Over the past year, a known cyberespionage group from China has been targeting satellite communications companies, telecom operators and defense firms from the United States and Southeast Asia.
The group, tracked as Thrip by researchers from Symantec, has been operating since 2013 and uses a combination of custom-made malware. In its latest attacks, however, it also began abusing popular system administration tools, including PowerShell, PsExec, WinSCP, LogMeIn and Mimikatz, to perform lateral movement, a tactic known in the security industry as “living off the land.”
In fact, it was the group’s use of PsExec, a Microsoft Sysinternals utility, inside the network of a large telecom operator from Southeast Asia in January that raised an alert in a Symantec product that uses machine learning to discover threats.
The subsequent investigation led to the uncovering of additional victims that had been compromised by the group since last year, including a satellite communications operator, an organization involved in geospatial imaging and mapping, two other telecom firms and a defense contractor.
The attackers seemed particularly interested in the operational side of the companies, targeting systems that are used to monitor and control satellites or that run specialized software including MapXtreme GIS (Geographic Information System), Google Earth server and Garmin imaging software.
“This suggests to us that Thrip’s motives go beyond spying and may also include disruption,” the Symantec researchers warned in a blog post.
In the case of telecom operators, evidence also suggests the attackers were not interested in their customers, but in the companies themselves.
While investigating the latest attacks, the Symantec researchers discovered a new version of Rikamanu, a custom Trojan program associated with the group, that can steal credentials and other information from infected computers.
The researchers also found a completely new malware program they dubbed Infostealer.Catchamas, which is based on Rikamanu but has additional features and capabilities including the ability to steal information from the latest browsers.
Other malware programs associated with Thrip’s past activity but not seen in the latest attacks are a keylogger called Mycicil, a backdoor program called Spedear and another Trojan known as Syndicasec.
“From the initial alert triggered by TAA, we were able to follow a trail that eventually enabled us to see the bigger picture of a cyber espionage campaign originating from computers within China and targeting multiple organizations in the U.S. and Southeast Asia,” the Symantec researchers concluded. “Espionage is the group’s likely motive but given its interest in compromising operational systems, it could also adopt a more aggressive, disruptive stance should it choose to do so.”
Critical Vulnerabilities Patched in Industrial Ethernet Switches
Four serious vulnerabilities were found and patched in industrial Ethernet switches made by Phoenix Contact, an electrical engineering and automation company. If left unpatched, some of the flaws could allow attackers to execute malicious commands and code on the networking devices, which are used in facilities from various industries.
The most serious vulnerability is tracked as CVE-2018-10730 and has a CVSS score of 9.1 out of 10, according to researchers from Positive Technologies, who found the flaws. By exploiting this vulnerability, attackers could execute rogue commands on the switches, including a command to disconnect all devices, which would cause disruptions on industrial networks.
Another vulnerability, CVE-2018-10731 (CVSS 9.0), allows unauthorized access to OS files on the switches, while a third flaw, CVE-2018-10728 (CVSS 8.1), can be exploited to execute arbitrary code, cause a denial of service, or disable the web and telnet services. The fourth vulnerability, CVE-2018-10729 (CVSS 5.3), allows attackers to read the configuration files of the affected switches.
The flaws affect FL SWITCH models 3xxx, 4xxx and 48xx. Phoenix Contact has released firmware version 1.34 to fix the vulnerabilities, so users are advised to update the firmware on their devices as soon as possible.