost of a Data Breach Report 2020. Even big companies and government entities have fallen victim to data breaches […]

The post Fixing the “Human Error” Problem appeared first on The State of Security.

The post Fixing the “Human Error” Problem appeared first on Security Boulevard.


The post Fixing the “Human Error” Problem appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/fixing-the-human-error-problem/?utm_source=rss&utm_medium=rss&utm_campaign=fixing-the-human-error-problem

Network Security News Summary for Monday March 1st, 2021

A brief daily summary of what is important in cybersecurity. The podcast is published every weekday and designed to get you ready for the day with a brief, usually about 5 minutes long, summary of current network security-related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Storm Center. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .

The post Network Security News Summary for Monday March 1st, 2021 appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/network-security-news-summary-for-monday-march-1st-2021/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-monday-march-1st-2021

We are living in 1984 (ETERNALBLUE)

In the book 1984, the protagonist questions his sanity because his memory differs from what appears to be everybody else’s memory.

The Party said that Oceania had never been in alliance with Eurasia. He, Winston Smith, knew that Oceania had been in alliance with Eurasia as short a time as four years ago. But where did that knowledge exist? Only in his own consciousness, which in any case must soon be annihilated. And if all others accepted the lie which the Party imposed—if all records told the same tale—then the lie passed into history and became truth. ‘Who controls the past,’ ran the Party slogan, ‘controls the future: who controls the present controls the past.’ And yet the past, though of its nature alterable, never had been altered. Whatever was true now was true from everlasting to everlasting. It was quite simple. All that was needed was an unending series of victories over your own memory. ‘Reality control’, they called it: in Newspeak, ‘doublethink’.

I know that EternalBlue didn’t cause the Baltimore ransomware attack. When the attack happened, the entire cybersecurity community agreed that EternalBlue wasn’t responsible.

But this New York Times article said otherwise, blaming the Baltimore attack on EternalBlue. And there are hundreds of other news articles [eg] that agree, citing the New York Times. There are no news articles that dispute this.

In a recent book, the author of that article admits it’s not true, that EternalBlue didn’t cause the ransomware to spread. But they defend themselves as it being essentially true, that EternalBlue is responsible for a lot of bad things, even if technically, not in this case. Such errors are justified, on the grounds they are generalizations and simplifications needed for the mass audience.

So we are left with the situation Orwell describes: all records tell the same tale — when the lie passes into history, it becomes the truth.

Orwell continues:

He wondered, as he had many times wondered before, whether he himself was a lunatic. Perhaps a lunatic was simply a minority of one. At one time it had been a sign of madness to believe that the earth goes round the sun; today, to believe that the past is inalterable. He might be ALONE in holding that belief, and if alone, then a lunatic. But the thought of being a lunatic did not greatly trouble him: the horror was that he might also be wrong.

I’m definitely a lunatic, alone in my beliefs. I sure hope I’m not wrong.


Update: Other lunatics document their struggles with Minitrue:

The post We are living in 1984 (ETERNALBLUE) appeared first on Security Boulevard.


The post We are living in 1984 (ETERNALBLUE) appeared first on Malware Devil.



https://malwaredevil.com/2021/03/01/we-are-living-in-1984-eternalblue/?utm_source=rss&utm_medium=rss&utm_campaign=we-are-living-in-1984-eternalblue

Sunday, February 28, 2021

Maldocs: Protection Passwords, (Sun, Feb 28th)

In diary entry “Unprotecting Malicious Documents For Inspection” I explain how to deal with protected malicious Excel documents by removing the protection passwords.

I created a new version of my plugin plugin_biff that attempts to recover protection passwords with a dictionary attack.

Here I use it with Brad’s malicious spreadsheet sample:

It’s not possible to determine if the recovered passwords (piano1 and 1qaz2wsx) are the actual passwords used by the malicious actors, or if they are the result of hash collisions (it’s only a 32-bit hash). But they do work: you can remove the protections by using these passwords.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The post Maldocs: Protection Passwords, (Sun, Feb 28th) appeared first on Malware Devil.



https://malwaredevil.com/2021/02/28/maldocs-protection-passwords-sun-feb-28th/?utm_source=rss&utm_medium=rss&utm_campaign=maldocs-protection-passwords-sun-feb-28th

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...