simslegacy.bsky.social

Congrats! I love to read 💖 What sort of stuff are you in to? I'm reading a really fun cozy mystery series right now if that's your jam; just finished book 7. www.amazon.com/Eastwind-Wit...

1
edulac.bsky.social
idzhang3.bsky.social

Kaspersky reports that the internationally known Chinese hacker groups APT27 and APT31 have launched espionage attacks against the Russian government. Media coverage: www.theregister.com/2024/08/15/s... securelist.ru/eastwind-apt...

0
jbhall56.bsky.social

The Russia-based security biz claimed the malware used in the ongoing, targeted attacks – dubbed EastWind – has links to two China-nexus groups tracked as APT27 and APT31. www.theregister.com/2024/08/15/s...

China-linked cyber-spies infect Russian govt, IT sector

No, no, go ahead, don't let us stop you, Xi

0
potato.software

'EastWind' Potato-Spy Campaign Combines Various Chinese APT Tools

0
borlingon.bsky.social

1/2 China launched a series of cyberattacks on Russian government organizations and IT companies. Some of the attack methods were previously unknown (meaning new). Is this what a “friendship without limits” looks like? With friends like these, who needs enemies?

Article from 11 August 2024 from BleepingComputer. Headline: Chinese hacking groups target Russian government, IT firms. By Bill Toulas. 

A series of targeted cyberattacks that started at the end of July 2024, targeting dozens of systems used in Russian government organizations and IT companies, are linked to Chinese hackers of the APT31 and APT27 groups.

Kaspersky, who discovered the activity, dubbed the campaign "EastWind," reporting that it employs an updated version of the CloudSorcerer backdoor spotted in a similar cyberespionage campaign from May 2024, also targeting Russian government entities.

It should be noted that the CloudSorcerer activity isn't bound to Russia, as Proofpoint recorded an attack targeting a U.S.-based think tank in May 2024.

https://www.bleepingcomputer.com/news/security/chinese-hacking-groups-target-russian-government-it-firms/amp/
EastWind toolkit

The initial infection relies on phishing emails carrying RAR archive attachments named after the target, which employ DLL side loading to drop a backdoor on the system from Dropbox while opening a document for deception.

The backdoor can navigate the filesystem, execute commands, exfiltrate data, or introduce additional payloads on the compromised machine.
Kaspersky's observations reveal that the attackers used the backdoor to introduce a trojan named 'GrewApacha', which has been associated with APT31.

The most recent variant of GrewApacha features some improvements compared to the last analyzed version from 2023, including using two command servers instead of one, storing their address in a base64-encoded string on GitHub profiles from where the malware reads it.

Another malware loaded by the backdoor is a refreshed version of CloudSorcerer packed with VMProtect for evasion.

CloudSorcerer uses an encryption protection mechanism designed to prevent its execution on non-targeted systems by employing a unique key generation process tied to the victim's machine.

Upon execution, a utility (GetKey.exe) generates a unique four-byte number from the system's current state and encrypts it using the Windows CryptProtectData function to derive a unique, system-bound ciphertext.

If execution of the malware is attempted on any other machine, the generated key will differ, so the CloudSorcerer payload decryption will fail. 

The new version of CloudSorcerer also uses public profile pages to get its initial C2 address but has now switched from GitHub to using Quora and the Russian social media network LiveJournal for this purpose.

The third implant seen in the EastWind attacks, introduced through CloudSorcerer, is PlugY, a previously unknown backdoor.

PlugY features high versatility in its C2 communications and the ability to execute commands for file operations, shell command execution, screen capturing, key-logging, and clipboard monitoring.

Kaspersky's analysis indicates that the code used in PlugY has been previously seen in attacks by the APT27 threat group.

Also, a library used for C2 communications through the UDP protocol is found only in DRBControl and PlugX, which are malware tools extensively used by Chinese threat actors. 

1