Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The MirrorFace Malware Campaign: A Five-Year Chinese Cyberattack on Japan


A China-linked threat group tracked as "MirrorFace" carried out a five-year campaign of targeted attacks against organizations in Japan. The attackers used phishing emails, custom malware, and compromised VPN devices to breach think tanks, government bodies, politicians, media outlets and industry. The case illustrates the persistence of Chinese state-aligned espionage and the need for stronger defenses in the targeted sectors.

  • Chinese-backed cyber attackers, known as "MirrorFace" or "Earth Kasha," carried out a five-year campaign of targeted attacks against organizations in Japan.
  • The campaign used phishing emails, malware, and exploitation of internet-facing devices to breach think tanks, government agencies, politicians, media organizations, and industrial sectors.
  • Japanese authorities link the group to the Advanced Persistent Threat (APT) 10 gang; the malware families observed include LODEINFO, LilimRAT, NOOPDOOR, and ANEL.
  • Japanese authorities warned local businesses to harden their defenses after publishing details of the attacks, but experts argue that the warning may be too little, too late.
  • The campaign is believed to have been carried out by the Chinese government or its agents with the aim of gathering intelligence on sensitive information.
  • The attackers' use of Windows Sandbox to run malware is particularly worrying, because code executed inside the disposable sandbox VM is not inspected by the antivirus and EDR agents running on the host.


    Japanese authorities have confirmed that China-backed cyber attackers, known as the "MirrorFace" group, carried out a five-year campaign of targeted attacks against local organizations in Japan. The campaign, which began in 2019 and continued into 2024, used phishing emails, malware, and other tactics to breach think tanks, government agencies, politicians, media organizations, and the semiconductor, manufacturing, information, and communications sectors.

    According to a report published by Japan's National Police Agency and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), the attacks were attributed to the MirrorFace group, also known as "Earth Kasha." The agencies link the group to the Advanced Persistent Threat (APT) 10 gang and report that it used several malware families, including LODEINFO, LilimRAT, NOOPDOOR, and ANEL.

    The first wave of attacks ran from December 2019 to July 2023, during which phishing emails were sent to targets at think tanks, government agencies, politicians, and media organizations. The messages sometimes carried malware in attached files, or opened a conversation that later led the target to download malicious software. In this wave the attackers deployed the LODEINFO backdoor, and they ran their malware inside Windows Sandbox, the disposable virtual machine built into Windows Pro and Enterprise editions, so that security software on the host would not inspect it.

    The second campaign ran from February 2023 into mid-2024 and shifted to internet-facing infrastructure: the attackers exploited known weaknesses in TLS 1.0, used client certificates to authenticate themselves, carried out SQL injection attacks, and installed the Neo-reGeorg tunneling tool and open-source web shells on VPN devices. The third campaign began in June 2024 and returned to phishing, this time with emails carrying Microsoft Office documents whose malicious macros the recipient was induced to enable.
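A mail gateway or incident responder can catch the third-wave lure type before a user is ever asked to "enable content". The following is an added example, not code from the page or from the Japanese agencies' report: it builds minimal Office (OOXML) containers in memory as constructed test input and inspects the zip package directly for a VBA project. It relies only on documented OOXML facts (a document is a zip, VBA code lives in a `vbaProject.bin` part, and `[Content_Types].xml` declares that part with the `application/vnd.ms-office.vbaProject` content type); the file names `invoice.docm` and `report.docx` are illustrative.

```python
"""Flag Office attachments that carry VBA macros.

Added example for this article. Test documents are constructed in memory;
they are not real phishing samples.  The check reads the OOXML zip container
with the standard library only, so it runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions under which Office legitimately ships a VBA project.
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm", "ppsm"}


def build_office_doc(with_macros):
    """Construct a minimal Word package (test input only, not a real file)."""
    if with_macros:
        main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_ct = ("application/vnd.openxmlformats-officedocument."
                   "wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macros:
        overrides += (f'<Override PartName="/word/vbaProject.bin" '
                      f'ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = (f'<Types xmlns="{CT_NS}">'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     f'{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # A real vbaProject.bin is an OLE compound file; a placeholder
            # suffices because the check keys on the part, not its body.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def inspect_attachment(filename, data):
    """Return macro indicators for one attachment as a dict."""
    result = {"filename": filename, "is_ooxml": False, "vba_part": None,
              "declared_vba": False, "macro_enabled_main": False,
              "extension_mismatch": False, "verdict": "allow"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result          # legacy .doc/.xls or something else entirely
    result["is_ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Indicator 1: the VBA part itself, wherever it sits in the package.
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                result["vba_part"] = name
        # Indicator 2: what the package *declares* about its parts.
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for el in root.iter(f"{{{CT_NS}}}Override"):
                ct = el.get("ContentType", "")
                if ct == VBA_CONTENT_TYPE:
                    result["declared_vba"] = True
                if "macroenabled" in ct.lower():
                    result["macro_enabled_main"] = True
    has_macros = result["vba_part"] is not None or result["declared_vba"]
    # A VBA project behind a non-macro extension is worth its own flag:
    # whatever Office does with it, the sender is hiding something.
    ext = filename.lower().rsplit(".", 1)[-1]
    result["extension_mismatch"] = has_macros and ext not in MACRO_EXTENSIONS
    result["verdict"] = "block" if has_macros else "allow"
    return result


if __name__ == "__main__":
    macro_doc, plain_doc = build_office_doc(True), build_office_doc(False)
    for fname, data in (("invoice.docm", macro_doc),
                        ("report.docx", macro_doc),
                        ("minutes.docx", plain_doc),
                        ("notes.txt", b"just text")):
        print(inspect_attachment(fname, data))
```

Checking the declared content types as well as the part name matters: the two indicators are produced by different layers of the package, and a crafted file can drop one while keeping the other.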

    Japanese authorities have urged local businesses to study the documentation the agencies published about the attacks and harden their defenses accordingly. Experts argue, however, that the warning may be too little, too late: infosec vendors Trend Micro and Broadcom had already reported on the same activity last year.

    In 2018, Google warned that APT 10 had launched a new phishing campaign against Japanese targets, and had conducted similar campaigns since 2009. The attack campaign is believed to have been carried out by the Chinese government or its agents, with the aim of gathering intelligence on sensitive information.

    The MirrorFace group's use of Windows Sandbox to run malware is particularly worrying. Windows Sandbox is a lightweight, disposable virtual machine built into Windows: the antivirus and EDR agents installed on the host do not run inside it, and its contents are discarded when it is closed, so a payload can execute with little host-side visibility and leave few artefacts behind for forensic examination. Abusing a built-in operating system feature in this way, rather than shipping a custom evasion tool, is characteristic of well-resourced threat actors.

    The incident highlights the ongoing threat posed by Chinese cyberattacks and the need for Japan and other countries to strengthen their cybersecurity defenses. It also underscores the importance of international cooperation, since the campaign appears to have been carried out with support from the Chinese government or its agents.

    In response, Japanese authorities have taken steps to enhance the country's cybersecurity capabilities, including new measures intended to protect against similar attacks. The case is a reminder that such threats cross borders and require a coordinated response from governments, industry, and individuals.



    Related Information:

  • https://go.theregister.com/feed/www.theregister.com/2025/01/09/japan_mirrorface_china_attack/

  • https://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html

  • https://blog.kowatek.com/2023/04/27/limerat-malware-analysis-extracting-the-config/


  • Published: Wed Jan 8 22:48:10 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.