The “Winnti Umbrella” And How It Is Linked To Chinese Intelligence Networks With Political Agenda

Researchers concluded that the recent Winnti attacks against gaming and tech companies are linked to a coordinated Chinese Intelligence Network with political goals.
Researchers concluded that the Winnti attacks in recent years are connected to Chinese Intelligence. Photo: Blogtrepreneur | Flickr | CC BY 2.0

A coordinated Chinese intelligence network has been linked to the malware previously reported in an attack on a Vietnamese gaming company, whose sightings have been increasing, and links among other attacks have led researchers to conclude that they were part of Chinese state intelligence operations from 2009 to 2018, a cybersecurity researcher said.

In May 2018, Tom Hegel of AT&T Alien Labs, a cybersecurity research firm, established a connection between several previously unconnected, publicly disclosed cyber attacks using the Winnti malware and said that they were part of a coordinated intelligence effort originating from China.

“The purpose of this report is to make public previously unreported links that exist between several Chinese state intelligence operations. These operations and the groups that perform them are all linked to the Winnti umbrella and operate under the Chinese state intelligence apparatus. Contained in this report are details about previously unknown attacks against organizations and how these attacks are linked to the evolution of the Chinese intelligence apparatus over the past decade,” the study reads about the purpose of the research.

Results of the study reveal that the initial attacks targeted software and gaming organizations in the United States, Japan, South Korea, and China, while later, larger attacks were said to be politically motivated and aimed at high-profile technology companies.

While the group often experiments with other forms of break-in, new tooling, and attack methodologies, the study suggested that the use of Winnti has been very consistent throughout the attacks linked to the Chinese organization.

“The theft of code signing certificates is a primary objective of the Winnti umbrella’s initial attacks, with potential secondary objectives based around financial gain,” the researcher said in the publication of his results.

According to the study, Winnti has been used in different cyber attacks since 2009, with some reports stating that it could date back to 2007. The researcher was deliberate in calling the group an “umbrella”, as the term refers explicitly to the “overarching entity consists of multiple teams/actors whose tactics, techniques, and procedures align, and whose infrastructure and operations overlap.”

One of the most striking results of the study is how the researchers were able to build connections among the different attacks. The research showed that while the primary goal of the attacks was economic, their long-term objective is political, which links the umbrella to the Chinese intelligence network.

“It’s important to note that not all publicly reported operations related to Chinese intelligence are tracked or linked to this group of actors. However, TTPs, infrastructure, and tooling show some overlap with other Chinese-speaking threat actors, suggesting that the Chinese intelligence community shares human and technological resources across organizations,” the study reads.

Screenshot from Tom Hegel / Twitter

According to Hegel’s Twitter post, the attacks associated with the malware umbrella start with a phishing email. Once in, the attackers steal internal technical documents and code signing certificates, sometimes modify source code, and even seek out cryptocurrency.

Recent Winnti Sighting

A week ago, researchers also found a Linux version of the Winnti malware. The discovery was made by researchers from Chronicle, Alphabet’s cybersecurity division. They revealed that the Linux variant works as a backdoor on infected hosts, granting attackers access to compromised systems. Winnti was the malware used by Chinese hackers in the high-profile attack against a Vietnamese game company in 2015.

Chronicle researchers said that they discovered the malware following news that Bayer, one of the biggest pharmaceutical companies in the world, had been hit by Chinese hackers and that the Winnti malware had been found on its servers.

After the team scanned Bayer’s system using its VirusTotal platform, they found what appeared to be a Linux variant of Winnti dating back to 2015, when it was first used by Chinese hackers to attack a Vietnamese gaming company.

“As with other versions of Winnti, the core component of the malware doesn’t natively provide the operators with distinct functionality. This component is primarily designed to handle communications and the deployment of modules directly from the command-and-control servers. During our analysis, we were unable to recover any active plugins. However, prior reporting suggests that the operators commonly deploy plugins for remote command execution, file exfiltration, and socks5 proxying on the infected host. We expect similar functionality to be leveraged via additional modules for Linux,” said the researchers in their comprehensive report.


These Series Of Ransomware Attacks Is More Than Just For Ransom — And The Government Should Listen And Investigate


Experts warn that the series of ransomware attacks against US City and state agencies is a message that the government should listen to.
Ransomware are plaguing city governments and experts warn that it will get worse. Photo: Christiaan Colen | Flickr | CC BY-SA 2.0

The ransomware epidemic is growing stronger, and researchers and tech experts warn that it will get much worse. Many ransomware attacks have been launched against city governments and private businesses, and they have effectively shut down government systems and social services in different states across the U.S.

According to a report by cybersecurity firm Recorded Future, recorded attacks rose from 38 in 2017 to 53 in 2018, and researchers noted that those numbers are expected to rise in the next few years.

Ransomware is not a new phenomenon. While malware in general remains the biggest threat in cybersecurity, ransomware is gaining notoriety. In a typical ransomware attack, the attacker delivers a Trojan, a worm, or other malware to a system and then demands payment in exchange for the remedy to the ransomware. Sometimes, attackers threaten to publish the victim’s database or other secured information hidden within its system unless a ransom is paid.

Starting from around 2012, the use of ransomware scams has grown internationally. There were 181.5 million ransomware attacks in the first six months of 2018, a 229% increase over the same period in 2017.

In June 2014, vendor McAfee released data showing that it had collected more than double the number of ransomware samples that quarter than it had in the same quarter of the previous year. CryptoLocker was particularly successful, procuring an estimated $3 million before it was taken down by authorities, and CryptoWall was determined by the US Federal Bureau of Investigation (FBI) to have accrued over $18 million by June 2015.

Atlanta ransomware attack

In probably one of the most significant and most damaging ransomware attacks in recent U.S. history, Atlanta became one of the latest victims of ransomware back in March 2018. The attack knocked almost all of the city’s agencies offline, freezing most social services, including scheduling court cases and paying utility bills online. Furthermore, the ransomware caused decades’ worth of official correspondence to disappear into thin air.

Reports reveal that it took the city more than $17 million in costs to recover from the devastating effects of the ransomware.

Several tech experts have said that other cities should take the case of Atlanta as a “wake-up call” for how vulnerable local and state governments are to these types of cyber crimes, and how underprepared they are to resist them. However, these calls seem to have fallen on deaf ears.

More and more cities are being attacked

Just over 12 months later, Baltimore is in the throes of its own costly ransomware attack. Now in its sixth week, the attack has left officials unable to process payments or even respond to emails. And Baltimore is not alone. In just the last two months, there have been ransomware attacks in Greenville, North Carolina; Imperial County, California; Stuart, Florida; Cleveland, Ohio; Augusta, Maine; Lynn, Massachusetts; and Cartersville, Georgia.


Increasing security defenses in companies shifted the target to government agencies

As corporations improve their security firewalls to prevent attacks like malware and ransomware against their systems, hackers have found new ways to infiltrate vulnerable municipal and city systems whose defenses are much weaker. Add to that the fact that many cities and states have started to digitize their records and services in recent years, leaving their immature systems vulnerable to all sorts of cyber crimes.


“The government knows it needs to change, but they move slowly compared to how quickly private business can pivot to manage their exposure to a new threat,” Gary Hayslip, a cybersecurity expert who previously acted as a chief information security officer for San Diego, said. “Until it is mandated that cities, counties, and states meet a specific level of security and have to demonstrate it as is done in business for compliance periodically, government entities will continue to be low-hanging fruit and cybercriminals don’t mind eating them for lunch.”

Moreover, because of improvements in technology and the availability of information online, it has become easier for cybercriminals to launch an attack. “On the dark web, there are lots of available tools for relative novices to craft together pretty effective pieces of ransomware technology,” said Chris Kennedy, chief information security officer at cybersecurity company AttackIQ. “It’s the ‘Idiots Guide to Hacking.’”


But with the growing number of cities and state agencies falling victims to ransomware attacks, will the government now listen? Maybe.


A New Strain Of ‘Houdini’ Malware Is On Sale For $50 Per Month In The Black Market

The new Houdini malware targets financial institutions and their customers.


A new strain of the Houdini malware known as Hworm has been discovered and it is now on sale in blackmarkets for $50 per month subscription.
A new strain of the Houdini malware known as Hworm has been discovered. Photo: Christoph Scholz | Flickr | CC BY-SA 2.0

When someone mentions Houdini, the name almost instantly recalls the world’s greatest magician and escape artist. But cybercriminals have found a way to transform the man’s legacy into something feared and unwanted. A new strain of the Houdini worm has been detected by security researchers and is being used in a new series of campaigns against financial institutions and their customers.

A few days ago, a report from cybersecurity researchers at Cofense confirmed that a new strain of the Houdini malware, also known as Hworm, was released by its creators on June 2, 2019.

The new Houdini malware took only five days to start wreaking havoc and seeking out victims via malicious phishing campaigns. According to the report, the main goal of the malware is to steal online banking credentials, which the culprits could later use to make fraudulent online purchases. It uses a tool dubbed WSH Remote Access Tool (RAT).

“Houdini Worm (HWorm) – a misleading name because it has more in common with a bot or RAT than a worm – has existed since at least 2013 and shares extreme similarities with what is undoubtedly its malignant siblings: njRAT and njWorm. This new iteration comes ported to JavaScript (JS) from HWorm’s original codebase of Visual Basic. WSH is likely a reference to the legitimate Windows Script Host, which is an application used to execute scripts on Windows machines,” wrote the researchers in a blog post.

How does it work?

The cybercriminals disguised the phishing campaign as legitimate emails from various financial institutions and banks. One bank whose name was used by the hackers is HSBC. The fraudulent emails contain .MHT web archive files, which act the same way as HTML files.

The phishing email delivering WSH RAT within an attachment. Photo: Cofense

“The email attachment contained an MHT file that is used by threat operators in the same way as HTML files. In this case, the MHT file contained an href link which when opened, directed victims to a .zip archive containing a version of WSH RAT,” they added.

When the MHT file, which contains a web address link, is opened, it directs victims to a .zip archive containing the WSH RAT payload. WSH RAT uses the same configuration structure that Hworm uses for this process.

WSH RAT is a version of HWorm that has been ported to JavaScript from HWorm’s original Visual Basic codebase but behaves the same way as the original malware. The Trojan not only uses the same Base64-encoded data, which Cofense describes as “mangled”, but also the same configuration strings, with default variables named and organized in the same way in both pieces of malicious code.

The Trojan first communicates with a command and control server controlled by the cybercriminal, requesting three additional .tar.gz files. These files, however, are PE32 executables that provide the Trojan with a Windows keylogger, a mail credential viewer, and a browser credential viewer module.

It is also noteworthy that these modules were developed by other third parties and cannot be attributed to the original creator of the Houdini worm. Furthermore, reports reveal that the malware is being actively sold in underground forums and on the black market. The price is said to be $50 per month on a subscription basis. Sellers market their product by waxing eloquent about WSH RAT’s Windows XP and Windows 10 compatibility, evasion techniques, and credential-stealing capabilities, among other things.
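As an added defender-side example (not code from Cofense or from the original article), the following Python models the two delivery stages described above: it parses an MHT attachment for href links that point at archives, and it flags a second-stage file named like a .tar.gz that actually begins with a PE “MZ” header rather than gzip magic. The MHT body, hostnames and file names are constructed samples, not indicators from the campaign.

```python
import email
import re
from email import policy

GZIP_MAGIC = b"\x1f\x8b"   # every gzip (.gz / .tar.gz) stream starts with these two bytes
PE_MAGIC = b"MZ"           # every Windows PE executable starts with the DOS 'MZ' header
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
ARCHIVE_EXTS = (".zip", ".rar", ".7z")


def archive_links_in_mht(mht_bytes: bytes) -> list:
    """Parse an MHT (MIME HTML) attachment and return every href target that points
    at an archive. MHT is plain MIME, so the stdlib email parser handles it, including
    the quoted-printable encoding that stores '=' as '=3D' in the raw file."""
    msg = email.message_from_bytes(mht_bytes, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # transfer encoding and charset are undone here
        for url in HREF_RE.findall(html):
            path = url.lower().split("?", 1)[0]
            if path.endswith(ARCHIVE_EXTS):
                found.append(url)
    return found


def is_pe_disguised_as_gzip(filename: str, data: bytes) -> bool:
    """True when a file named like a gzip archive carries a PE header instead of gzip magic."""
    if not filename.lower().endswith((".gz", ".tgz")):
        return False
    return data.startswith(PE_MAGIC) and not data.startswith(GZIP_MAGIC)


# Constructed sample MHT: one quoted-printable HTML part with a link to a .zip
# archive and one benign link. Hostnames use the reserved .invalid TLD.
SAMPLE_MHT = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_Part_1"

------=_Part_1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body><a href=3D"http://example.invalid/statement.zip">View</a>
<a href=3D"https://example.invalid/help.html">Help</a></body></html>
------=_Part_1--
"""

# Constructed second-stage downloads: one real gzip stream, one PE mislabelled .tar.gz.
SAMPLE_DOWNLOADS = {
    "plugin1.tar.gz": b"\x1f\x8b\x08\x00" + b"\x00" * 28,
    "plugin2.tar.gz": b"MZ\x90\x00\x03\x00" + b"\x00" * 26,
}


def flagged_downloads() -> list:
    """Names of sample downloads whose content contradicts their .tar.gz extension."""
    return sorted(n for n, d in SAMPLE_DOWNLOADS.items() if is_pe_disguised_as_gzip(n, d))


if __name__ == "__main__":
    print("archive links:", archive_links_in_mht(SAMPLE_MHT))
    print("PE disguised as gzip:", flagged_downloads())
```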

New malware variants are sprouting

Only recently, researchers from Google discovered a Linux-based strain of another prevalent malware, Winnti, which was attributed to a high-value attack on a Vietnamese gaming company by Chinese hackers a few years back.

The discovery was made by researchers at Chronicle, Alphabet’s cybersecurity division. The researchers revealed that they found a Linux variant of the Winnti malware that works as a backdoor on infected hosts, granting attackers access to compromised systems.

According to Chronicle, the malware comes in two parts: a rootkit to hide the malware on the infected host and the actual backdoor Trojan. Further analysis showed that the Linux variant bears a lot of similarities to the malware’s Windows version. Another connection with the Windows version is the similar way in which the Linux variant handles outbound communications with its command-and-control (C&C) server, using a mixture of multiple protocols (ICMP, HTTP, and custom TCP and UDP protocols).


‘Pavlok’ SmartTech Bracelet Stops Bad Habits With Electric Shocks


Photo: Fitnish Media | Unsplash.com

Studies suggest that it takes 21 days to make or break a habit. The truth is, it’s not the longevity that most people struggle with but the consistency. Enter Pavlok, a wearable device that uses aversive conditioning, a kind of negative reinforcement, to keep you from your bad habits; it is now available on Amazon.

How does it work?

Pavlok is made of two parts: a one-size-fits-all wristband and an app that is available on Android and iOS. The band uses electric shocks, ranging from low to high settings, to deliver a negative stimulus when you engage in your bad habits. It is the digital form of snapping your wrist with a rubber band when you bite your nails or sneak a quick cigarette break.

According to its Amazon webpage, Pavlok has sold more than 50,000 units since its official launch in 2015. Behavioral Technology Group Inc., the company responsible for the product, has since released two versions of Pavlok. It has also released a new product called Shock Clock, an alarm clock that zaps its user awake.

History of Pavlok

Maneesh Sethi, the CEO and founder of Behavioral Technology Group, Inc., says he got the idea for Pavlok from an experiment he ran back in 2014. He shared in a blog post that he hired a girl from Craigslist to slap him whenever he went on Facebook. Based on his experiment, he increased his productivity and concluded that aversive conditioning worked for him.

In 2014, Sethi put Pavlok on the crowdfunding website Indiegogo to fund an initial prototype. The campaign set a goal of $50,000 and walked away with more than $250,000 from a total of 1,763 backers.

Despite its success in crowdfunding, Pavlok’s popularity soared only on May 20, 2016, when it was featured on the last episode of Shark Tank’s season 7. Sethi refused Kevin O’Leary’s offer because he did not want to work with him. Even though Sethi’s appearance on the popular show went awry, he continued working on his digital aversive conditioning technique.

Mixed Reviews

Users on Amazon and blogs have given mixed reviews to this unconventional wearable. Testimonials on Pavlok’s website boast success in breaking bad habits like nail biting, cookie addiction, and eating too many sugary snacks.

While some swear by the results, others felt that Pavlok fell short of expectations. With Pavlok 1, users have to zap themselves manually when they engage in a bad habit. Users reported that after some time, they learned to ignore the electric shocks or forgot to zap themselves.

As an improvement, Pavlok added a feature that allows your friends to zap you when they catch you red-handed. It also integrated IFTTT, which lets users set conditions for when they will receive their shocks. For example, if you are trying to break a nail-biting habit, you can configure Pavlok to zap you when you lift your hand to your mouth. Of course, this only works when you use the hand wearing the Pavlok device.

Future of Wearable Tech

Pavlok is just one of hundreds of wearable devices designed to improve users’ quality of life. Apple is set to release Apple Watch OS 6, which includes a menstrual cycle tracker. It is a much-awaited update after the launch of Apple Watch Series 4 in September 2018.

Starkey, a company focused on producing hearing aids, launched Livio AI last year as well. It is a hearing aid marketed for people who do not need any hearing aids. It features integrated sensors to detect noisy environments and reduce them, thereby lessening the user’s exposure to noise pollution. It also boasts a near-perfect language translation app that lets you understand 27 languages.

With the rise in popularity of these products, wearable tech has a bright future.
