
Chinese-speaking cyberespionage group APT10 crawls towards Southeast Asia

Information Technology Press Releases, Tuesday, 10 September B.E. 2562 (2019), 16:08

Bangkok--10 Sep.--Kaspersky

After closely monitoring the activities of the infamous cyberespionage group, Kaspersky has detected new infection attempts from APT10 against organisations located in the Southeast Asia region. The global cybersecurity company has observed a new wave of attacks potentially targeting health and medical facilities in Malaysia between October and December last year and in Vietnam between February and May 2019.

The malware used in the two countries differs from the tools APT10 is known for, but the goal remains the same – to steal credentials and confidential information from the infected machines.

"We have been monitoring several operations of APT10, particularly in Japan where they caused information leakage and serious reputational damage. They are known in the industry for their stealthy and large-scale cyberespionage campaigns, always hungry for confidential information and even trade secrets. Now they are extending their geography of attack towards Southeast Asia, potentially setting eyes on some medical organisations and associations in Malaysia and Vietnam," reveals Suguru Ishimaru, security researcher at Kaspersky.

APT10 -- also known as MenuPass, StonePanda, ChessMaster, Cloud Hopper, and Red Apollo -- is known for several high-profile attacks against different industries, including information and technology, government and defence, telecommunications, academic, medical, healthcare and pharmaceutical since 2009.

Back in December last year, a report from PwC revealed that the alleged nation-backed group has successfully infected key MSP (managed service provider) companies such as Hewlett Packard Enterprise Co and IBM. Through this breach, the actors have stolen sensitive corporate data from the affected firms' clients. Among the alleged targets were Australian corporations.

Several recent reports have also described researchers spotting APT10 infections in the Philippines, as well as against telecommunication providers in Europe, Africa, the Middle East, and Asia.

The group is widely known in the cybersecurity industry as a Chinese-speaking cyberespionage group. While their target sectors have been changing since their first known attack, their goal to steal important information including confidential data, defence intelligence, and corporate secrets remains unchanged.

APT10 uses trial and error in its covert operations

APT10 is known for having used multiple types of RATs, or remote access Trojans, in the past, including Poison Ivy, PlugX, ChChes, Redleaves, and more.

In 2017, Kaspersky detected PlugX malware in pharmaceutical organisations in Vietnam, used to steal valuable drug formulas and business information. This malware is usually spread via spear phishing and has previously been used by other Chinese-speaking actors in targeted attacks against military, government and political organisations.

In terms of its malicious activities in Japan, the notorious APT10 used Redleaves, a fileless malware which runs only in memory, and its variants from October 2016 to April 2018. Kaspersky researchers have discovered 120+ malicious modules of Redleaves and its variants like Himawari and Lavender.

In Himawari samples, researchers found medical terminology as well as decoy documents related to medical, healthcare, and pharmaceutical organisations. All detected samples targeting the medical industry were also password-protected, which prevented researchers from conducting further analysis.

"In April 2018, we have observed a new trick being used by APT10 – Zark20rk. It is another variant of Redleaves but the hackers behind this group updated some crypto algorithms, data structure, and malware features adding some key strings related to Russia. Based on their behavioural patterns, we can say this is another false flag planted to confuse researchers monitoring their movements," explains Ishimaru.

For the attacks potentially against healthcare organisations in Malaysia and Vietnam, Kaspersky found that the group has changed its main RAT from Redleaves to a well-known backdoor called ANEL. An ANEL infection usually starts with a malicious Word document containing a VBA macro that installs the ANEL modules.

To further hide their actions, APT10 embedded several anti-AV and anti-reversing methods in ANEL and its modules, such as: strong obfuscation for anti-reversing, DLL side-loading for AV evasion, multiple layers of encryption for the malware configuration and for communication with C2s (command and control servers), as well as fileless execution that runs only in memory, like Redleaves.
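The infection chain described above starts with a Word document carrying a VBA macro, and the earlier samples arrived as password-protected attachments. A defender's first triage step is therefore to tell macro-enabled Office attachments apart from clean ones before they reach a user. The following script is an added example, not Kaspersky's code or anything from the APT10 samples: it inspects the OOXML (ZIP) container for the `word/vbaProject.bin` part and the macro-enabled content type, flags legacy OLE2 files (which is also how password-protected Office documents are wrapped) for manual review, and builds constructed sample documents so it runs offline. All file contents here are constructed placeholders.

```python
import io
import zipfile

# Well-known container signatures: ZIP local-file header (OOXML .docx/.docm)
# and the OLE2 compound-file signature (legacy .doc, and encrypted Office files).
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Where a VBA project lives inside an OOXML Word container, and the content
# type Word declares for a macro-enabled main document part.
MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
CLEAN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def classify_office_document(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'unknown'.

    Either indicator (the vbaProject.bin part or the macro-enabled content
    type) is enough to flag the file, so a renamed .docm does not slip through.
    OLE2 containers cannot be inspected with zipfile and are handed off for
    review with an OLE parser instead of being silently passed.
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "unknown"
    if MACRO_PART in names or MACRO_CONTENT_TYPE in content_types:
        return "ooxml-macro"
    return "ooxml-clean"


def scan_attachments(attachments: dict) -> dict:
    """Classify a mapping of attachment name -> raw bytes."""
    return {name: classify_office_document(blob) for name, blob in attachments.items()}


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real document."""
    buf = io.BytesIO()
    main_type = MACRO_CONTENT_TYPE if macro else CLEAN_CONTENT_TYPE
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types><Override PartName="/word/document.xml" '
            f'ContentType="{main_type}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr(MACRO_PART, b"\x00" * 16)  # placeholder bytes, not a VBA project
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed mailbox: one macro document, one clean one, one OLE2 stub, one PDF.
    samples = {
        "invoice.docm": build_sample(macro=True),
        "agenda.docx": build_sample(macro=False),
        "report.doc": OLE_MAGIC + b"\x00" * 8,
        "brochure.pdf": b"%PDF-1.4\n",
    }
    for name, verdict in scan_attachments(samples).items():
        print(f"{name:14s} -> {verdict}")
```

The verdicts are meant to drive policy, not to replace a full parser: `ooxml-macro` should be quarantined or detonated in a sandbox, `ole-legacy` sent to an OLE-aware tool (and, if it turns out to be password-protected, held until the password is supplied out of band), and only `ooxml-clean` delivered straight to the user.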

"With password-protected attachments, complicated obfuscations, evolving evasion tricks, and encrypted modules using multiple algorithms, APT10 is undoubtedly paying a lot of attention on how they conduct their attacks. Through trial and error, they are in search for the best technique to infect their specific targets. And based on the results of our investigation and the pattern of their attack behaviour, medical and healthcare industry are definitely well within the radar of this group," he adds.

Healthcare's defence against APT10

Given the sophisticated nature of APT10's techniques, Kaspersky suggests that healthcare companies consider security solutions beyond anti-virus, preferably a solution built around a Machine Learning core (Targeted Attack Analyzer) that combines advanced detection capabilities using static, behavioural, cloud reputation, sandboxing, YARA and pattern-based detection engines.

Real-time and comprehensive threat intelligence services are also necessary to build an organisation's immunity against unseen cyberattacks. Such services give a 360-degree view of the tactics and tools used by past and current known threat actors, making it easier to prevent and detect complex attack attempts.
