Cyber security firm Cybereason's 'DeadRinger' research has uncovered attack trends emanating from China in which third-party service providers are exploited to compromise multiple targets. Meanwhile, in the UK, cybersecurity officials admit to facing increased threats.
Cybereason has revealed its discovery of several previously unidentified cyber attack campaigns infiltrating major telecommunications providers in Southeast Asia.
In the report, titled "DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos", several clusters of attack activity were identified and are assessed to be the work of several leading Advanced Persistent Threat (APT) groups aligned with the interests of the Chinese government.
Like the recent 'SolarWinds' and 'Kaseya' attacks, the threat actors first compromised third-party service providers, but instead of using them to distribute malware through a supply chain attack, the intention was to exploit them to monitor their customers' confidential communications.
The report found that attackers were highly adaptive and worked diligently to mask their activity and maintain persistence on infected systems, dynamically responding to mitigation attempts and continuing to evade security efforts since at least 2017 – an indication that targets are of great value to attackers.
By exploiting vulnerabilities in Microsoft Exchange servers, the threat actors gained access to the targeted networks, from which they compromised critical network assets such as domain controllers (DCs) and billing systems containing highly sensitive data such as Call Detail Records (CDRs), allowing them to access the sensitive communications of anyone using the affected telecommunications services.
It is believed that the telecommunications companies were likely compromised in order to facilitate espionage against specific targets, such as businesses, political figures, government officials, law enforcement agencies, political activists and dissident factions of interest to the Chinese government. The three separate attack clusters have various ties to the Soft Cell, Naikon, and Group-3390 APT groups, all of which are known to operate in the interests of the Chinese government.
Cybereason observed significant overlap in tactics, techniques, and procedures (TTPs) in all three operations, supporting the assessment that each attacking group was tasked with parallel objectives by monitoring communications of specific high-value targets under the direction of a centralized coordination body aligned with the interests of the Chinese state.
While these attacks mainly compromised telecommunications companies in ASEAN countries (the Association of Southeast Asian Nations, an economic union comprising 10 member states), the same activity could be replicated in other parts of the world. Although the operations are believed to have been intended only for espionage, the attackers' objectives could easily shift from espionage to interference, potentially disrupting communications for millions of customers.
Cybereason's report comes shortly after the Biden administration publicly reprimanded China's Ministry of State Security for the recent "Hafnium" attacks, which again exploited vulnerabilities in unpatched Microsoft Exchange servers and endangered thousands of organizations around the world. Exploitation of these same vulnerabilities has been central to the success of the attacks detailed in this research.
Lior Div, CEO and Co-Founder of Cybereason, said: "The attacks are of great concern as they undermine the security of critical infrastructure providers and expose the confidential and proprietary information of public and private organizations that depend on secure communications to conduct their activities.
"These state-sponsored espionage operations not only have a negative impact on the customers and business partners of telecommunications operators, but they also have the potential to threaten the national security of countries in the region and those who have a direct interest in the stability of the region.
"That's why Cybereason has a global team of seasoned threat intelligence investigators whose goal is to expose advanced adversary tactics, techniques and procedures so that we can better protect organizations against this type of complex attack, now and in the future."
A separate survey released today by Bluefort Security Research suggests that the global pandemic has severely impacted the ability of information security officers (CISOs) at UK manufacturing, engineering and construction companies to protect their businesses against cybercriminals.
Interviews with 100 CISOs from manufacturing, engineering and construction companies revealed that the combination of the Covid-19 pandemic, the resulting accelerated digital switchover, and the current skills shortage has conspired to create a perfect cybersecurity storm, making them more vulnerable to attack than ever before.
72% said they considered their organization to be at greater risk of a cybersecurity attack due to the transition to working from home, with a third (32%) admitting that, due to tight budgets and shifted priorities, they have inevitably taken their eye off the ball over the past 12 months, losing sight of the flow of joiners, movers, leavers and devices.
About one in four respondents (26%) said that gaps in cybersecurity awareness and knowledge of staff have emerged, with a similar proportion expressing concerns about the provision of cybersecurity from supply chain partners.
Shockingly, over three-quarters (77%) of CISOs admitted that their company had experienced a cybersecurity incident in the past 12 months, despite the vast majority (82%) saying their organization had introduced security measures in response to teleworking. Almost half (42%) said mitigating cybersecurity threats was their top priority, while 51% prioritized Identity and Access Management during the same time frame.
Almost all respondents (93%) believe cyber risk management will become more complicated once Covid-19 restrictions are relaxed, with hybrid work introducing new challenges. 33% think that managing a remote workforce is more difficult; 21% said the threat surface is more disparate and diverse due to hybrid or remote work; 27% said it would be less clear where endpoint data is; and 18% simply said there would be more threats to fear.
The good news, as it stands, is that 90% of those surveyed said cybersecurity has become an increased priority for their company's board of directors over the past 12 months, enabling CISOs to invest in new technologies to meet emerging challenges. Automation, AI, machine learning, network detection and response, zero trust architecture, and endpoint detection and response are among the options being considered.
Ian Jennings, co-founder of BlueFort Security, commented: "It is no surprise that CISOs have had a particularly difficult time over the past 18 months. What shocked me was the severity of the impact. It's a sad story of lack of visibility – of their infrastructure, devices, and people – which has led to poor intelligence and limited control. The bright spot is the recognition that new technologies will play an important role in restoring the balance."