Sunday, July 14, 2024

Chinese Hacker Groups Using Off-The-Shelf Tools To Deploy Ransomware

Cyberespionage actors are increasingly using ransomware as the final stage of an attack, whether for financial gain, for disruption, or to cover their tracks. A SentinelLabs report details previously undisclosed attacks by a suspected Chinese APT group, ChamelGang, which used CatB ransomware against a major Indian healthcare institution and the Brazilian Presidency in 2022.

ChamelGang also targeted other government and critical infrastructure organizations.

Another intrusion cluster using common encryption tools like BestCrypt and BitLocker hit various industries across North America, South America, and Europe, with a focus on US manufacturing.


While the source of this second cluster is unclear, there are overlaps with past intrusions linked to suspected Chinese and North Korean APT groups. 

BestCrypt & BitLocker targets

Researchers analyzed two APT clusters targeting governments and critical infrastructure sectors globally between 2021 and 2023. One cluster is linked to ChamelGang, a suspected Chinese APT group. 

In 2023, ChamelGang targeted a government organization in East Asia and an aviation organization in the Indian subcontinent, using their known tools and techniques. 

They are also suspected to be behind the 2022 ransomware attacks on the Presidency of Brazil and the All India Institute of Medical Sciences, likely using their CatB ransomware. This attribution rests on overlaps in code, staging mechanisms, and malware artifacts with other ChamelGang intrusions.

The second cluster consists of intrusions between 2021 and 2023 in which attackers abused legitimate disk encryption tools, Jetico BestCrypt and Microsoft BitLocker, to encrypt victim endpoints for ransom. Thirty-seven organizations, primarily in North America's manufacturing sector, were affected.

The attackers leveraged compromised access to deploy the encryption tools, impacting the education, finance, healthcare, and legal sectors as well.
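Because the tools abused in this cluster are legitimate, signature-based detection of the binaries themselves is of little use; what a defender can watch for is encryption tooling being driven from unexpected accounts or with state-changing switches. The following Python script is an added example, not code from the article or from SentinelLabs. It runs a small heuristic over a constructed, simplified CSV of process-creation events (the kind of data Windows Security event 4688 or Sysmon event ID 1 provides), flagging manage-bde.exe and Enable-BitLocker invocations that enable encryption, lock volumes, or remove protectors, and any execution of a BestCrypt binary. The column names, the service-account allowlist, the host names and the BestCrypt executable name are all assumptions or placeholders; the manage-bde switches are real.

```python
"""Heuristic detection of disk-encryption-tool abuse in process-creation logs.

Added example; not from the article or SentinelLabs. The CSV layout, the
allowlisted account and the BestCrypt executable name are assumptions.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

# Images that can change BitLocker state, and the command-line shapes that do so.
# The manage-bde switches (-on, -forcerecovery, -protectors -delete, -lock) and the
# Enable-BitLocker cmdlet are real; "-status" style queries deliberately do not match.
BITLOCKER_IMAGES = {"manage-bde.exe", "powershell.exe", "pwsh.exe"}
BITLOCKER_PATTERNS = [
    re.compile(r"manage-bde(\.exe)?\b.*?\s-on\b", re.I),
    re.compile(r"manage-bde(\.exe)?\b.*?\s-forcerecovery\b", re.I),
    re.compile(r"manage-bde(\.exe)?\b.*?\s-protectors\s+-delete\b", re.I),
    re.compile(r"manage-bde(\.exe)?\b.*?\s-lock\b", re.I),
    re.compile(r"\bEnable-BitLocker\b", re.I),
]
# Placeholder: replace with the BestCrypt executable names observed in your estate.
BESTCRYPT_IMAGES = {"bestcrypt-placeholder.exe"}

# Constructed allowlist: the only account expected to roll out disk encryption.
APPROVED_USERS = {"CORP\\svc-endpoint-mgmt"}


@dataclass
class Finding:
    host: str
    user: str
    image: str
    reason: str


def classify_event(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious encryption-tool invocation, else None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["command_line"]
    user = event["user"]

    if image in BESTCRYPT_IMAGES:
        reason = "BestCrypt binary executed"
    elif image in BITLOCKER_IMAGES and any(p.search(cmdline) for p in BITLOCKER_PATTERNS):
        reason = "BitLocker state change via command line"
    else:
        return None

    # Expected rollouts by the approved account are not alerted on.
    if user in APPROVED_USERS:
        return None
    return Finding(event["host"], user, image, reason)


def scan(log_text: str) -> list:
    """Parse CSV process-creation events and collect findings in log order."""
    reader = csv.DictReader(io.StringIO(log_text))
    return [f for f in (classify_event(e) for e in reader) if f is not None]


# Constructed sample log: one approved rollout, one status query, and four
# invocations that a defender would want to review.
SAMPLE_LOG = """\
host,user,image,command_line
WS-0412,CORP\\svc-endpoint-mgmt,C:\\Windows\\System32\\manage-bde.exe,manage-bde.exe -on C: -RecoveryPassword
WS-0413,CORP\\jdoe,C:\\Windows\\System32\\manage-bde.exe,manage-bde.exe -on D: -UsedSpaceOnly -SkipHardwareTest
WS-0413,CORP\\jdoe,C:\\Windows\\System32\\manage-bde.exe,manage-bde.exe -protectors -delete D:
FS-01,CORP\\admin7,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -nop -c Enable-BitLocker -MountPoint E: -PasswordProtector
WS-0500,CORP\\jdoe,C:\\Windows\\System32\\manage-bde.exe,manage-bde.exe -status
WS-0501,CORP\\mlee,C:\\Temp\\bestcrypt-placeholder.exe,bestcrypt-placeholder.exe /encrypt
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.host}\t{finding.user}\t{finding.image}\t{finding.reason}")
```

On the sample data the script reports four events: the two jdoe invocations on WS-0413 (enabling encryption on a volume and then deleting its protectors), the PowerShell Enable-BitLocker call on FS-01, and the BestCrypt execution on WS-0501. The approved rollout and the read-only `-status` query are ignored. In a real deployment the allowlist would be replaced by the account and change-window used by the organization's encryption rollout, and the two WS-0413 events would be correlated as a single incident on one host.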

Cyberespionage actors are increasingly using ransomware for more than financial gain: the encryption can destroy forensic artifacts, hindering attribution and deflecting blame.

Additionally, the urgency of data recovery can distract security teams, allowing further espionage activity to go unnoticed. This convergence of cybercrime and espionage tactics creates challenges for defenders.

Siloed information sharing between law enforcement (ransomware focus) and intelligence agencies (espionage focus) can lead to missed opportunities to identify threats, assess risks, and maintain a clear understanding of the overall cyber landscape. 

SentinelLabs stresses collaboration on incidents that mix cybercrime and espionage: sharing data, examining artifacts, and analyzing the bigger picture of ransomware attacks in order to better identify attackers, their goals, and their motivations.

They are actively tracking cyberespionage groups that blur the lines between traditional categories and aim to share knowledge to help organizations defend against these threats.
