<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: ZeroSecurity</title>
    <description>The latest articles on DEV Community by ZeroSecurity (@zerosecurity).</description>
    <link>https://dev.to/zerosecurity</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F962665%2F214c7bda-b514-420b-ba74-947c1d694e2e.jpg</url>
      <title>DEV Community: ZeroSecurity</title>
      <link>https://dev.to/zerosecurity</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/zerosecurity"/>
    <language>en</language>
    <item>
      <title>Chinese Cyber Espionage Reaches New Heights: US Internet Providers Compromised</title>
      <dc:creator>ZeroSecurity</dc:creator>
      <pubDate>Tue, 03 Sep 2024 10:22:33 +0000</pubDate>
      <link>https://dev.to/zerosecurity/chinese-cyber-espionage-reaches-new-heights-us-internet-providers-compromised-3272</link>
      <guid>https://dev.to/zerosecurity/chinese-cyber-espionage-reaches-new-heights-us-internet-providers-compromised-3272</guid>
      <description>&lt;p&gt;Chinese state-sponsored hackers have successfully infiltrated several major American internet service providers (ISPs) &lt;a href="https://zerosecurity.org/2024/09/chinese-hackers-exploit-software-vulnerability-hack-u-s-internet-service-providers/" rel="noopener noreferrer"&gt;in recent months&lt;/a&gt;. This sophisticated campaign has granted the attackers unprecedented access to networks serving millions of customers, including potentially sensitive government and military personnel.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Scale and Sophistication of the Attacks
&lt;/h2&gt;

&lt;p&gt;Security experts and government officials familiar with the ongoing situation describe these intrusions as exceptionally aggressive and technically advanced. The hackers have managed to penetrate at least two large US providers and several smaller ones, demonstrating a significant escalation in China's cyber capabilities.&lt;/p&gt;

&lt;p&gt;Brandon Wales, who recently held the position of executive director at the Cybersecurity and Infrastructure Security Agency (CISA), emphasized the gravity of the situation. "What we're seeing from China now is business as usual, but on a dramatically larger scale. The threat has increased by an order of magnitude," Wales stated.&lt;/p&gt;

&lt;h2&gt;
  
  
  Targeting High-Value Information
&lt;/h2&gt;

&lt;p&gt;The choice of targets suggests a clear strategic focus. By compromising ISPs, the attackers gain access to a wealth of data flowing through these networks. Of particular concern is the potential surveillance of government employees, undercover operatives, and other groups of interest to Chinese intelligence services.&lt;/p&gt;

&lt;p&gt;Mike Horka, a former FBI agent now working as a researcher at Lumen Technologies, noted the significance of this access. "This represents a privileged, high-level connection to interesting customers," Horka explained. He also pointed out that the hackers were willing to expend valuable zero-day vulnerabilities in these attacks, underscoring the importance of the operation to Chinese interests.&lt;/p&gt;

&lt;h2&gt;
  
  
  Advanced Techniques and Possible Connections
&lt;/h2&gt;

&lt;p&gt;The methods employed in these intrusions share similarities with those attributed to a notorious Chinese hacking group known as Volt Typhoon. This group has previously targeted critical infrastructure, including Pacific ports, raising concerns about China's ability to disrupt US military logistics in a potential conflict scenario.&lt;/p&gt;

&lt;p&gt;One particularly sophisticated technique involved the exploitation of a previously unknown vulnerability in network management software from Versa Networks. This allowed the attackers to plant malware capable of intercepting user passwords within compromised ISP routers.&lt;/p&gt;

&lt;p&gt;In a separate but related campaign, another Chinese state-sponsored group demonstrated the ability to manipulate Domain Name System (DNS) records within a compromised ISP. This powerful technique can be used to redirect users to malicious sites or insert backdoors for ongoing surveillance.&lt;/p&gt;

&lt;h2&gt;
  
  
  Broader Implications and Ongoing Threats
&lt;/h2&gt;

&lt;p&gt;The breach of multiple ISPs represents a significant escalation in the cyber threat landscape. It provides potential avenues for widespread data collection, targeted surveillance, and even the possibility of disruptive attacks on critical infrastructure.&lt;/p&gt;

&lt;p&gt;US cybersecurity officials, including former NSA director Gen. Paul Nakasone, have expressed ongoing concern about the activities of groups like Volt Typhoon. &lt;/p&gt;

&lt;p&gt;The focus on gaining access for potential physical sabotage is particularly alarming, as it goes beyond traditional espionage into the realm of preparing for potential kinetic conflict.&lt;/p&gt;

&lt;h2&gt;
  
  
  Chinese Response and Denial
&lt;/h2&gt;

&lt;p&gt;The Chinese Embassy in Washington has vehemently denied these accusations.&lt;/p&gt;

&lt;p&gt;In a statement, they claimed that "Volt Typhoon" is actually an independent ransomware group, not a state-sponsored entity. The embassy further alleged that US intelligence agencies and cybersecurity firms might be fabricating evidence to secure increased funding and contracts.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>China-Linked APT Group Velvet Ant Exploits Cisco Zero-Day (CVE-2024-20399) Vulnerability</title>
      <dc:creator>ZeroSecurity</dc:creator>
      <pubDate>Sat, 24 Aug 2024 05:04:26 +0000</pubDate>
      <link>https://dev.to/zerosecurity/china-linked-apt-group-velvet-ant-exploits-cisco-zero-day-cve-2024-20399-vulnerability-2bl5</link>
      <guid>https://dev.to/zerosecurity/china-linked-apt-group-velvet-ant-exploits-cisco-zero-day-cve-2024-20399-vulnerability-2bl5</guid>
      <description>&lt;p&gt;Cybersecurity researchers at Sygnia have discovered that the China-linked Advanced Persistent Threat (APT) group known as Velvet Ant has successfully exploited a recently disclosed zero-day vulnerability in Cisco switches to compromise network appliances.&lt;br&gt;
The Zero-Day Vulnerability: CVE-2024-20399&lt;/p&gt;

&lt;p&gt;In July 2024, Cisco addressed a critical security flaw, &lt;a href="https://zerosecurity.org/2024/08/china-linked-apt-group-velvet-ant-exploits-cisco-zero-day-cve-2024-20399-vulnerability/" rel="noopener noreferrer"&gt;identified as&lt;/a&gt; CVE-2024-20399, in its NX-OS software. This vulnerability, with a CVSS score of 6.0, allowed authenticated attackers to execute arbitrary commands as root on the underlying operating system of affected devices.&lt;/p&gt;

&lt;p&gt;The vulnerability stems from insufficient validation of arguments passed to specific configuration CLI commands. Exploiting this flaw requires administrator credentials, highlighting the importance of robust credential management practices.&lt;/p&gt;

&lt;h2&gt;
  
  
  Velvet Ant’s Sophisticated Attack Strategy
&lt;/h2&gt;

&lt;p&gt;Sygnia researchers observed Velvet Ant exploiting CVE-2024-20399 as a zero-day vulnerability in April 2024. The APT group leveraged valid administrator credentials to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the underlying Linux operating system.&lt;/p&gt;

&lt;p&gt;Following the initial exploit, Velvet Ant deployed a custom malware dubbed “VELVETSHELL” by Sygnia. This malware operates on the underlying OS and remains undetected by typical security tools, demonstrating the group’s advanced capabilities.&lt;/p&gt;

&lt;h2&gt;
  
  
  VELVETSHELL: A Hybrid Malware Threat
&lt;/h2&gt;

&lt;p&gt;Sygnia managed to reconstruct the VELVETSHELL malware from device memory, despite the threat actor’s attempts to delete it. The malware is a sophisticated hybrid of two open-source tools: TinyShell and 3proxy.&lt;/p&gt;

&lt;p&gt;VELVETSHELL’s capabilities include:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Executing arbitrary commands&lt;/li&gt;
  &lt;li&gt;Downloading and uploading files&lt;/li&gt;
  &lt;li&gt;Establishing network traffic tunnels&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These functionalities allow Velvet Ant to maintain persistent access and control over compromised systems, facilitating data exfiltration and ongoing espionage activities.&lt;/p&gt;

&lt;h2&gt;
  
  
  Impacted Cisco Devices
&lt;/h2&gt;

&lt;p&gt;The vulnerability affects several Cisco device families, including:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;MDS 9000 Series Multilayer Switches&lt;/li&gt;
  &lt;li&gt;Nexus 3000 Series Switches&lt;/li&gt;
  &lt;li&gt;Nexus 5500 Platform Switches&lt;/li&gt;
  &lt;li&gt;Nexus 5600 Platform Switches&lt;/li&gt;
  &lt;li&gt;Nexus 6000 Series Switches&lt;/li&gt;
  &lt;li&gt;Nexus 7000 Series Switches&lt;/li&gt;
  &lt;li&gt;Nexus 9000 Series Switches in standalone NX-OS mode&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Mitigation and Response
&lt;/h2&gt;

&lt;p&gt;Cisco recommends that customers monitor the use of credentials for administrative users, particularly network-admin and vdc-admin accounts. The company has also provided the Cisco Software Checker to help customers determine if their devices are vulnerable to this flaw.&lt;/p&gt;

&lt;p&gt;In response to the severity of the threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-20399 to its Known Exploited Vulnerabilities (KEV) catalog.&lt;/p&gt;

&lt;h2&gt;
  
  
  Evolving Tactics of APT Velvet Ant
&lt;/h2&gt;

&lt;p&gt;Sygnia’s research reveals a clear evolution in Velvet Ant’s tactics over time. The group has progressed from operating on ordinary endpoints, to targeting legacy servers, and now to compromising network appliances using zero-day exploits.&lt;/p&gt;

&lt;p&gt;This shift towards compromising network appliances presents unique challenges for defenders. These devices typically prevent users from accessing the underlying operating system, making it extremely difficult to scan for indicators of compromise using traditional methods.&lt;/p&gt;

&lt;p&gt;The sophisticated nature of Velvet Ant’s operations underscores the ongoing threat posed by state-sponsored APT groups. Their ability to leverage zero-day vulnerabilities and develop custom malware tailored for network appliances demonstrates a high level of resources and expertise.&lt;/p&gt;

</description>
    </item>
  </channel>
</rss>
