Articles

People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection

• Adversarial Tactics
• The actor exploits vulnerabilities in widely used software, including ManageEngine ADSelfService Plus and FatPipe WARP, IPVPN, MPVPN..
• The actor uses webshells for persistence and exfiltration, with some of the webshells derived from the Awen webshell.
• The actor uses compromised Small-Office Home-Office (SOHO) devices (e.g., routers) to obfuscate the source of the activity.
• The actor uses built-in network administration tools for discovery, lateral movement, and collection activities. These tools include certutil, dnscmd, ldifde, makecab, net user/group/use, netsh, nltest, ntdsutil, PowerShell, req query/save, systeminfo, tasklist, wevtutil, wmic, and xcopy.
• The actor selectively clears Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity.
• The actor uses open-source "hacktools" tools, such as Fast Reverse Proxy (frp), Impacket, Mimikatz.exe, and Remote administration tools

• Recommended Mitigations
• Enable logging on edge devices, including system logs, to identify potential exploitation and lateral movements
• Enable network-level logging, such as sysmon, webserver, middleware, and network device logs.
• Be aware of the common types of compromised SOHO devices and the common CVEs for these devices. The most common types include ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe, and Zyxel USG devices.
• Be aware of the common vulnerabilities exploited by the actor and the mitigation guidance provided in the joint Cybersecurity Advisory, “Top CVEs Actively Exploited by People’s Republic of China State-Sponsored Cyber Actors”

• QSEC Mesh Networks for Defense Against State-Sponsored Cyber Attacks
• End-to-End Encryption: QSEC provides strong encryption with public keys, ensuring that data transmitted over the network is secure. This would prevent an attacker from gaining access to unencrypted data.
• Peer-to-Peer Connections: In a mesh network, devices connect directly to each other, reducing the need for central servers that can be targeted by attackers.
• Reduced Attack Surface: QSEC is designed with a minimalistic approach, resulting in less code and subsequently, a smaller attack surface. This makes it harder for attackers to find vulnerabilities to exploit.
• Improved Anonymity: With QSEC, network traffic is routed through multiple peers, making it difficult for an attacker to track the data's origin and destination.
• Resistance to IP Address Leaks: QSEC's use of public keys for routing decisions prevents IP address leaks, a common vulnerability that could be exploited in other VPN protocols.
• Automatic Key Rotation: QSEC automatically rotates encryption keys, making it difficult for an attacker to decrypt data even if they manage to get hold of a key.

close