Grayfly campaigns have released the novel malware against firms in Taiwan, Vietnam, the US and Mexico and are focusing on Exchange and MySQL servers.
The novel backdoor approach referred to as SideWalk, seen in campaigns targeting US media and merchants late very last thirty day period, has been tied to an adversary that is been all around for very a while: specifically, China-linked Grayfly espionage team.
ESET scientists, who named and discovered the new “SparklingGoblin” state-of-the-art persistent danger (APT) actor at the rear of SideWalk, described at the time that the group is an offshoot of one more APT – Winnti Group – 1st identified in 2013 by Kaspersky.
ESET also stated that the SideWalk backdoor is related to 1 made use of by Winnti (aka APT41, Barium, Wicked Panda or Wicked Spider, an APT acknowledged for country condition-backed cyberespionage and economical cybercrime) called CrossWalk (Backdoor.Motnug). Both CrossWalk and SideWalk are modular backdoors used to exfiltrate method info and can operate shellcode sent by the command-and-control (C2) server.
According to a report released by Symantec on Thursday, the SideWalk malware has been deployed in modern Grayfly campaigns in opposition to companies in Taiwan, Vietnam, the US and Mexico. Symantec’s Danger Hunter Group has observed current campaigns that have associated exploits targeting Exchange and MySQL servers.
Other than attacking organizations in the IT, media and finance sectors, the team also has zeroed in on the telecoms sector, according to the report.
Indicted but Undeterred
The US indicted various users of APT41 in September 2020, all of them Chinese residents and nationals. A Federal grand jury billed them with pulling off dozens of crimes, including allegedly facilitating ” the theft of source code, program code-signing certificates, purchaser-account facts and worthwhile small business information,” which in switch “facilitated other prison strategies, like ransomware and cryptojacking.”
As the Division of Justice (DOJ) mentioned at the time, just one of the defendants – Jiang Lizhi – allegedly bragged about getting a “working relationship” with the Chinese Ministry of Point out Security: a marriage that would give him and his alleged co-conspirators a diploma of state defense.
In accordance to Symantec scientists, the SideWalk campaign indicates that the arrests and the publicity can not have produced significantly of a dent in the group’s activity.
You may possibly know Grayfly superior by its also-recognized-as’s, which include GREF and Wicked Panda. Symantec mentioned that even however the Grayfly APT is from time to time labeled APT41, its scientists look at Grayfly to be a distinct arm of APT41 that’s devoted to espionage. This is comparable to how Symantec independently tracks other sub-groups of APT41, this kind of as Blackfly, the APT’s cybercrime arm.
Grayfly, a qualified attack team, has been all-around due to the fact at least March 2017, employing the CrossWalk/Backdoor.Motnug (aka TOMMYGUN) backdoor. The group has also wielded a custom made loader referred to as Trojan.Chattak, Cobalt Strike (aka Trojan.Agentemis, the respectable, commercially out there software utilized by network penetration testers and, more and more, by crooks) and ancillary equipment in its attacks.
Scientists have observed Grayfly concentrating on a selection of nations in Asia, Europe, and North The united states across a wide variety of industries, including food items, fiscal, health care, hospitality, manufacturing and telecommunications. Lately, it is ongoing to torment telecoms, but it is also been heading soon after the media, finance and IT service vendors.
Grayfly’s regular modus operandi is to goal publicly experiencing web servers to put in web shells for original intrusion before spreading additional in the network, Symantec claimed. Immediately after it has penetrated a network, Grayfly then may well install its personalized backdoors on to far more methods. That presents the operators distant obtain to the network and proxy connections that permit them to access really hard-to-reach segments of a target’s network, according to the writeup.
Strolling the Slippery SideWalk
Symantec scientists noticed that in the current SideWalk campaign, Grayfly appeared to be especially interested in attacking uncovered Microsoft Trade or MySQL servers, suggesting that “the initial vector may possibly be the exploit of multiple vulnerabilities in opposition to public-going through servers.”
In reality, the Cybersecurity & Infrastructure Security Agency (CISA) a short while ago set out an urgent notify about a surge in ProxyShell attacks, as attackers launched 140 web shells in opposition to 1,900 unpatched Microsoft Exchange servers. Security researchers at Huntress claimed viewing ProxyShell vulnerabilities getting actively exploited through the thirty day period of August to set up backdoor access as soon as the ProxyShell exploit code was revealed on Aug. 6: A number of weeks later on, the surge strike.
In at minimum just one of the SideWalk attacks that Symantec scientists observed, the suspicious Trade action was adopted by PowerShell commands utilized to install an unidentified web shell. That may perhaps seem familiar, supplied that 1 of the vulnerabilities Huntress described past thirty day period was CVE-2021-34523: a bug that allows destructive actors to execute arbitrary code post-authentication on Microsoft Trade servers owing to a flaw in the PowerShell assistance not properly validating accessibility tokens.
The Grayfly attackers executed the malicious SideWalk backdoor following the web shell was installed. Then, they deployed a tailor-designed model of the open-resource, credential-dumping software Mimikatz that Symantec claimed has been made use of in before Grayfly attacks. Symantec’s report does a deep dive on the technological details, which include indicators of compromise.
Expect much more to occur, researchers said, considering that this fly isn’t likely to excitement off: “Grayfly is a able actor, very likely to go on to pose a risk to corporations in Asia and Europe across a range of industries, such as telecommunications, finance, and media. It is likely this group will proceed to establish and make improvements to its personalized equipment to enrich evasion ways along with applying commodity equipment these as publicly accessible exploits and web shells to aid in their attacks.”
It’s time to evolve menace looking into a pursuit of adversaries. Sign up for Threatpost and Cybersixgill for Threat Looking to Catch Adversaries, Not Just Halt Attacks and get a guided tour of the dark web and understand how to observe danger actors right before their following attack. Sign up NOW for the Reside discussion on September 22 at 2 PM EST with Cybersixgill’s Sumukh Tendulkar and Edan Cohen, alongside with researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.
Some elements of this write-up are sourced from: