Saturday, December 14, 2024
HomeCyber AttackChinese Hackers Using Open Source Tools To Launch Cyber Attacks

Chinese Hackers Using Open Source Tools To Launch Cyber Attacks

Published on

SIEM as a Service

Three Chinese state-backed threat groups, APT10, GALLIUM, and Stately Taurus, have repeatedly employed a modified version of the open-source network scanning tool NBTscan over the past decade. 

NBTscan, designed for network discovery and forensics, sends NetBIOS status queries to IP addresses within a specified range. 

By analyzing the responses, it extracts valuable information like IP addresses, computer names, logged-in usernames, and MAC addresses, as these threat groups have leveraged NBTscan’s capabilities to gather intelligence on target networks and compromise systems.

- Advertisement - SIEM as a Service

APT10, a Chinese threat group, has been identified as using a modified NBTscan tool to conduct reconnaissance against multiple targets.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

In Operation Cloud Hopper, they targeted managed IT service providers, searching for vulnerable endpoints and gathering system information. 

Similarly, in Operation Soft Cell, they focused on telecommunications providers worldwide, using NBTscan to identify available NetBIOS name servers, which allowed APT10 to map network infrastructure and identify potential entry points for further attacks.

Tools, malware, threat groups, and threat campaigns 

Microsoft identified GALLIUM, a Chinese state-affiliated threat group, as the perpetrator of attacks on global telecommunication providers in 2019, which employed a range of tools, primarily commercial or modified security software, to conduct reconnaissance and lateral movement within targeted networks. 

Among these tools, NBTscan was utilized to identify open NetBIOS nameservers on both local and remote TCP/IP networks, facilitating the group’s reconnaissance efforts.

The Chinese cyber espionage threat actor Stately Taurus, also known as Mustang Panda, has been identified as using the NBTscan tool to scan infected environments for live hosts, open ports, and domain information. 

This tool has also been reported to be used by other Chinese threat groups, such as Earth Lusca and TGR-STA-0043.

Over the past decade, Chinese threat actors have repeatedly employed NBTscan or modified versions of it, indicating its popularity among them.

APT40, a Chinese state-sponsored hacking group, has been utilizing the ScanBox reconnaissance tool for several years, which is a JavaScript-based framework that collects information about visitors to compromised websites, including their system details, location, and keystrokes. 

It has used ScanBox in targeted phishing campaigns against Australian government agencies, news media companies, and wind turbine manufacturers by customizing the ScanBox script for its campaigns and has been observed using it in conjunction with election-themed lures.

Chinese state-aligned APT group TGR-STA-0043, responsible for Operation Diplomatic Specter, has shifted its tactics by utilizing the newly developed penetration testing toolset Yasso. 

Unlike older tools often used by Chinese threat actors, Yasso offers advanced features like SQL penetration functions and database capabilities, which suggests a more sophisticated and well-resourced threat actor, potentially a state-sponsored group rather than a hired hacker. 

TGR-STA-0043 has been targeting governmental entities in the Middle East, Africa, and Asia, aiming to obtain sensitive information related to diplomacy, economics, military operations, and political affairs.

Earth Krahang, a Chinese-nexus threat actor, heavily employs open-source scanning tools to identify vulnerable targets for attacks such as sqlmap, nuclei, xray, pocsuite, and wordpressscan, which are often developed by Chinese-speaking developers. 

The Natto Team discovered a repository called “Scanners Box” containing hundreds of open-source scanning tools, many of which are Chinese-developed, which indicates a significant enthusiasm among Chinese developers for creating scanning tools, reflecting the popularity and importance of such tools in the security landscape.

Download Free Incident Response Plan Template for Your Security Team – Free Download

Varshini
Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Malicious ESLint Package Let Attackers Steal Data And Inject Remote Code

Cybercriminals exploited typosquatting to deploy a malicious npm package, `@typescript_eslinter/eslint`, targeting developers seeking the...

Hackers Target Android Users via WhatsApp to Steal Sensitive Data

Researchers analyzed a malicious Android sample created using Spynote RAT, targeting high-value assets in...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...