Cybersecurity Week in Review: 3/15/21
Posted by: GuidePoint Security
This week we feature:
- A new threat against telecommunications companies believed to originate with a Chinese government-sponsored espionage group
- A ransomware known as PYSA targeting the education, healthcare, government and private sector
- Warnings related to a new zero-day flaw actively being exploited on Chrome browsers
APT threat likely sponsored by Chinese government targeting telecommunication companies
An advanced persistent threat (APT) actor known as ‘Mustang Panda’ is targeting telecommunication companies in the U.S., Europe and Southeast Asia in an effort to steal data pertaining to 5G technology.
The APT has been dubbed Operation Dianxun and is believed to be part of a Chinese espionage campaign. Researchers suggest that the campaign is likely motivated by the ban in several countries against using Chinese technology in 5G telecommunications out of concerns that it may contain backdoors to enable spying. Security researchers have reported that the campaign leverages the same methods associated with Mustang Panda, a cyberthreat group previously associated with the Chinese government.
According to researchers, victims of Operation Dianxun were lured to a phishing site resembling the Huawei career site. Huawei is a Chinese company and a major developer of 5G technology. Once on the site, the victims were encouraged to download malware in the form of a fake Flash application. Notably, the site from which victims downloaded the fraudulent Flash malware was designed to look identical to the official Chinese website for legitimate Flash downloads. Once the systems were compromised, the malware then downloaded a Cobalt Strike attack kit.
The ‘Mustang Panda’ cybercrime/espionage group has a long history of association with the Chinese government. Its previous targets have included US-based think tanks, nongovernmental organizations (NGOs) associated with the Mongolian government, the Vatican and other Catholic organizations in Hong Kong and Italy, as well as activity related to Tibet-Ladakh relations and the United Nations General Assembly Security Council.
More on the Mustang Panda/China espionage threat against telecommunications companies can be read here and here.
PYSA ransomware targeting schools, governments, healthcare, and private sector companies
Organizations operating in the education, healthcare, government, and private sector in the U.S. and U.K. were warned by the FBI last week to watch out for new ransomware called PYSA (also known as Mespinoza) capable of exfiltrating and encrypting important data and files.
The threat compromises remote desktop protocol (RDP) credentials via phishing emails. The cybercriminals then explore the target network using Advanced Port Scanner and Advanced IP Scanner and install open-source tools such as PowerShell Empire, Koadic and Mimikatz. Antivirus capabilities are then deactivated before the ransomware is deployed. Data is stolen from the victims’ systems, sometimes using the free open-source software WinSCP5. All connected Windows and Linux devices and data are then encrypted.
The malware is stored in the folder C:\Users\%username%\Downloads\ under the file name svchost.exe, which researchers believe is meant to disguise the malware as the legitimate svchost.exe Windows process so that victims overlook it.
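The svchost.exe masquerade described above is easy to check for, because a genuine svchost.exe only ever runs from the Windows system directories. The following is an added detection example written for this review; it is not code from GuidePoint or the FBI alert. It runs a path-based rule over constructed, Sysmon-style process-creation records (the field names and the default C:\Windows install path are assumptions) and flags any svchost.exe image launched from elsewhere, such as a user's Downloads folder.

```python
"""Flag svchost.exe images launched from outside the Windows system directories.

Added example, not from the GuidePoint post or the FBI alert. The records below are
constructed, Sysmon-style process-creation events; the field names are an assumption.
"""
import ntpath
from typing import Dict, List

# Directories from which a genuine svchost.exe is expected to run (assumption:
# default Windows install path; adjust if %SystemRoot% differs in your estate).
TRUSTED_SVCHOST_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# Constructed sample events. Only "image" is inspected; the rest is for the alert text.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "ws02", "user": "CORP\\asmith", "image": r"C:\Users\asmith\Downloads\svchost.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws03", "user": "CORP\\bng", "image": r"C:\Windows\SysWOW64\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "ws04", "user": "CORP\\cli", "image": r"C:\Temp\SVCHOST.EXE",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws05", "user": "CORP\\jdoe", "image": r"C:\Program Files\Vendor\app.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def is_masquerading_svchost(image_path: str) -> bool:
    """True if the image is named svchost.exe but lives outside the trusted system dirs.

    Comparison is case-insensitive because Windows paths are.
    """
    directory, filename = ntpath.split(image_path)
    if filename.lower() != "svchost.exe":
        return False
    normalized = directory.lower().rstrip("\\")
    return normalized not in TRUSTED_SVCHOST_DIRS


def find_suspicious(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every process-creation event whose image fails the svchost path rule."""
    return [e for e in events if is_masquerading_svchost(e["image"])]


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print(f"[ALERT] {e['host']} {e['user']} spawned {e['image']} (parent: {e['parent']})")
```

In production the same rule belongs in the SIEM or EDR as a query over process-creation telemetry; a second, independent signal is that a legitimate svchost.exe is spawned by services.exe, so a svchost.exe child of explorer.exe or cmd.exe is worth a look even when the path is right.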
The ransom message includes information on how to contact the cybercriminals and even goes so far as to display frequently asked questions (FAQs).
The FBI alert discourages victims from paying the ransom, reminding them that payment does not guarantee file recovery. The FBI also urges victims to “report ransomware incidents to your local FBI field office or the FBI’s Internet Crime Complaint Center (IC3) (https://ic3.gov).”
More on this story is available here and here.
Google warns of new actively exploited Chrome zero-day
A new Chrome zero-day vulnerability (tracked as CVE-2021-21193) has been addressed by Google in version 89.0.4389.90, released last week for Windows, Mac, and Linux. The flaw is rated ‘high severity’ on the Common Vulnerability Scoring System (CVSS) scale with a score of 8.8 out of 10. Left unpatched, the flaw could enable a remote attacker to execute arbitrary code on a target system.
In its official statement, Google indicated that it was aware of reports that an exploit for CVE-2021-21193 existed in the wild.
Researchers have noted that this is the third zero-day security vulnerability found in Google Chrome over the last three months.
In most instances, the Chrome browser will update automatically to the new version. However, Chrome users can also confirm the update through these steps:
- On Windows: click Settings > About Chrome.
- On Macs: click Chrome > About Chrome.
Chrome will then check whether it is up to date and, if not, automatically update to the current version.
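Checking one browser by hand is fine for a single machine; across a fleet, the same question is usually answered from inventory data. The following added example (not code from GuidePoint or Google) compares reported Chrome version strings against the fixed build 89.0.4389.90 named above. The host inventory is constructed. The point worth noticing is that versions must be compared field by field as integers: a plain string comparison would rank 89.0.4389.9 above 89.0.4389.90.

```python
"""Report hosts whose Chrome is older than the build that fixed CVE-2021-21193.

Added example, not from the GuidePoint post or Google. The inventory is constructed.
"""
from typing import Dict, List, Optional, Tuple

# Version in which Google shipped the fix, as stated in the post.
FIXED_CHROME_VERSION = "89.0.4389.90"


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '89.0.4389.90' into (89, 0, 4389, 90); return None if the string is malformed."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_CHROME_VERSION) -> Optional[bool]:
    """True if installed >= fixed, False if older, None if the version cannot be parsed."""
    inst = parse_version(installed)
    fix = parse_version(fixed)
    if inst is None or fix is None:
        return None
    # Pad the shorter tuple so that '89.0.4389' compares like '89.0.4389.0'.
    width = max(len(inst), len(fix))
    inst += (0,) * (width - len(inst))
    fix += (0,) * (width - len(fix))
    return inst >= fix


# Constructed inventory: hostname -> Chrome version as reported by the endpoint agent.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws01": "89.0.4389.90",
    "ws02": "89.0.4389.82",
    "ws03": "89.0.4389.114",
    "ws04": "88.0.4324.190",
    "ws05": "unknown",
}


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Hosts below the fixed version, plus hosts whose version could not be read.

    An unreadable version is treated as needing attention rather than silently passing.
    """
    return sorted(host for host, ver in inventory.items() if is_patched(ver) is not True)


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} needs attention")
```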
Additional information on the latest Chrome vulnerability can be found here and here.
Final Words
State-sponsored cyberattacks have increased dramatically in the last decade. The non-partisan think tank the Council on Foreign Relations (CFR) reports that 77% of all state-sponsored cyberattack operations originate in China, Russia, Iran and North Korea.
In 2019 and 2020, state-sponsored attacks against the private sector included organizations in IT, health care, finance, biomedical research, media, as well as US government contractors, utility companies, universities and think tanks. State-sponsored attacks have also focused heavily on political campaigns, advocacy groups and journalists.
In addition to last week’s attacks against 5G telecommunications companies in the United States, the recent attack against Microsoft Exchange systems has been described as ‘highly sophisticated’ and attributed to the Chinese state-sponsored group Hafnium.
In a recent blog, Microsoft states that the Hafnium attacks constitute “the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society; other activity we disclosed has targeted healthcare organizations fighting Covid-19, political campaigns and others involved in the 2020 elections, and high-profile attendees of major policymaking conferences.”
While spying and espionage have always been part of a nation’s intelligence-gathering process, countries like China, Russia, Iran and North Korea have taken state-sponsored espionage to a new level, supporting (and in some instances likely endorsing and financing) criminal acts that have destroyed private businesses and personal livelihoods.
There is no easy answer to this increasingly dangerous situation, given the complexity of the issue. However, it is critical for governments, businesses and cybersecurity professionals to continue communicating and collaborating on the best ways to stop state-sponsored cybercrime and espionage.