#AxisOfEasy 236: Researchers Found Daxin, The ‘Most Advanced’ Backdoor Ever Deployed By Chinese Threat Actors


Weekly Axis Of Easy #236


Last Week’s Quote was “It is not in the nature of politics that the best men should be elected. The best men do not want to govern their fellowmen” was by George MacDonald. No guesses! No winner!

This Week’s Quote: “I wanted to change the world. But I have found that the only thing one can be sure of changing is oneself.” … by???

THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.



In this issue:

  • Hackers stole employee and internal data from Nvidia 
  • Researchers found Daxin, the ‘most advanced’ backdoor ever deployed by Chinese threat actors 
  • Hackers used a Ukrainian military server and impersonated NATO email invitations to target European governments and refugee movements
  • Toyota to shut down all Japan plants following a cyberattack on a supplier
  • DDoS attackers weaponize TCP Middlebox Reflection for amplified attacks

Elsewhere online:

  • Make sure you’re on the latest versions of Firefox
  • Twitter censors tweets about Ukraine conflict
  • Ice cream machine technician has filed a lawsuit against McDonald’s for $900 million
  • Teabot Trojan attacks Google Play Store apps again 
  • Russia says it will partially restrict access to Facebook for allegedly violating its users’ freedoms
  • Cyberattack Takes Down New York State Ethics Commission


Hackers stole employee and internal data from Nvidia

A ransomware attack on Nvidia’s networks has been revealed, with the company admitting in a recent statement that its internal data was stolen. Following the breach’s discovery, the U.S. chip giant notified law enforcement, hardened its network, and engaged cybersecurity incident response experts.

According to the statement, they “have not seen any evidence of ransomware being deployed to Nvidia systems, or that this is related to the conflict between Russia and Ukraine. However, we are aware that the threat actor is leaking employee credentials and some Nvidia proprietary information online.”  

Lapsus$ is thought to be the group behind the attack, as it claims to have 1TB of Nvidia data in its possession. In screenshots posted on Twitter, the group claims to have “complete silicon, graphics, and computer chip files for all recent Nvidia GPUs,” and it is threatening to release information about the company’s Lite Hash Rate technology.

Read: https://www.infosecurity-magazine.com/news/nvidia-admits-hackers-stole/ 


Researchers found Daxin, the ‘most advanced’ backdoor ever deployed by Chinese threat actors

Symantec researchers found a sophisticated piece of malware called Daxin, a backdoor installed on hardened corporate networks that already have strong threat-detection capabilities.

A backdoor allows threat actors to steal data from compromised computer systems or to compromise a device further by executing commands. In Daxin’s case, the backdoor monitors network traffic for specific patterns, hijacks legitimate TCP connections, and uses them to communicate with a command and control server.

“Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish communication on networks with strict firewall rules. It may also lower the risk of detection by SOC analysts monitoring for network anomalies,” according to the Symantec report.

Symantec’s analysts have found evidence linking Daxin to the Chinese state-backed hacking group Slug (aka Owlproxy). The malware has been actively used in attacks since 2019, but it was first sampled in 2013. According to the Symantec Threat Hunter team, it is “one of the most advanced backdoors ever seen deployed by Chinese actors.”

Read: https://www.bleepingcomputer.com/news/security/chinese-cyberspies-target-govts-with-their-most-advanced-backdoor/ 


Hackers used a Ukrainian military server and impersonated NATO email invitations to target European governments and refugee movements

Proofpoint researchers identified an email phishing campaign originating from a compromised Ukrainian armed service member’s account, which posed as a NATO meeting invitation and attempted to deliver Lua-based malware. The attackers targeted European government personnel managing transportation and population movement in Europe.

On February 24, 2022, Proofpoint detected an email sent from a ukr[.]net email account that included a macro-enabled XLS file containing SunSeed malware. The lures in the email were very timely, following a NATO Security Council meeting on February 23, 2022.

Proofpoint observed email messages sent to European governmental entities and found a clear preference for targeting individuals with expertise related to transportation, financial and budget allocation, administration, and population movement within Europe.

Researchers have observed several technical indicators that suggest this campaign may be attributed to the threat actor TA445. However, Proofpoint has not yet observed substantial technical overlaps that would allow it to attribute this campaign to that actor directly.

Regardless of attribution, this activity represents an effort to target NATO entities using compromised Ukrainian military accounts. The techniques are not groundbreaking, but they can be effective when deployed together.

Read: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails?&web_view=true 


Toyota to shut down all Japan plants following a cyberattack on a supplier

On Monday, Nikkei reported that Toyota Motor Corp. would shut down all its Japanese factories on Tuesday. The shutdown results from a suspected cyberattack on one of its top suppliers.

Toyota’s decision to halt 28 lines at 14 plants could affect around 10,000 vehicles, or about 5% of its production in Japan each day. Toyota’s subsidiaries Daihatsu Motor and Hino Motor will also stop some operations on Tuesday.

Depending on the severity of the cyberattack, it may be resolved as early as Wednesday. The incident will hinder Toyota’s attempts to return to full production after its operations were halted in January and February due to semiconductor shortages, labor issues, and COVID-related disruptions.

Read: https://www.zerohedge.com/markets/toyota-halt-all-japan-plants-supplier-hit-cyberattack


DDoS attackers weaponize TCP Middlebox Reflection for amplified attacks

A new kind of DDoS attack has been observed in the wild for the first time: it leverages vulnerable content-filtering systems and firewalls (middleboxes) to reflect traffic toward a victim machine.

A distributed reflective denial-of-service (DRDoS) attack is a form of DDoS in which the attacker sends a flood of requests (classically DNS or NTP) whose source IP address is forged to be the victim’s. The servers that receive the requests deliver their responses to the spoofed address, exhausting whatever bandwidth the target has available.

Conventional amplification attacks rely on UDP reflection vectors because UDP is connectionless. This unconventional attack instead abuses non-compliant TCP handling in middleboxes to achieve TCP-based reflective amplification.

According to research published in August 2021, the attack vector “exploits weaknesses in TCP implementations in middleboxes and censorship infrastructure to carry out reflected Denial of Service (DoS) attacks against targets.”

The first wave of “noticeable” DRDoS attacks struck around February 17. The campaign targeted Akamai customers, with traffic peaking at 11 Gbps and 1.5 million packets per second.
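The signature a defender sees in a reflection attack, whether the reflectors are UDP services or the TCP middleboxes described above, is heavy inbound traffic from many peers to which the victim never sent anything (because the requests carried a spoofed source). The following is an added example, not code from the article or from Akamai’s research: it parses a small set of constructed flow records in a made-up “src:sport dst:dport proto packets bytes” format and flags peers whose bytes-in to bytes-out ratio at the victim is implausibly high. The victim address, thresholds and all flow values are assumptions for illustration.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample flow records (documentation IP ranges). 203.0.113.10 plays the
# victim; 198.51.100.5 is a normal web server it talks to; 192.0.2.x are reflectors
# that send large unsolicited responses because the attacker spoofed the victim's IP.
SAMPLE_FLOWS = """
# src:sport dst:dport proto packets bytes
203.0.113.10:51000 198.51.100.5:443 tcp 12 1400
198.51.100.5:443 203.0.113.10:51000 tcp 10 9000
192.0.2.1:80 203.0.113.10:40001 tcp 800 640000
192.0.2.2:80 203.0.113.10:40002 tcp 750 600000
192.0.2.3:80 203.0.113.10:40003 tcp 900 720000
192.0.2.4:53 203.0.113.10:40004 udp 300 360000
198.51.100.9:25 203.0.113.10:40005 tcp 3 200
"""


def parse_flows(text: str) -> List[dict]:
    """Parse the (assumed) 'src:sport dst:dport proto packets bytes' lines into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, packets, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append({
            "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport),
            "proto": proto.lower(), "packets": int(packets), "bytes": int(nbytes),
        })
    return flows


def analyze_flows(text: str, victim: str, min_ratio: float = 10.0,
                  min_bytes: int = 100_000, min_reflectors: int = 3) -> Dict:
    """Flag peers that push far more bytes to the victim than the victim sent them.

    A legitimate exchange has a modest in/out ratio; a reflector that received a
    spoofed request has inbound bytes but zero (or negligible) outbound bytes from
    the victim, so the ratio is huge (infinite when outbound is zero).
    """
    sent = defaultdict(int)       # bytes the victim sent to each peer
    received = defaultdict(int)   # bytes each (peer, proto) sent to the victim
    for f in parse_flows(text):
        if f["src"] == victim:
            sent[f["dst"]] += f["bytes"]
        elif f["dst"] == victim:
            received[(f["src"], f["proto"])] += f["bytes"]

    reflectors = []
    for (peer, proto), inbound in received.items():
        if inbound < min_bytes:           # ignore low-volume chatter (e.g. a stray SMTP probe)
            continue
        outbound = sent.get(peer, 0)
        ratio = inbound / outbound if outbound else float("inf")
        if ratio >= min_ratio:
            reflectors.append({"peer": peer, "proto": proto, "inbound_bytes": inbound,
                               "outbound_bytes": outbound, "amplification": ratio})
    reflectors.sort(key=lambda r: r["inbound_bytes"], reverse=True)

    return {
        "victim": victim,
        "reflectors": reflectors,
        "tcp_reflectors": [r["peer"] for r in reflectors if r["proto"] == "tcp"],
        "udp_reflectors": [r["peer"] for r in reflectors if r["proto"] == "udp"],
        "reflected_bytes": sum(r["inbound_bytes"] for r in reflectors),
        "is_reflection_attack": len(reflectors) >= min_reflectors,
    }


if __name__ == "__main__":
    report = analyze_flows(SAMPLE_FLOWS, "203.0.113.10")
    print(f"victim {report['victim']}: attack={report['is_reflection_attack']}, "
          f"tcp reflectors={report['tcp_reflectors']}, udp reflectors={report['udp_reflectors']}, "
          f"reflected bytes={report['reflected_bytes']}")
```

Splitting the result into TCP and UDP reflectors matters for triage: UDP reflection is the classic pattern, while unsolicited high-volume TCP traffic from port 80 of hosts the victim never contacted is the tell-tale of the middlebox variant. On real flow exports the thresholds should be tuned to the site’s baseline, and the same ratio logic can be run per destination port to separate attack traffic from legitimate large downloads.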

Read: https://thehackernews.com/2022/03/hackers-begin-weaponizing-tcp-middlebox.html?&web_view=true


Elsewhere online:


Make sure you’re on the latest versions of Firefox

Read: https://www.bleepingcomputer.com/news/security/mozilla-firefox-9702-fixes-two-actively-exploited-zero-day-bugs/

Twitter censors tweets about Ukraine conflict

Read: https://www.zerohedge.com/geopolitical/twitter-says-it-will-consider-censoring-emerging-narratives-about-ukraine-war


Ice cream machine technician has filed a lawsuit against McDonald’s for $900 million

Read: https://www.wired.com/story/kytch-ice-cream-machine-hackers-sue-mcdonalds-900-million/

Teabot Trojan attacks Google Play Store apps again

Read: https://thehackernews.com/2022/03/teabot-android-banking-malware-spreads.html?&web_view=true 

Russia says it will partially restrict access to Facebook for allegedly violating its users’ freedoms

Read: https://www.zerohedge.com/technology/russia-partially-restrict-access-facebook-violating-fundamental-human-rights-freedoms 

Cyberattack Takes Down New York State Ethics Commission

Read: https://www.infosecurity-magazine.com/news/cyber-attack-on-new-york-ethics/?&web_view=true
