China: Following last week's announcement from the Australian government about a prolonged cyber-attack, new details have emerged linking the activity to Chinese threat actors. An update on the investigation states that the attackers targeted public-facing infrastructure with remote code execution exploits, primarily against unpatched versions of Telerik UI for ASP.NET AJAX. The Australian Cyber Security Centre (ACSC) has issued four warnings this year about exploitation of critical Telerik UI vulnerabilities (CVE-2019-18935, CVE-2017-9248, CVE-2017-11317 and CVE-2017-11357). The ACSC also stated that the attackers exploited a ViewState deserialization vulnerability in Microsoft Internet Information Services (IIS) to upload a web shell (an attack that relies on the attacker obtaining or forging the site's machineKey, so rotating that key belongs in remediation alongside patching), a 2019 SharePoint vulnerability (CVE-2019-0604) and a Citrix vulnerability (CVE-2019-19781), and it published a list of IOCs. Among the IOCs was a sample that ESET's detection name ties to Korplug; Korplug is ESET's label for the PlugX family, and this sample is PlugX, recognisable by the family's characteristic DLL side-loading technique. PlugX has been tied to Chinese operations since 2008; however, a builder for PlugX version one has been publicly available for many years, so attribution based on the use of a single malware family is not definitive.
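The Telerik UI exploitation described above leaves a recognisable trail in IIS logs: CVE-2017-9248 is a key brute-force against Telerik.Web.UI.DialogHandler.aspx (many requests varying the dp= parameter), while CVE-2019-18935 and the 2017 RadAsyncUpload bugs go through POSTs to Telerik.Web.UI.WebResource.axd?type=rau, typically followed by the first request to a freshly dropped .aspx page. The following detection script is an added example written for this note, not code from the ACSC advisory or any vendor; the log lines it scans are constructed for the demonstration, the default IIS W3C field layout is assumed, and the brute-force threshold is an arbitrary tuning value.

```python
from collections import Counter, defaultdict

# Handler paths abused by the Telerik UI CVEs named in the advisory (matched case-insensitively).
TELERIK_DIALOG = "/telerik.web.ui.dialoghandler.aspx"   # CVE-2017-9248 key brute-force target
TELERIK_RAU = "/telerik.web.ui.webresource.axd"         # RadAsyncUpload handler (type=rau)
DIALOG_BRUTEFORCE_THRESHOLD = 20                        # assumed tuning value, not from the advisory

# Constructed sample log (default IIS W3C fields); 25 dp= probes simulate the dialog-handler key brute-force.
_DIALOG_PROBES = "\n".join(
    f"2020-06-01 10:00:{5 + i:02d} 10.0.0.5 GET /Telerik.Web.UI.DialogHandler.aspx dp={i:04x} "
    f"443 - 198.51.100.7 python-requests/2.23 - 200 0 0 15"
    for i in range(25)
)
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-06-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 120
{_DIALOG_PROBES}
2020-06-01 10:01:00 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 90
2020-06-01 10:01:02 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 80
2020-06-01 10:03:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 python-requests/2.23 - 200 0 0 340
2020-06-01 10:03:12 10.0.0.5 POST /uploads/cmd.aspx - 443 - 198.51.100.7 python-requests/2.23 - 200 0 0 50
"""


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before any #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_telerik_abuse(text, threshold=DIALOG_BRUTEFORCE_THRESHOLD):
    """Return (severity, kind, client_ip, detail) findings for Telerik UI exploitation patterns."""
    dialog_hits = Counter()            # c-ip -> number of dp= probes against DialogHandler.aspx
    rau_posts = defaultdict(int)       # c-ip -> number of POSTs to the RadAsyncUpload handler
    first_seen_aspx = {}               # .aspx stem -> first requesting c-ip
    findings = []
    for rec in parse_iis_log(text):
        ip = rec["c-ip"]
        stem = rec["cs-uri-stem"].lower()
        query = rec["cs-uri-query"].lower()
        method = rec["cs-method"].upper()
        if stem.endswith(TELERIK_DIALOG) and "dp=" in query:
            dialog_hits[ip] += 1
        elif stem.endswith(TELERIK_RAU) and method == "POST" and "type=rau" in query:
            rau_posts[ip] += 1
        elif stem.endswith(".aspx") and stem not in first_seen_aspx:
            # A page never requested before, first touched by an IP that already hit
            # RadAsyncUpload, is the classic "upload then invoke the web shell" sequence.
            first_seen_aspx[stem] = ip
            if rau_posts[ip]:
                findings.append(("high", "new-aspx-after-rau", ip, stem))
    for ip, n in dialog_hits.items():
        if n >= threshold:
            findings.append(("high", "dialoghandler-bruteforce", ip, f"{n} probes"))
    for ip, n in rau_posts.items():
        # Legitimate RadAsyncUpload users also POST here, so on its own this is informational.
        findings.append(("info", "rau-post", ip, f"{n} requests"))
    return findings


if __name__ == "__main__":
    for finding in find_telerik_abuse(SAMPLE_LOG):
        print(*finding)
```

Note that 203.0.113.9 also POSTs to the rau handler but only ever requests a page the log had already seen, so it surfaces as informational rather than as a web-shell finding; the script is a triage aid over the log, and confirming exploitation still means checking the Telerik.Web.UI.dll version on the host and looking for the dropped file itself.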
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in