Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/9/2019
01:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Public Exposure Does Little to Slow China-Based Thrip APT

Over the past year, the cyber-espionage group has attacked at least 12 other companies in the military, telecom, and satellite sectors, Symantec says.

China-based advanced persistent threat group (APT) Thrip continues to pose a major threat to organizations in the satellite, telecommunications, and military sectors in Southeast Asia more than a year after Symantec first exposed its activities.

Far from being deterred by the exposure, the group has continued its attacks unabated on companies in the region. Since June 2018, Thrip has attacked at least 12 high-level targets in multiple countries, including Hong Kong, Indonesia, Malaysia, and the Philippines, Symantec said in an update on Thrip's activities this week.

Thrip, which is known for leveraging legitimate tools such as PsExec, PowerShell, and LogMeIn in its attacks, also has added more custom weapons to its arsenal. According to Symantec, the Chinese group recently began using a previously unseen backdoor called Hannotog to try and gain persistent remote access on compromised systems. Hannotog takes advantage of the built-in Windows Management Instrumentation (WMI) component in Windows as part of its execution on victim networks.

Thrip also is using Sagerunex, another backdoor, recent attacks, suggesting a strong link between Thrip and Billbug Group (aka Lotus Blossom), a well-known Chinese cyber-espionage group that has been operating since at least early 2009. Sagerunex appears to be a more evolved version of malware dubbed Evora, which Billbug has been known to use. Based on this and other available telemetry it appears Thrip is a subgroup of Billbug, Symantec said.

For organizations on its radar, Thrip presents a clear and present danger, says Vikram Thakur, technical director at Symantec.

"Attackers will continue to target organizations regardless of public exposure of their campaigns and tools," he says. "[Organizations] in targeted market segments should take note of the techniques leveraged by Thrip and ensure they have appropriate tools to both instrument and respond in case the attacker turns their way." 

One complicating factor is Thrip's heavy use of legitimate and dual-use tools for lateral movement, credential theft malware execution, and other malicious activities. By hiding its attack traffic in a sea of legitimate traffic, the group — like a growing number of other threat actors — has made it much harder for organizations to stop them using typical antimalware and theft detection tools.

Beyond Cyber Espionage?
Thrip's main motive continues to be cyber espionage, Thakur says. But in at least a few of its attacks, the group appears to have gained a dangerous level of access to operational systems.

In one attack on a satellite communications provider that Symantec investigated last year, Thrip actors seemed particularly interested in infecting computers that monitored and controlled satellites. In another attack involving a Southeast Asian geospatial imaging and mapping company, Thrip once again went after operational systems. That time, the group attacked systems using for critical application development tasks and those running imaging software and Google Earth Server.

Thakur says Symantec is not sure what exactly the attackers would have been able to do with their access to these systems. "Our visibility stops at attackers being able to get onto machines," he notes.

Data from attacks on at least three other communications firms in Southeast Asia suggested Thrip was primarily targeting the companies themselves and not their customers, Symantec said.

For the moment, at least, Thrip appears solely focused on organizations in Southeast Asia. But there's no telling when that might change. "While we don't have any evidence of US targeting in the past year of Thrip's activity, this can change at any moment," Thakur warns. "We always urge peers within targeted verticals to take note of ongoing attacks and bolster their own defenses in the event the attackers change targeting."  

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Phishers' Latest Tricks for Reeling in New Victims."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.