Ethical Hacking News
Japan's National Police Agency and the Center of Incident Readiness and Strategy for Cybersecurity have attributed a five-year cyberattack campaign to the China-backed group "MirrorFace". The campaign targeted various local organizations, including think tanks, government agencies, politicians, media outlets, and academic institutions. Japanese authorities have urged businesses to harden their defenses and learn from the documentation they have published about the attacks.
The Chinese government has been accused of running a five-year cyberattack campaign against Japan. The campaign, allegedly linked to the APT10 gang, targeted various local organizations and institutions from December 2019 to mid-2024. Multiple waves of attacks were launched during this time, including phishing emails that carried malware attachments or opened conversations leading to malicious files. The attackers exploited known vulnerabilities in Fortinet and Citrix products, as well as weaknesses in TLS 1.0 and client certificates. A third wave of attacks in June 2024 used phishing emails with malware attachments, running malware inside Windows Sandbox to maintain access to compromised systems.
China has been accused by Japanese authorities of running a five-year cyberattack campaign, targeting various local organizations and institutions. The campaign, allegedly led by the China-backed group "MirrorFace", or "Earth Kasha", has been linked to the Advanced Persistent Threat (APT) 10 gang.
According to reports from Japan's National Police Agency and the Center of Incident Readiness and Strategy for Cybersecurity, the campaign began in December 2019 and continued until mid-2024. During this time, multiple waves of attacks were launched against local organizations, including think tanks, government agencies, politicians, media outlets, and even academic institutions.
The first wave of attacks ran from December 2019 to July 2023, during which phishing emails were sent to targets, some of which included malware attachments or initiated conversations that eventually led to the transmission of malicious files. The attackers also employed known vulnerabilities in Fortinet and Citrix products to gain further access to compromised systems.
In February 2023, a second wave of attacks was launched, utilizing known weaknesses in TLS 1.0 and exploiting client certificates obtained through unknown means. SQL injection attacks were also employed, as well as the deployment of the Neo-reGeorg tunneling tool and open-source WebShells on VPNs.
The third and final wave of attacks began in June 2024, with phishing emails sent to target various organizations, including academia, think tanks, politicians, and media outlets. This campaign saw the use of malware attachments, such as NOOPDOOR and ANEL, which are believed to be part of APT10's arsenal.
What was particularly concerning about this third wave was the attackers' apparent ability to run malware inside Windows Sandbox, a virtualized environment designed to isolate code from the host system. Operating there let the malware run on compromised systems while staying separated from the host, although the sandbox's contents do not survive a reboot, which made it difficult for the attackers to establish a persistent presence.
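Defenders can look for this technique in two places: the `.wsb` configuration files that launch Windows Sandbox (real schema: `Configuration/MappedFolders/MappedFolder/{HostFolder,ReadOnly}` and `LogonCommand/Command`) and process-creation telemetry for `WindowsSandbox.exe`. The following is an added example, not code from the NPA report or the Register article; the `.wsb` content and process events are constructed, and treating `explorer.exe` as the only expected parent is an assumption a team would tune for its own fleet.

```python
import xml.etree.ElementTree as ET

# Constructed .wsb configuration following the real Windows Sandbox schema.
# A LogonCommand auto-runs inside the sandbox; mapped folders appear under the
# sandbox user's Desktop (C:\Users\WDAGUtilityAccount\Desktop\<folder>).
SAMPLE_WSB = """<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Users\\Public\\stage</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\\Users\\WDAGUtilityAccount\\Desktop\\stage\\run.bat</Command>
  </LogonCommand>
</Configuration>"""

# Constructed process-creation events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "WindowsSandbox.exe",
     "cmdline": "WindowsSandbox.exe C:\\Users\\bob\\test.wsb"},
    {"host": "ws02", "parent": "wscript.exe", "image": "WindowsSandbox.exe",
     "cmdline": "WindowsSandbox.exe C:\\Users\\Public\\stage\\p.wsb"},
    {"host": "ws03", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe"},
]


def triage_wsb(xml_text):
    """Return risk indicators in a .wsb file: an auto-run command and any
    host folder mapped with write access (a channel back to the host)."""
    root = ET.fromstring(xml_text)
    findings = []
    cmd = root.findtext("LogonCommand/Command")
    if cmd:
        findings.append(f"logon_command:{cmd}")
    for mf in root.iterfind("MappedFolders/MappedFolder"):
        read_only = (mf.findtext("ReadOnly") or "true").strip().lower()
        if read_only != "true":
            findings.append(f"writable_mapped_folder:{mf.findtext('HostFolder')}")
    return findings


def suspicious_sandbox_launches(events, trusted_parents=("explorer.exe",)):
    """Flag WindowsSandbox.exe launches whose parent is not an interactive
    shell (assumed list); scripted launches merit a closer look."""
    hits = []
    for ev in events:
        if ev["image"].lower() != "windowssandbox.exe":
            continue
        if ev["parent"].lower() not in trusted_parents:
            hits.append((ev["host"], ev["parent"], ev["cmdline"]))
    return hits
```

In practice the parent-process allow-list and the decision to block Windows Sandbox outright on hosts that have no business need for it are policy choices; the functions above only surface candidates for review.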
In response to these attacks, Japanese authorities have urged local businesses to take steps to harden their defenses and learn from the documentation provided by the National Police Agency and the Center of Incident Readiness and Strategy for Cybersecurity. However, some experts have expressed concerns that this may be too little, too late, given the long history of Chinese cyberattacks against Japan.
In fact, similar allegations had been raised last year by infosec vendors Trend Micro and Broadcom, who linked the attacks to APT10. Google had also warned in 2018 that APT10 had launched a new phishing campaign at Japanese targets, and had conducted similar campaigns since 2009.
This latest wave of attacks highlights the ongoing threat posed by state-sponsored cyberattacks and the need for organizations to remain vigilant in protecting themselves against such threats. As cybersecurity continues to evolve and become increasingly important, it is essential that we learn from these experiences and take proactive steps to prevent future attacks.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2025/01/09/japan_mirrorface_china_attack/
https://www.msn.com/en-us/news/technology/japanese-police-claim-china-ran-five-year-cyberattack-campaign-targeting-local-orgs/ar-BB1r89e8
https://www.theregister.com/2025/01/09/japan_mirrorface_china_attack/
Published: Wed Jan 8 23:59:00 2025 by llama3.2 3B Q4_K_M