Chinese Intruders Penetrate an East Asian Business for 3 Years by Employing F5 Devices


Chinese Intruders Penetrate an East Asian Business for 3 Years by Employing F5 Devices

A cyberespionage actor with a suspected connection to China has been identified as the perpetrator of a long-term assault against an unidentified company located in East Asia. The attack lasted for approximately three years, during which time the adversary established persistence by utilizing legacy F5 BIG-IP appliances and utilized it as an inner command-and-control (C&C) for the purpose of defense evasion.

Velvet Ant is the name of the activity that is being tracked by the cybersecurity company Sygnia, which reacted to the incursion in late 2023. Velvet Ant is characterized as having a substantial capacity to quickly pivot and modify their methods to counter-remediation attempts.

“Velvet Ant is a skilled and creative threat actor,” the Israeli company stated in a technical assessment that was handed over to  News4Hackers. “They gathered confidential data over an extended duration of time, concentrating on client and financial details.”

PlugX, also known as Korplug, is a modular remote access trojan (RAT) that has been frequently used by espionage operators with ties to Chinese interests.  The attack chains entail the usage of a known backdoor that is known as PlugX. It is well known that PlugX relies significantly on a method known as DLL side-loading in order to penetrate connected devices.

In addition, Sygnia stated that it discovered attempts made by the threat actor to disable endpoint security software prior to installing PlugX. Additionally, it discovered that open-source tools like Impacket were utilized for lateral movement.

Additionally, as part of the incident response and cleanup efforts, a modified variation of PlugX was discovered. This variant utilized an internal file server for command and control, which enabled the malicious traffic to blend in with regular network activity.

“This indicated that a malicious threat actor installed two versions of PlugX within the network,” the business stated in its announcement. “The initial version, which was deployed on endpoints that had direct internet connectivity and was configured with an external command and control server, made it easier to steal important information. The second version did not have a command and control configuration, and it was only installed on older servers.”

In particular, it was discovered that the second variant had exploited outdated F5 BIG-IP devices as a covert channel to communicate with the external command and control server. This was accomplished by issuing commands through a reverse SSH tunnel. This exemplifies, once more, how compromising edge appliances can enable threat actors to gain persistence for extended periods of time.

“There is simply one element that is needed for an extensive exploitation scenario to take place, and that is a vulnerable edge service, meaning a piece of software that is accessible from the internet,” According to a recent analysis conducted by WithSecure.

“Equipment like these are frequently designed to make an existing network safer, but yet time and again flaws have been found in these gadgets and abused by intruders, offering a perfect foothold in a target network.”

Subsequent forensic analysis of the hacked F5 devices has also revealed the presence of a tool known as PMCD, which polls the command and control server of the threat actor every sixty minutes in order to search for commands to execute. Additionally, additional programs for capturing network packets and a SOCKS tunneling utility known as EarthWorm, which has been utilized by actors such as Gelsemium and Lucky Mouse, have also been discovered.

The precise first access vector that was utilized to infiltrate the target environment is presently unknown. This could be spear-phishing or the exploitation of known security holes in systems that are open to the internet.

The revelation comes as a result of the appearance of new China-linked clusters that have been tracked as Unfading Sea Haze, Operation Diplomatic Specter, and Operation Crimson Palace. These clusters have been seen targeting Asia with the intention of obtaining sensitive information.

one year cyber security diploma course

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space.  Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM.  Naager entered the field of content in an unusual way.  He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts.  He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field.  In the bottom line, he frequently writes for Craw Security.


DISGOMOJI Malware is Employed by Pakistani Hackers in Indian Government Cyber Attacks

Sleepy Pickle is a Fresh Attack Technique that targets Machine Learning Models

Pune Woman lost ₹1.6 Cr to Cybercriminals Posing as a “National Security Threat”

About Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Open chat
Can we help you?