Dark Reading | Attacks/Breaches | 8/3/2020 04:45 PM
DHS Urges 'Highest Priority' Attention on Old Chinese Malware Threat

"Taidoor" is a remote access tool that has been used in numerous cyber espionage campaigns since at least 2008.

The US government Monday urged enterprise organizations to pay the "highest priority" attention to malicious activity involving "Taidoor," a Chinese remote access Trojan that has been used in various cyber-espionage campaigns since at least 2008.

In a Malware Analysis Report (MAR) dated August 3, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said that security researchers from multiple federal agencies had observed Chinese government actors using a variant of the malware in recent attacks.

An analysis of the activity shows that the attackers are using Taidoor variants in conjunction with proxy servers to maintain persistence on compromised networks and to enable further exploitation, according to CISA. The CISA report included a complete list of indicators of compromise and suggested mitigation and response measures organizations can take to protect against the newly resurfaced threat.

"Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch)," the advisory noted. "Give the activity the highest priority for enhanced mitigation."
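The advisory's "flag the activity" directive presumes that defenders can run the MAR's indicator list against what they already collect. The following is an added example, not code from the article, from CISA, or from any vendor named here: it takes a MAR-shaped indicator set (file hashes, command-and-control domains and IPs) and matches it against a file inventory and proxy log lines. Every indicator, file path and log line in it is constructed for illustration; the hash is simply the SHA-256 of a placeholder byte string, and a real deployment would load the values published in the MAR.

```python
"""Indicator matching in the spirit of the CISA MAR's "flag and report" advice.

Added example: not code from the article or from CISA. Every indicator,
path and log line below is CONSTRUCTED; a real run loads the MAR's values.
"""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    kind: str     # "sha256", "domain" or "ip"
    value: str    # the matched indicator
    source: str   # file path or log line that produced the match


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a sample; hashing it gives a coherent "known bad" hash.
CONSTRUCTED_SAMPLE = b"constructed placeholder bytes, not a real sample"

# Constructed indicator set shaped like a MAR appendix. All values are placeholders.
CONSTRUCTED_IOCS = {
    "sha256": {sha256_hex(CONSTRUCTED_SAMPLE)},
    "domains": {"c2.example.invalid", "update.example.invalid"},
    "ips": {"192.0.2.10", "198.51.100.7"},
}


def normalize_iocs(iocs):
    """Lower-case and strip every indicator so matching is case-insensitive."""
    return {kind: {v.strip().lower() for v in values} for kind, values in iocs.items()}


def match_file_inventory(inventory, iocs):
    """inventory: iterable of (path, file_bytes). Flags files whose SHA-256 is listed."""
    iocs = normalize_iocs(iocs)
    hits = []
    for path, data in inventory:
        digest = sha256_hex(data)
        if digest in iocs["sha256"]:
            hits.append(Hit("sha256", digest, path))
    return hits


# IPv4 literal or dotted hostname. The IP alternative is tried first at each
# position, so an address never falls through to the hostname branch.
_HOST_RE = re.compile(
    r"\b((?:\d{1,3}\.){3}\d{1,3})\b|\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I
)


def match_proxy_log(lines, iocs):
    """Flags proxy/DNS log lines that reference a listed domain or IP."""
    iocs = normalize_iocs(iocs)
    hits = []
    for line in lines:
        for ip, host in _HOST_RE.findall(line):
            if ip and ip in iocs["ips"]:
                hits.append(Hit("ip", ip, line.strip()))
            elif host and host.lower() in iocs["domains"]:
                hits.append(Hit("domain", host.lower(), line.strip()))
    return hits


def summarize(hits):
    """Count matches per indicator type, the figure an analyst reports upward."""
    return dict(Counter(h.kind for h in hits))


# Constructed proxy log lines (not real traffic).
CONSTRUCTED_PROXY_LOG = [
    "2020-08-03T14:02:11Z 10.0.0.5 CONNECT c2.example.invalid:443 200",
    "2020-08-03T14:02:12Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2020-08-03T14:03:40Z 10.0.0.9 CONNECT 198.51.100.7:8080 200",
]

# Constructed file inventory: (path, contents).
CONSTRUCTED_INVENTORY = [
    ("C:/Users/alice/Downloads/report.pdf", b"benign constructed bytes"),
    ("C:/Users/alice/AppData/Local/Temp/update.tmp", CONSTRUCTED_SAMPLE),
]

if __name__ == "__main__":
    hits = match_file_inventory(CONSTRUCTED_INVENTORY, CONSTRUCTED_IOCS)
    hits += match_proxy_log(CONSTRUCTED_PROXY_LOG, CONSTRUCTED_IOCS)
    for h in hits:
        print(f"[{h.kind}] {h.value} <- {h.source}")
    print(summarize(hits))
```

Proxy logs are the right place to look for the behaviour CISA describes, since the report says the variants work through proxy servers; hash matching catches only the exact samples listed, so a domain or IP hit with no hash hit is still worth escalating.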

The CISA alert is the latest involving heightened threat activity from China-based actors. Just last month, the US government indicted two Chinese nationals on charges connected to the theft of intellectual property and business secrets, including COVID-19 research, from organizations in the US and elsewhere. Earlier this year, the US government indicted four members of China's military for allegedly being involved in the Equifax hack of May 2017. The indictments follow years of US accusations about China-based actors conducting systematic and widespread espionage campaigns against US corporations, government agencies, military and defense entities, and academic institutions.

Taidoor is a malware tool that multiple security vendors — including FireEye, Trend Micro and Symantec — have reported on over the years. Researchers have observed the malware being used in cyber-espionage campaigns targeting corporate organizations, think tanks, and government agencies in Taiwan and other countries with interests in Taiwan, including the US.

Substantial Threat
A detailed Trend Micro technical analysis of the malware in 2012 described Taidoor at the time as exploiting a wide variety of old and new vulnerabilities, including zero-days in Adobe Reader, Acrobat, Flash Player, Microsoft Word, PowerPoint, and Excel. One zero-day vulnerability that Taidoor exploited was "Sandworm," a remote code execution flaw in Windows that was disclosed in 2014.

In initial campaigns, the China-based government actors behind Taidoor used phishing emails with malicious attachments to distribute the malware. One of their tricks involved a decoy document that would behave as a recipient might expect it to, while executing a malicious payload in the background. In later campaigns, the operators of Taidoor stopped using emails to drop the malware directly on a victim's system. Instead, they used the rogue emails to drop a downloader on a system that would later go out and grab the malware from a remote command-and-control server. A September 2013 FireEye report described a further evolution in tactics: instead of hosting the malware on remote command-and-control servers, the attackers began hosting it as encrypted text in Yahoo blog posts.

It is not entirely clear what specific malicious activity involving Taidoor triggered the new warning from CISA this week. So far, at least, none of the vendors that have previously tracked the malware have reported a resurgence in Taidoor activity.

A FireEye spokeswoman says researchers at the company are still looking into what might be going on.

"We've seen Taidoor used extensively over the last 10+ years; while it has become less common recently, we expect it is still in use," adds Ben Read, senior manager of analysis at FireEye's Mandiant Threat Intelligence group. According to Read, FireEye has observed the malware being used in attacks against law firms, nuclear power suppliers, airlines, East Asian governments, engineering firms, and organizations within the defense industrial sector.

Symantec did not immediately respond to a Dark Reading inquiry. Trend Micro says it is working on getting comments from its researchers in Asia and Europe.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...