Ethical Hacking News
A Chinese state-sponsored hacking group known as MirrorFace has been targeting Japanese government officials, politicians, and private organizations since 2019. This group's activities have raised significant concerns about the potential theft of sensitive information on advanced Japanese technologies and national security intelligence.
Japanese citizens face a significant threat from the Chinese state-sponsored hacking group MirrorFace, which targets government officials, politicians, and private organizations. MirrorFace compromises systems by exploiting vulnerabilities in networking equipment, sending phishing emails, and delivering malware-laden attachments. Its primary goal is to steal sensitive information on advanced Japanese technologies and gather national security intelligence. MirrorFace exploits vulnerabilities such as CVE-2023-28461, CVE-2023-27997, and CVE-2023-3519, which organizations often leave unpatched or inadequately secured. It uses malware families such as LODEINFO and ANEL to steal data, create persistent backdoors, and execute malicious PowerShell commands, and it relies on Windows Sandbox and Visual Studio Code tunnels to evade detection and maintain persistence in networks. The NPA recommends monitoring for suspicious activity, patching vulnerabilities, and implementing robust cybersecurity measures.
Japanese citizens have been facing a significant threat to their personal information and national security in recent years, courtesy of a sophisticated group of hackers known as MirrorFace. According to a report released by the National Police Agency (NPA) and the Cabinet Cyber Security Center in Japan, this Chinese state-sponsored hacking group has been actively targeting Japanese government officials, politicians, and private organizations since 2019.
The NPA's investigation into MirrorFace's activities revealed that these hackers employ various tactics to compromise their targets' systems, including exploiting vulnerabilities in networking equipment, phishing emails, and malware-laden attachments. The primary goal of these attacks is to steal sensitive information on advanced Japanese technologies and gather national security intelligence.
In all cases, the hackers exploit well-known flaws in networking equipment, including CVE-2023-28461 in Array Networks, CVE-2023-27997 in Fortinet appliances, and CVE-2023-3519 in Citrix ADC/Gateway. These vulnerabilities are often left unpatched or inadequately secured by organizations, making them an easy target for sophisticated hackers.
Once inside the network, MirrorFace's malware families, including LODEINFO, ANEL, NOOPDOOR, and others, are used to steal data, create persistent backdoors for long-term access, and execute malicious PowerShell commands. The group also makes use of Visual Studio Code tunnels, which the ANEL malware sets up on compromised systems so that the operators can send commands to the infected hosts.
The NPA highlights two evasion methods MirrorFace uses to persist in networks without raising alarms. First, the group uses the Windows Sandbox feature to run LODEINFO inside an isolated environment, bypassing antivirus detection. This lets the malware communicate with remote command and control (C2) servers while retaining access to the host's filesystem through shared folders.
Second, MirrorFace uses Visual Studio Code tunnels, a documented tactic previously attributed to other Chinese state-sponsored actors such as STORM-0866 and Sandman APT. These tunnels let the operators deliver commands, usually PowerShell commands, to the infected systems.
The NPA recommends that system administrators monitor for suspicious PowerShell logs, unauthorized communications with VSCode domains, and unusual sandbox activity. While it is not possible to log the commands executed inside Windows Sandbox, organizations can configure Windows audit policy on the host to record process creation, which reveals when Windows Sandbox is launched and which configuration file it was given.
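To make the three monitoring recommendations above concrete, and to cover the shared-folder point from the Windows Sandbox section, here is an added Python example written for this page; it is not code from the NPA report or from the article. It runs over constructed telemetry: host process-creation records (the shape of Windows Security event 4688 with command-line logging enabled), a few DNS log lines, and a sample `.wsb` sandbox configuration. The record layout, the DNS line format, the list of VS Code tunnel domains, the PowerShell heuristics, and the `.wsb` contents are all assumptions made for the example; adapt them to your own log sources.

```python
"""Added detection example (not from the NPA report): flag Windows Sandbox
launches and their .wsb configuration, suspicious PowerShell starts, and
DNS lookups for VS Code tunnel hosts, using constructed sample data."""
import re
import xml.etree.ElementTree as ET

# Assumption: hosts the VS Code tunnel feature contacts; extend from your DNS baseline.
VSCODE_TUNNEL_DOMAINS = ("tunnels.api.visualstudio.com", "devtunnels.ms")

# Constructed process-creation records: (new_process_name, command_line, parent_name).
EVENTS = [
    ("C:\\Windows\\System32\\WindowsSandbox.exe",
     'WindowsSandbox.exe "C:\\Users\\Public\\update.wsb"', "explorer.exe"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgA", "code.exe"),
    ("C:\\Program Files\\Microsoft VS Code\\code.exe",
     "code.exe tunnel --accept-server-license-terms", "cmd.exe"),
    ("C:\\Windows\\System32\\notepad.exe", "notepad.exe", "explorer.exe"),
]

# Constructed DNS log lines: "<timestamp> <client_ip> <queried_name>".
DNS_LOG = """2025-01-09T11:00:01Z 10.0.0.5 global.rel.tunnels.api.visualstudio.com
2025-01-09T11:00:02Z 10.0.0.5 www.example.jp
2025-01-09T11:00:03Z 10.0.0.7 abc123-8080.asse.devtunnels.ms"""

# Constructed .wsb file of the kind a sandbox launch would reference.
SAMPLE_WSB = """<Configuration>
  <Networking>Enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Users\\Public\\share</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand><Command>C:\\Users\\WDAGUtilityAccount\\Desktop\\share\\run.bat</Command></LogonCommand>
</Configuration>"""

WSB_PATH = re.compile(r'([A-Za-z]:\\[^"\s]+\.wsb)', re.IGNORECASE)
ENCODED = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s")
HIDDEN = re.compile(r"(?i)-w(indowstyle)?\s+hidden")


def sandbox_launches(events):
    """Return (command_line, wsb_path or None) for every WindowsSandbox.exe start."""
    hits = []
    for proc, cmd, _parent in events:
        if proc.lower().endswith("\\windowssandbox.exe"):
            m = WSB_PATH.search(cmd)
            hits.append((cmd, m.group(1) if m else None))
    return hits


def suspicious_powershell(events):
    """Flag PowerShell starts using encoded/hidden flags or spawned by VS Code."""
    findings = []
    for proc, cmd, parent in events:
        if not proc.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
            continue
        reasons = []
        if ENCODED.search(cmd):
            reasons.append("encoded command")
        if HIDDEN.search(cmd):
            reasons.append("hidden window")
        if parent.lower() == "code.exe":  # assumption: VS Code's process name
            reasons.append(f"spawned by {parent}")
        if reasons:
            findings.append((cmd, reasons))
    return findings


def vscode_tunnel_queries(dns_log):
    """Return (client, fqdn) for lookups of a known tunnel domain or a subdomain."""
    hits = []
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, fqdn = parts
        name = fqdn.lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in VSCODE_TUNNEL_DOMAINS):
            hits.append((client, fqdn))
    return hits


def review_wsb(xml_text):
    """List .wsb settings that give sandboxed code reach into the host or network."""
    root = ET.fromstring(xml_text)
    findings = []
    net = root.findtext("Networking", default="Enable").strip()  # enabled by default
    if net.lower() != "disable":
        findings.append(f"networking {net}: sandboxed malware can reach C2")
    for mf in root.iterfind("MappedFolders/MappedFolder"):
        host = mf.findtext("HostFolder", default="?").strip()
        if mf.findtext("ReadOnly", default="false").strip().lower() != "true":
            findings.append(f"writable host folder mapped into sandbox: {host}")
    cmd = root.findtext("LogonCommand/Command")
    if cmd:
        findings.append(f"logon command runs automatically: {cmd.strip()}")
    return findings


if __name__ == "__main__":
    for cmd, wsb in sandbox_launches(EVENTS):
        print("sandbox launch:", cmd, "-> config:", wsb)
        for f in review_wsb(SAMPLE_WSB):  # assumption: the .wsb was collected from the host
            print("   ", f)
    for cmd, reasons in suspicious_powershell(EVENTS):
        print("powershell:", cmd, "|", ", ".join(reasons))
    for client, fqdn in vscode_tunnel_queries(DNS_LOG):
        print("vscode tunnel lookup:", client, fqdn)
```

The sandbox and PowerShell checks only work if the host records process creation with command lines: enable the "Audit Process Creation" subcategory and the "Include command line in process creation events" policy, then collect event 4688. Reviewing the referenced `.wsb` is what turns a bare launch into a finding, since a mapping marked `ReadOnly` false is the shared-folder path back to the host that the article describes.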
This report highlights the need for increased vigilance from Japanese organizations and government agencies against MirrorFace's sophisticated attacks. It also underscores the importance of timely patching of vulnerabilities, proper cybersecurity measures, and robust incident response strategies to mitigate these threats.
In a world where nation-state sponsored hacking is on the rise, it is crucial that we understand the tactics, techniques, and procedures (TTPs) employed by groups like MirrorFace and take proactive steps to protect ourselves against their sophisticated attacks.
Published: Thu Jan 9 11:59:29 2025 by llama3.2 3B Q4_K_M