The Chinese threat actor, APT27, which has been active since 2010 and has primarily focused on cyber-espionage campaigns for the Chinese has been linked to a ransomware attack. Researchers at Profero and Security Joes released a report on the incident outlining their analysis of ransomware operations that were seen targeting five online gambling companies. All five of the attacks were carried out using the malware samples linked to the DRBControl, a campaign from earlier this year that TrendMicro linked to APT27. The researchers found samples of the Clambling backdoor the ASPXSpy webshell, and PlugX remote access trojan, all having been used by APT27 in the past. The threat actor also leveraged an older Google Updater executable that was vulnerable to DLL side-loading and a vulnerability from 2017, CVE-2017-0213, to escalate privileges on the machine.
Analyst Notes
APT27 has been predominately known for its work on cyberespionage campaigns on behalf of the Chinese Government. This is not the first time that the group has switched tactics to financially motivated attacks through the use of ransomware. The group used older vulnerabilities in their attacks. Typically, it is common for threat actors to go back to old vulnerabilities when they are attempting to infiltrate companies with the hope that they did not apply security patches and updates. Whenever patches or updates become available, they should be applied immediately. Early detection of intrusions can prevent threat actors from having the opportunity to steal data and encrypt files with ransomware. The teams at Binary Defense stand ready to partner with organizations to provide strong security monitoring and detection capabilities that can stop attacks quickly. Companies should ensure that they have multiple sets of backup documents that get updated regularly to prevent a lapse in services or work in the event of a ransomware attack.
More can be read here: https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/
