In a major cybersecurity incident, a Chinese APT group, APT15, has been spotted hitting a UK government contractor for military and other sensitive documents.
The group is also known as Ke3chang, Mirage, Vixen Panda, GREF and Playful Dragon.
Over the weekend the group was spotted stealing sensitive documents from a government contractor.
The campaign uses a blend of old and new tools: the previously known BS2005 backdoor alongside the newer RoyalCli and RoyalDNS backdoors.
An up-to-date endpoint protection product such as an antivirus raises the bar against these backdoors, but it is not sufficient on its own against a group that deliberately minimises its use of malware. Depending on which OS your device runs, install an antivirus for Windows or an antivirus for Mac as a baseline. If you are a company, hire a professional cybersecurity firm to check your internal network several times per year; these checks should always include a penetration test and other ethical hacking tests.
To deploy and install the backdoors, APT15 created batch scripts that set up its persistence mechanism, which is a simple Windows Run key. APT15 most likely chose this technique to evade behavioral detection.
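As an added example (not code from the original article or from the report it summarises), the following PowerShell audit lists the classic Run and RunOnce autostart keys on a host and flags entries that look like script-based persistence, such as batch files or commands launched from user-writable directories. The key list and the regular expressions are assumptions to tune for your environment, not indicators taken from the incident.

```powershell
# Added example, not from the original article: enumerate Run/RunOnce autostart keys
# and flag entries that resemble script-based persistence. Patterns are assumptions.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Things that deserve a second look: script files and interpreters, user-writable paths.
$SuspiciousPatterns = @(
    '\.bat\b', '\.cmd\b', '\.vbs\b', '\.ps1\b',
    'cmd\.exe\s+/c', 'powershell',
    '\\AppData\\', '\\Temp\\', '\\ProgramData\\', '\\Public\\', '\\Users\\[^\\]+\\Downloads'
)

function Get-RunKeyEntries {
    foreach ($Key in $RunKeys) {
        if (-not (Test-Path $Key)) { continue }
        $Props = Get-ItemProperty -Path $Key
        # Skip PowerShell's own metadata properties (PSPath, PSParentPath, ...).
        foreach ($Prop in ($Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $Value = [string]$Prop.Value
            $Hits  = $SuspiciousPatterns | Where-Object { $Value -match $_ }
            [pscustomobject]@{
                Key        = $Key
                Name       = $Prop.Name
                Command    = $Value
                Suspicious = [bool]$Hits
                Reason     = ($Hits -join ', ')
            }
        }
    }
}

# Print the whole autostart surface, suspicious entries first, so a reviewer sees everything.
Get-RunKeyEntries | Sort-Object -Property Suspicious -Descending |
    Format-Table -AutoSize -Wrap Key, Name, Command, Suspicious, Reason
```

HKCU only covers the account running the script; to review other users' persistence, iterate the loaded hives under `Registry::HKEY_USERS` with the same key paths. Run keys are only one autostart location, so treat this as a starting point rather than a complete persistence check.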
During the incident, we detected various tools: a network scanning/enumeration tool, the archiving tool WinRAR and a bespoke Microsoft SharePoint enumeration and data-dumping tool known as ‘spwebmember’.
The open source utility Mimikatz is also used by APT15 to dump credentials and generate Kerberos golden tickets, which allow the group to remain in the network in the event of password resets and other remediation activity.
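A golden ticket is a TGT forged with the krbtgt account's key, which is why it survives ordinary user password resets; it is only invalidated by resetting the krbtgt password twice, with time for replication between the two resets. As an added example (not from the original article), this PowerShell check reports the age of the krbtgt password using the built-in ADSI searcher, so it runs from any domain-joined host without the RSAT AD module. The 180-day threshold is an assumed policy value, not something the report states.

```powershell
# Added example, not from the original article: report the krbtgt password age.
# Uses the built-in [adsisearcher] so no RSAT module is required.

$MaxAgeDays = 180   # assumed policy threshold, tune to your own

function Get-KrbtgtPasswordAge {
    $Searcher = [adsisearcher]'(sAMAccountName=krbtgt)'
    $Searcher.PropertiesToLoad.AddRange([string[]]@('pwdlastset', 'distinguishedname'))
    $Result = $Searcher.FindOne()
    if (-not $Result) { throw 'krbtgt account not found; is this host domain-joined?' }

    # pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01, UTC).
    $LastSet = [DateTime]::FromFileTimeUtc([int64]$Result.Properties['pwdlastset'][0])
    [pscustomobject]@{
        Account     = [string]$Result.Properties['distinguishedname'][0]
        PasswordSet = $LastSet
        AgeDays     = [int]((Get-Date).ToUniversalTime() - $LastSet).TotalDays
    }
}

$Krbtgt = Get-KrbtgtPasswordAge
$Krbtgt | Format-List

if ($Krbtgt.AgeDays -gt $MaxAgeDays) {
    Write-Warning "krbtgt password is $($Krbtgt.AgeDays) days old; plan a double reset with replication time between the two resets."
}
```

After a confirmed credential dump, a double krbtgt reset is the remediation that actually evicts forged TGTs; resetting user and service account passwords alone leaves a golden ticket valid.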
The group is highly persistent, which points to a state-sponsored entity.
They put great effort into minimising their use of malware in order to remain undetected.
APT15 prefers to ‘live off the land’ and to move laterally with built-in tooling. Its reconnaissance and enumeration are done with Windows commands such as tasklist.exe, ping.exe, netstat.exe, net.exe, systeminfo.exe, ipconfig.exe and bcp.exe.
“Lateral movement is conducted by a combination of net command, mounting the C$ share of hosts and manually copying files to or from compromised hosts.”
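As an added example covering both the reconnaissance commands and the C$ lateral movement described above (not code from the original article or the report it summarises), the following PowerShell hunts the Security event log for two things: the listed built-in binaries being run (event 4688, process creation) and access to administrative shares such as C$ (event 5140, network share object accessed). It assumes that process creation auditing with command-line logging and File Share auditing are enabled, since both are off by default, and that it is run elevated. The 24-hour look-back, the four-binary threshold and the ten-minute window are assumptions.

```powershell
# Added example, not from the original article: hunt 4688/5140 events for
# living-off-the-land reconnaissance and administrative share access.

$Since = (Get-Date).AddHours(-24)   # look-back window, an assumption

# Binaries the article lists as used for enumeration (net1.exe is what net.exe actually runs).
$ReconBinaries = 'tasklist.exe', 'ping.exe', 'netstat.exe', 'net.exe', 'net1.exe',
                 'systeminfo.exe', 'ipconfig.exe', 'bcp.exe'

# Turn one Security event into a hashtable of its EventData fields keyed by name.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $Xml = [xml]$Event.ToXml()
    $Fields = @{}
    foreach ($Node in $Xml.Event.EventData.Data) { $Fields[$Node.Name] = $Node.'#text' }
    $Fields
}

function Get-ReconProcessEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $F = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $F['SubjectUserName']
                Parent      = $F['ParentProcessName']
                Process     = $F['NewProcessName']
                CommandLine = $F['CommandLine']   # empty unless command-line auditing is on
            }
        } |
        Where-Object { $ReconBinaries -contains [IO.Path]::GetFileName([string]$_.Process) }
}

function Get-AdminShareAccessEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $F = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = $F['SubjectUserName']
                SourceIP = $F['IpAddress']
                Share    = $F['ShareName']        # e.g. \\*\C$
            }
        } |
        Where-Object { $_.Share -match '\\[A-Za-z]\$$|\\ADMIN\$$' }
}

# One ipconfig is noise; several different enumeration binaries from one account in a
# short window is the hands-on-keyboard pattern worth escalating.
function Find-ReconBursts {
    param([int]$MinDistinct = 4, [int]$WindowMinutes = 10)
    Get-ReconProcessEvents | Group-Object User | ForEach-Object {
        $Group  = $_
        $Events = @($Group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $Events.Count; $i++) {
            $End   = $Events[$i].Time.AddMinutes($WindowMinutes)
            $Burst = @($Events | Where-Object { $_.Time -ge $Events[$i].Time -and $_.Time -le $End })
            $Names = @($Burst | ForEach-Object { [IO.Path]::GetFileName([string]$_.Process) } | Sort-Object -Unique)
            if ($Names.Count -ge $MinDistinct) {
                [pscustomobject]@{
                    User     = $Group.Name
                    Start    = $Events[$i].Time
                    Binaries = ($Names -join ', ')
                    Events   = $Burst.Count
                }
                break   # one finding per user is enough to trigger review
            }
        }
    }
}

Find-ReconBursts           | Format-Table -AutoSize -Wrap
Get-AdminShareAccessEvents | Format-Table -AutoSize
```

Administrators legitimately run these commands and mount C$, so the value is in the correlation: a burst of distinct enumeration binaries, followed by 5140 admin-share access from the same account against hosts it does not normally touch. The same logic applies to Sysmon event 1 if you collect that instead of 4688.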
These tactics rely on legitimate Windows binaries rather than malware, so signature-based antivirus alone is unlikely to flag them; detecting them depends on process creation and command-line auditing, share access logging and regular review of autostart entries. Antivirus remains a baseline, so install an antivirus for Windows or an antivirus for Mac depending on which OS your device runs. Companies should also have their networks tested at least twice a year by professionals, including a penetration test and other ethical hacking tests.