Suspected Threat Actors: NICKEL (APT15)
The China-based threat actor NICKEL has been observed by the Microsoft Threat Intelligence Center (MSTIC) attacking governmental organizations across various geographies. MSTIC also observed activity in common with other threat-actor groups tracked by the security community as APT15, APT25, and KeChang. The Microsoft Digital Crimes Unit (DCU), following a court order, successfully seized a set of NICKEL-operated websites, which disrupted the group's ongoing attacks targeting organizations in 29 countries. As per the advisory, NICKEL used exploits against vulnerable systems to compromise remote access services and appliances. Upon successful intrusion into a network, the threat actor used credential dumpers and stealers to obtain legitimate credentials, created and deployed custom malware to maintain persistence, and performed frequent, scheduled data collection and exfiltration from victim networks.
As per MSTIC, this NICKEL activity has been observed since at least September 2019 across several countries. Notably, NICKEL was able to achieve long-term access to target networks, which allowed it to perform activities such as regular data exfiltration. Given China’s growing influence across the world, its efforts to maintain bilateral relations, and its pursuit of partnerships in support of its Belt and Road Initiative, the researchers assess that Chinese threat actors will continue to target organizations in the government, diplomatic, and NGO sectors. Such activity gives them new insights in pursuit of objectives such as economic espionage and intelligence gathering.
U.S. Cyber Command demonstrated collective cyber defense capabilities with international partners during the CYBER FLAG 21-1 exercise, which ran from 15 to 20 November 2021 at Joint Base Suffolk in Virginia.
Cyber Command stated that the exercise demonstrated USCYBERCOM’s real-time virtual training environment with 12 countries, including the U.K., Sweden, Canada, Germany, Norway, and France. Germany participated in person while the other foreign countries took part virtually.
During the exercise, participants detected simulated threats and then came up with network hardening approaches.
The Principal Director for cyber policy in the Office of the Secretary of Defense said that threats in the cyber domain have no geographic boundaries, so a cyber threat confronting one country can easily spill into another.
According to a researcher, Chinese hackers, likely state-sponsored, have been extensively targeting government and private-sector organizations across Southeast Asia, including those closely involved with Beijing on infrastructure development projects. Specific targets were the Thai prime minister’s office and the Thai army, the Indonesian and Philippine navies, Vietnam’s national assembly and the central office of its Communist Party, and Malaysia’s Ministry of Defense.
The researcher specified that high-profile military and government organizations in Southeast Asia had been compromised over the last nine months by cybercriminals using custom malware families such as FunnyDream and Chinoxy. These custom malware families are not publicly available but are believed to be used by multiple Chinese state-sponsored groups. The targeting also aligns with the political and economic goals of the Chinese government, bolstering the suspicion that the activity is state sponsored.
China’s Foreign Ministry did not immediately respond to a request for comment on the allegations. Chinese authorities have consistently denied any form of state-sponsored hacking in the past, instead saying China itself is a major target of cyberattacks.
Researchers have recently discovered 14 new types of cross-site data leakage attacks that affect several modern web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Opera, and Tor Browser, among others. Collectively dubbed “XS-Leaks,” these browser bugs enable an attacker-controlled website to harvest sensitive data from its visitors without their knowledge as they interact with other websites in the background. The cross-site bugs stem from side channels built into the web platform that permit an attacker to gather this data from a cross-origin HTTP resource, and they impact an array of popular browsers across different operating systems, including Windows, macOS, Android, and iOS.
As per the research, XS-Leaks are a class of vulnerabilities derived from side channels. They take advantage of the web’s core principle of composability, which allows websites to interact with each other, and abuse legitimate mechanisms to infer information about the user. One way of looking at XS-Leaks is to highlight their similarity to cross-site request forgery (CSRF) techniques, with the main difference being that instead of allowing other websites to perform actions on behalf of a user, XS-Leaks can be used to infer information about a user.
The principle of an XS-Leak is to use such side-channels available on the web to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or internal networks they are connected to.
According to the research, the root cause of most XS-Leaks is inherent to the design of the web. It is challenging to fix the root cause of XS-Leaks at the browser level because in many cases doing so would break existing websites. For this reason, browsers are now implementing various defense mechanisms to overcome these difficulties. Many of these defenses require websites to opt into a more restrictive security model, usually through the use of certain HTTP headers (e.g. Cross-Origin-Opener-Policy: same-origin), which often must be combined to achieve the desired outcome.
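As an added example (not part of the research or of any browser vendor's guidance), the following Node-style JavaScript shows what such an opt-in looks like from the site's side: the combined response headers, plus a Fetch Metadata check on the browser-supplied Sec-Fetch-* request headers that refuses cross-site subresource loads before the application does any work an attacker could observe. The request and response object shapes are assumed for illustration.

```javascript
// Added example (not from the XS-Leaks research or any browser vendor):
// the opt-in, header-based isolation a site deploys to close the
// cross-site side channels described above. Pure functions, no deps.

// Response headers sent on every response; each closes a leak class.
const ISOLATION_HEADERS = {
  // Severs cross-window references (window.opener, frame counting)
  "Cross-Origin-Opener-Policy": "same-origin",
  // Blocks cross-origin <img>/<script>/fetch reads of the resource
  "Cross-Origin-Resource-Policy": "same-origin",
  // Prevents framing, a precondition of many timing and frame leaks
  "X-Frame-Options": "DENY",
  // Stops MIME sniffing so a resource cannot be mis-loaded as a script
  "X-Content-Type-Options": "nosniff",
  // Keeps full URLs (and any state in them) out of cross-site referrers
  "Referrer-Policy": "same-origin",
};

// Fetch Metadata resource-isolation check: from the browser-set
// Sec-Fetch-* request headers decide whether the request may be served.
// Cross-site subresource loads (image, script, fetch, plugin content)
// are refused before the app does any work an attacker could time or
// count. Navigations via GET stay allowed so ordinary links keep working;
// a cross-site framed navigation is then stopped by X-Frame-Options.
function allowRequest(req) {
  const h = req.headers;
  const site = h["sec-fetch-site"];
  // Header absent: legacy browser, nothing to decide on; treat as allowed
  if (site === undefined) return true;
  if (site === "same-origin" || site === "same-site" || site === "none") {
    return true;
  }
  const isNavigation = h["sec-fetch-mode"] === "navigate";
  const isPlugin = ["object", "embed"].includes(h["sec-fetch-dest"]);
  return isNavigation && req.method === "GET" && !isPlugin;
}

// Minimal handler model: returns what a real HTTP handler would send.
// `req` is {method, headers} with lowercase header names, as Node gives.
function respond(req) {
  const headers = { ...ISOLATION_HEADERS };
  if (!allowRequest(req)) {
    return { status: 403, headers, body: "cross-site request refused" };
  }
  return { status: 200, headers, body: "ok" };
}
```

Sites that rely on legitimate cross-site embedding (public images, CORS APIs) would carve out those paths explicitly rather than apply the policy globally.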
Active Attacks on Another Zoho ManageEngine Product
The vulnerability, tracked as CVE-2021-44515, is an authentication bypass vulnerability that could lead to arbitrary code execution on the Desktop Central MSP server. As per the advisory published by Zoho: “If exploited, the attackers can gain unauthorized access to the product by sending a specially crafted request leading to remote code execution”. Zoho disclosed that indications of exploitation of this vulnerability have been noticed, and strongly advises customers to update their installations to the latest build as soon as possible.
With this development, CVE-2021-44515 joins two other vulnerabilities, CVE-2021-44077 and CVE-2021-40539, in the attackers’ arsenal; both have been reported to be weaponized to compromise corporate networks across the world.
Surprisingly, as per researchers, despite the active exploitation, no PoC had been made publicly available as of December 6th.
However, researchers suspect attackers may have created their own PoC. A similar case was noticed with another authentication bypass vulnerability in ManageEngine ServiceDesk Plus, tracked as CVE-2021-44077, which was linked to an APT group that has been leveraging vulnerabilities in different ManageEngine solutions over the last five months.