[Security Weekly] Chinese APT Group Naikon Found Infiltrating Seven APAC Countries
3rd Week of May 2020
1. Chinese APT group Naikon found infiltrating seven countries in Asia Pacific
Earlier in May, cyber threat intelligence agency Check Point detected “the most extensive operation ever seen by a Chinese APT group”. The state-backed hacker group Naikon, an advanced persistent threat (APT), was found to have launched consistent espionage operations over the past five years against seven countries in the Asia Pacific region, including Australia, Indonesia, Thailand, Philippines, Vietnam, Myanmar, and Brunei.
Recently, the Government of Western Australia received an email from an embassy in one of the APAC countries containing a malicious word document. This incident is what prompted Check Point to launch a series of investigations.
Naikon was initially discovered by Kaspersky in 2015, when it was found to target governments around the South China Sea. Since then, the group has gone under the radar for five years, only to be found out today that it has been quietly infiltrating multiple governments.
Naikon’s primary operation is to first infiltrate government bodies by entering their IT systems. It would then use the stolen data and documents to launch further attacks against targets of interest, whether they are governments, organizations, or individuals.
Naikon uses a variety of phishing methods, some require the user to open an infected word document, others simply inject malware directly into the victim’s machine with an executable file. However, it is the sophisticated malware that has allowed the group to stay undetected for so long. Over the years, Naikon has developed an RAT1 named Aria-body that is extremely capable of avoiding detections.
According to Check Point, Naikon mostly targets government departments relating to foreign affairs, science and technology, as well as state-owned corporations.
Source: Check Point Research
1 A remote access trojan (RAT) is a malware program that includes a back door, allowing for remote administrative control to the targeted device.
2. Hacker group sells 164 million user records stolen from 11 companies on the dark web
A hacker group named Shiny Hunters has been selling user records of up to 11 different companies over the course of the past two weeks.
It all started in early May when the group breached Indonesia’s largest e-commerce website Tokopedia and posted 15 million of its user data online, perhaps as a means of gaining attention. It later posted all 90 million user records of Tokopedia for sale at a price of $5,000.
A few days later, the group posted 22 million records from India’s popular online learning platform Unacademy. The company later confirmed the breach.
Soon after, the group claimed to have hacked into Microsoft’s GitHub account and leaked confidential files of the company’s source code repositories.
By the end of last week, Shiny Hunter has flooded the dark web with confidential data stolen from a total of 11 companies across the world. Other than the those mentioned above, impacted companies include food delivery provider Home Chef (8 million records sold for $2,500), dating app Zoosk (30 million records sold for $500), fashion platform StyleShare (6 million records sold for $2,700), online designer market Minted (5 million records at $2,500), online store Bhinneka (1.2 million records at $1,200), furniture magazine Ggumim (2 million records at $1,300), health magazine Mindful (2 million records at $1,300), StarTribune (1 million records at $1,000), and printing service Chatbooks (15 million records at $3,500).
Some of the affected companies have not yet made any official response about the incident. Nevertheless, security experts from multiple firms believe that Shiny Hunters is a legitimate threat group.
3. Newly discovered Ramsay malware can infect air-gapped networks
Web security firm ESET made an announcement earlier this week that its security researchers have discovered a new type of malware operating on a framework never seen before. Named Ramsay, the malware appears to be capable of jumping into an air-gapped network.
Air gapping is the practice of isolating a portion of the corporate network from the rest of the network, in which the isolated network would be inaccessible from the rest of the company, nor from the Internet. Considered as the strictest security measure, air-gapped networks are usually created by government organizations and large corporations to store highly sensitive information.
The intrusion of an air-gapped network is extremely rare, but the new Ramsay malware serves as an alarming sign. ESET found three different versions of Ramsay that slightly differ in their attack mechanism. Nonetheless, all three versions serve the same purpose – to gather Word, PDF, and compressed folders from a computer, store them in a hidden folder, and exfiltrate them at a later time. The underlying mechanism behind how Ramsay is capable of jumping over the air gap remains unclear.
Air gapping should serve as the last line of defense for sensitive information. Before that, it is important to stop the malware from getting into the corporate network in the first place. Malware programs are usually injected by leveraging web application vulnerabilities. By using a web application firewall like Penta Security’s WAPPLES, these attacks can be effectively stopped well before they even come close to the air-gapped network.
4. Railway vehicle manufacturer Stadler hit by ransomware attack
Stadler, a Swiss-based manufacturer of railway vehicles, made a public announcement on May 7 about suffering a ransomware attack, in which the attackers may have stolen confidential data from the company.
Stadler primarily exports trains and streetcars, operating with nine subsidiaries and nearly 9,000 employees across the globe. According to the disclosure, the attackers infiltrated the company’s IT network and installed malware on many devices. Stadler also revealed that the attackers threatened to leak confidential data stolen from the company unless a large ransom is paid.
Even though Stadler did not explicitly say it was a ransomware attack, Swiss media reported that the company’s operation was affected worldwide, signaling that the attackers may have encrypted some of its systems. There is a fair chance that the attackers would release a portion of the data online if Stadler chooses to not pay the ransom.
The company has hired a team of external security professionals to respond to the incident. However, there is really not much one can do after suffering a ransomware attack. The best solution is to have robust security measures to prevent them in the first place.
5. Healthcare solutions provider Magellan Health suffers ransomware attack
Magellan Health, a US-based provider of managed healthcare solutions ranking 417th on Fortune 500, issued a notification on May 12 alerting its employees that their personal information may have been compromised following a ransomware attack.
Forensic investigation suggests that the attack can be traced back to an email the company received on April 6. The email appeared to be sent from a legitimate client, but was in fact infected with malware. Only a few days after the email was opened, the attackers compromised a server within the company’s IT system and exfiltrated the database before encrypting them.
The stolen data included the names, home addresses, employee IDs, taxpayer IDs, and social security numbers belonging to the company’s employees. What’s worse is that the attacker also injected a second piece of malware that was able to steal login credentials.
Magellan reported the case to the FBI and the Office of the Attorney General of California, and promised to offer free identity theft protection service for those affected. It is not clear yet whether the company would be paying the ransom.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Web Application Firewall for Cloud: WAPPLES SA
Database Encryption: D’Amo
Smart Car Security: AutoCrypt