{"id":17108,"date":"2020-04-07T08:00:00","date_gmt":"2020-04-07T12:00:00","guid":{"rendered":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/?p=17108"},"modified":"2022-10-14T18:26:48","modified_gmt":"2022-10-14T22:26:48","slug":"new-blackberry-report-details-chinese-hacking","status":"publish","type":"post","link":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/new-blackberry-report-details-chinese-hacking.html","title":{"rendered":"New Blackberry Report Details Chinese Hacking"},"content":{"rendered":"\n<p><a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/?s=Blackberry\">Blackberry<\/a>, the company once known for ultra-secure email via phones with superior keyboards, was overtaken by Apple and Android solutions in the market, but in an incredible tech turnaround story they became a solid cybersecurity organization. They provide intelligent security software and services to enterprises and governments around the world. They secure more than 500M endpoints including 150M cars on the road today.\u00a0<\/p>\n\n\n\n<p>They just released new research that examines how five related Advanced Persistent Threat (APT) groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and mobile devices running Android while remaining undetected for nearly a decade.<\/p>\n\n\n\n<p>The report, titled <a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2020\/04\/Decade-of-the-RATs-Report-BlackBerry-Research-and-Intelligence1.pdf\">Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android<\/a>, provides further insight into pervasive economic espionage operations targeting intellectual property, a subject that the Department of Justice recently said is the focus of more than 1000 open investigations in all of the 56 FBI field offices. 
<\/p>\n\n\n\n<p>The cross-platform aspect\nof the attacks is also of particular concern in light of security challenges posed\nby the sudden increase in remote workers. The tools identified in these ongoing\nattack campaigns are already in place to take advantage of work-from-home\nmandates, and the diminished number of personnel onsite to maintain security of\nthese critical systems compounds the risks. While the majority of the workforce\nhas left the office as part of containment efforts in response to the COVID-19\noutbreak, intellectual property remains in enterprise data centers, most of\nwhich run on Linux.<\/p>\n\n\n\n<p>Linux runs nearly all of the top 1 million\nwebsites online, 75% of all web servers, 98% of the world\u2019s\nsupercomputers and 75% of major cloud service providers <em>(Netcraft, 2019,\nLinux Foundation, 2020)<\/em>. Most large organizations rely on Linux to run\nwebsites, proxy network traffic and store valuable data. The BlackBerry report\nexamines how APTs have leveraged the \u201calways on, always available\u201d nature of\nLinux servers to establish a \u201cbeachhead for operations\u201d across a wide swath of\ntargets. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"1247\" src=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2020\/04\/eric-cornelius.jpg\" alt=\"\" class=\"wp-image-17110\" srcset=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2020\/04\/eric-cornelius.jpg 1280w, https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2020\/04\/eric-cornelius-768x748.jpg 768w\" sizes=\"(max-width: 1280px) 100vw, 1280px\" \/><figcaption> Eric Cornelius, Chief Product Architect at BlackBerry <\/figcaption><\/figure>\n\n\n\n<p>\u201cLinux is not typically user-facing, and most security companies focus their engineering and marketing attention on products designed for the front office instead of the server rack, so coverage for Linux is sparse,\u201d said Eric Cornelius, Chief Product Architect at BlackBerry. \u201cThese APT groups have zeroed in on that gap in security and leveraged it for their strategic advantage to steal intellectual property from targeted sectors for years without anyone noticing.\u201d<\/p>\n\n\n\n<p>Other key findings in the report include: <\/p>\n\n\n\n<ul><li>The APT groups examined in this report are likely comprised of civilian contractors working in the interest of the Chinese government who readily share tools, techniques, infrastructure, and targeting information with one another and their government counterparts.<\/li><li>The APT groups have traditionally pursued different objectives and focused on a wide array of targets; however, it was observed that there is a significant degree of coordination between these groups, particularly where targeting of Linux platforms is concerned.<\/li><li>The research identifies two new examples of Android malware, continuing a trend seen in a previous report from BlackBerry researchers, titled\u00a0<em><a 
href=\"https:\/\/www.blackberry.com\/uk\/en\/forms\/enterprise\/mobile-malware-report\">Mobile Malware and APT Espionage: Prolific, Pervasive, and Cross-Platform<\/a>,<\/em> which examined how APT groups have been leveraging mobile malware in combination with traditional desktop malware in ongoing cross-platform surveillance and espionage campaigns. <\/li><\/ul>\n\n\n\n<ul><li>The report also delves into the curious case of a mobile remote access trojan (RAT) that was developed by an APT group nearly two years prior to the commercial availability of a popular remote administration penetration testing tool that has strikingly similar code structure and characteristics, raising questions about the origins of each.<\/li><\/ul>\n\n\n\n<ul><li>The report examines several new variants of well-known malware that are getting by network defenders through the use of code-signing certificates for adware, a tactic that the attackers hope will increase infection rates as AV red flags are dismissed as just another blip in a constant stream of adware alerts. 
<\/li><li>The research also highlights a shift by attackers towards the use of cloud service providers for command-and-control (C2) and data exfiltration communications which appear to be trusted network traffic.<\/li><\/ul>\n\n\n\n<ul><li>The research also provides analysis of attacks designed to elude defenders through the use of Windows\u00ae malware that uses adware code-signing certificates, a tactic that the attackers hope will increase infection rates as any red flags are dismissed as just another blip in a constant stream of adware alerts.<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"500\" src=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2020\/04\/John-McClurg.jpg\" alt=\"\" class=\"wp-image-17113\" srcset=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2020\/04\/John-McClurg.jpg 500w, https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2020\/04\/John-McClurg-90x90.jpg 90w, https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2020\/04\/John-McClurg-300x300.jpg 300w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><figcaption> John McClurg, Chief Information Security Officer at BlackBerry <\/figcaption><\/figure><\/div>\n\n\n\n<p>\u201cThis research paints a picture of an espionage effort targeting the very backbone of large organizations\u2019 network infrastructure that is more systemic than has been previously acknowledged,\u201d says John McClurg, Chief Information Security Officer at BlackBerry. 
\u201cThis report opens another chapter in the Chinese IP theft story, providing us with new lessons to learn.\u201d<\/p>\n\n\n\n<p>More details of the report include:<\/p>\n\n\n\n<p><strong>Strategic Intelligence Assessments:<\/strong><\/p>\n\n\n\n<p><strong>\u2022 <\/strong><strong>Targeting Linux: <\/strong>Adversaries assessed to be\nacting in the interests of the Chinese government have strategically targeted\nLinux servers for years precisely because the Linux operating system is not\ntypically a primary focus of security solutions. Defensive coverage within\nLinux environments is immature at best, and robust endpoint protection (EPP)\nand endpoint detection and response (EDR) products are often inadequately\nutilized or lack the capabilities to defend them. It was assessed that the groups\nexamined in this report are using Linux servers as a \u201cnetwork beachhead\u201d for\nother operations \u2013 that is, as a highly available attack vector that is\nalways-on and poorly defended.<\/p>\n\n\n\n<p><strong>\u2022 <\/strong><strong>APT Groups Coordinating: <\/strong>Persistent\nthreats rarely operate in a single domain, and the five groups assessed to be\nrelated to the APT originally identified as WINNTI GROUP in previously\npublished research are no exception. Many of the techniques used in one\noperating environment have been readily translated for use in others. Cross-platform\nand open-source tools are more readily available now than ever, and the APT groups\nexamined in this report have already exploited this fact.<\/p>\n\n\n\n<p><strong>\u2022 <\/strong><strong>Objective Blending and Overlap: <\/strong>BlackBerry researchers observed the continued blending of\nfinancially motivated and targeted espionage activity by the five groups under\nexamination in this report. The more traditional criminal approaches to network\nexploitation are equally effective in their intelligence gathering as they are\nin generating revenue. 
Attacks that look like dragnet, \u201cspray and pray\u201d efforts\ncan also yield targeted reconnaissance intelligence for other operations, and strategic\nplatform and supply-chain compromises are becoming increasingly commonplace.<\/p>\n\n\n\n<p><strong>\u2022 <\/strong><strong>Attackers for Hire: <\/strong>It is assessed with high\nconfidence that the APT groups examined in this report are likely comprised of\ncivilian contractors working in the interest of the Chinese government who\nreadily share tools, techniques, infrastructure, and targeting information with\none another and their government counterparts. This reflects a highly agile\ngovernment\/contractor ecosystem with few of the bureaucratic or legal hurdles\nthat can be observed in Western nations with similar capabilities and provides\na level of plausible deniability for the Chinese government.<\/p>\n\n\n\n<p><strong>Tactical Intelligence Assessments:<\/strong><\/p>\n\n\n\n<p><strong>\u2022 <\/strong><strong>The WINNTI Approach: <\/strong>Five APT groups acting in\nthe interest of the Chinese government and assessed to be employing\nWINNTI-style tooling have taken strategic aim at Linux servers that serve a\ncritical role in enterprise network environments and have done so while\nremaining relatively undetected for nearly a decade. These groups target Red\nHat Enterprise, CentOS, and Ubuntu Linux environments systemically across a\nwide array of industry verticals for the purposes of espionage and intellectual\nproperty theft. The APT groups examined include the original WINNTI GROUP, PASSCV,\nBRONZE UNION, CASPER (LEAD), and a newly identified group BlackBerry researchers\nare tracking as WLNXSPLINTER. 
All five groups are assessed to be related given the\ndistinct similarities in their tactics, techniques and procedures (TTPs) employed\nand referred to in this report as the WINNTI approach.<\/p>\n\n\n\n<p><strong>\u2022 <\/strong><strong>The Linux Connection: <\/strong>The APT groups examined in\nthis report have traditionally pursued different objectives and focused on a\nwide array of targets. However, it was observed that there is a significant\ndegree of coordination between these groups, particularly where targeting of\nLinux platforms is concerned, and it is assessed that any organization with a\nlarge Linux distribution should not assume they are outside of the target sets\nfor any of these groups.<\/p>\n\n\n\n<p><strong>\u2022 <\/strong><strong>The XOR DDoS Botnet Connection: <\/strong>It was also observed that the malware used by WINNTI GROUP very\nclosely resembles that used in the massive Linux XOR DDoS botnet first identified\nin September of 2014, to the extent that BlackBerry researchers have judged the\nbotnet to have been a tool developed by this group.<\/p>\n\n\n\n<p><strong>\u2022 <\/strong><strong>Code Similarities: <\/strong>A PASSCV Android implant\nexamined in this report very closely resembles code marketed as the penetration\ntesting tool NetWire for Android, yet the malware is shown to have been\ncompiled nearly two years before the commercial NetWire tool was first made\navailable for purchase.<\/p>\n\n\n\n<p><strong>\u2022 <\/strong><strong>Hiding in Plain Sight: <\/strong>The APT groups examined in\nthis report have shifted from signing malware with certificates stolen from video\ngame companies to signing malware with certificates stolen from adware vendors,\nresulting in very low detection rates. 
It is assessed that this was being done\nto bypass network defenders by hiding malware within the high volume of\ninnocuous adware alerts large organizations typically receive in any given day.<\/p>\n\n\n\n<p><strong>\u2022 <\/strong><strong>Cloud Migration: <\/strong>It has been observed that\nthere has been a shift in infrastructure hosting towards the more frequent\nadoption of established, legitimate cloud services, presenting a challenge to\ndefenders\u2019 assumptions regarding the monitoring of trusted network traffic within\ntheir organizations\u2019 networks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Blackberry, the company once known for ultra-secure email via phones with superior keyboards, was overtaken by Apple and Android solutions in the market, but in an incredible tech turnaround story they became a solid cybersecurity organization. They provide intelligent security software and services to enterprises and governments around the world. 
They secure more than 500M endpoints<\/p>\n","protected":false},"author":44,"featured_media":17112,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[156],"tags":[2556,259,1796,2825,2826,1839,226],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/17108"}],"collection":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/comments?post=17108"}],"version-history":[{"count":4,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/17108\/revisions"}],"predecessor-version":[{"id":17116,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/17108\/revisions\/17116"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media\/17112"}],"wp:attachment":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media?parent=17108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/categories?post=17108"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/tags?post=17108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}