June 17, 2024 at 08:30AM
A suspected China-linked cyber espionage actor maintained a prolonged, roughly three-year intrusion into an East Asian organization, using legacy F5 BIG-IP appliances for internal command-and-control. Sygnia, which tracks the actor as Velvet Ant, described it as sophisticated and innovative; the intrusion relied on PlugX delivered through DLL side-loading, disabled endpoint security software, and leveraged out-of-date F5 devices as a covert channel.
Key takeaways from the meeting notes include the following:
1. A China-nexus cyber espionage actor, identified as “Velvet Ant,” has been conducting a prolonged attack against an unnamed organization in East Asia for about three years. They have utilized legacy F5 BIG-IP appliances as a command-and-control (C&C) for defense evasion purposes.
2. Cybersecurity company Sygnia has been tracking the activity of Velvet Ant and has characterized it as a sophisticated and innovative threat actor with robust capabilities for pivoting and adapting its tactics to counter remediation efforts.
3. The attack chains involve the use of a known backdoor called PlugX, which is a modular remote access trojan (RAT) widely used by espionage operators with ties to Chinese interests.
4. Sygnia has identified attempts by the threat actor to disable endpoint security software prior to installing PlugX, as well as the use of open-source tools like Impacket for lateral movement.
5. A reworked variant of PlugX has been deployed within the network, using an internal file server for C&C to blend in with legitimate network activity, and abusing out-of-date F5 BIG-IP devices as a covert channel to communicate with the external C&C server.
6. Forensic analysis of the hacked F5 devices has uncovered the presence of a tool named PMCD that polls the threat actor’s C&C server every 60 minutes to look for commands to execute, as well as additional programs for capturing network packets and a SOCKS tunneling utility dubbed EarthWorm.
7. The exact initial access vector used to breach the target environment is currently not known.
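The one concrete network behaviour the report gives defenders is the PMCD polling cadence: the implant on the F5 device reaches out to its C&C every 60 minutes. Regular, low-jitter outbound connections from an appliance that should have no reason to poll the internet are detectable in firewall or flow logs. The script below is an added example, not code from Sygnia or from the report; it assumes a simple constructed log format (`timestamp src dst dport`), and the IP addresses, interval and jitter threshold are illustrative values chosen here, not indicators from the page.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not from the Sygnia report).
# Format assumed here: "<ISO-8601 timestamp> <src ip> <dst ip> <dst port>".
# 10.10.5.20 stands in for an appliance management interface; the two
# destinations are documentation-range addresses, not real indicators.
SAMPLE_LOGS = """
2024-06-01T00:02:11Z 10.10.5.20 203.0.113.45 443
2024-06-01T00:15:40Z 10.10.5.20 198.51.100.7 443
2024-06-01T01:02:09Z 10.10.5.20 203.0.113.45 443
2024-06-01T02:02:14Z 10.10.5.20 203.0.113.45 443
2024-06-01T02:48:03Z 10.10.5.20 198.51.100.7 443
2024-06-01T03:02:10Z 10.10.5.20 203.0.113.45 443
2024-06-01T04:02:12Z 10.10.5.20 203.0.113.45 443
2024-06-01T05:02:08Z 10.10.5.20 203.0.113.45 443
2024-06-01T05:33:57Z 10.10.5.20 198.51.100.7 443
"""


def parse_logs(text):
    """Group connection timestamps by (src, dst, dport) flow key."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        flows[(src, dst, int(dport))].append(t)
    return flows


def find_beacons(flows, min_events=4, max_jitter_ratio=0.05):
    """Flag flows whose inter-connection gaps are nearly constant.

    jitter = stdev(gaps) / mean(gaps); a scheduled poller (such as the
    60-minute PMCD cadence described in the report) has a jitter close to 0,
    while human-driven or event-driven traffic has large, irregular gaps.
    """
    results = []
    for key, times in flows.items():
        times = sorted(times)
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter_ratio:
            results.append({
                "flow": key,
                "interval_min": round(mean_gap / 60),
                "jitter": round(jitter, 4),
                "events": len(times),
            })
    return results


def main():
    for hit in find_beacons(parse_logs(SAMPLE_LOGS)):
        src, dst, dport = hit["flow"]
        print(f"beacon candidate: {src} -> {dst}:{dport} "
              f"every ~{hit['interval_min']} min "
              f"(jitter {hit['jitter']}, {hit['events']} events)")


if __name__ == "__main__":
    main()
```

Run against real exports, the useful filter is the source: restrict the input to addresses belonging to appliances (load balancers, VPN gateways, firewalls) whose management plane should never originate periodic internet traffic, and treat any low-jitter hit from those sources as worth a look regardless of destination reputation.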
Additionally, the meeting notes mention the emergence of new China-linked clusters tracked as Unfading Sea Haze, Operation Diplomatic Specter, and Operation Crimson Palace, which have been observed targeting Asia with the goal of gathering sensitive information.