Attackers are increasingly carrying out financially motivated intrusions, drawn by the profit available from stolen data, ransom demands, and fraud. As businesses expose more of their operations online, the attack surface through which sensitive financial information can be reached and fraudulent transactions executed has grown accordingly.
A recent report from AttackIQ sheds light on the heightened activity of the Chinese Winnti group in financially motivated attacks. Winnti has been associated with cyber-espionage and financially motivated operations linked to the Chinese government since 2010. During the COVID-19 pandemic its focus on healthcare targets intensified, with a particular interest in medical research.
Known for its supply chain attacks, Winnti relies on its signature backdoor, ShadowPad, together with the PlugX Remote Access Trojan (RAT). Its operations unfold in multiple stages: detailed reconnaissance that expands from the initially compromised host to the surrounding network, followed by deployment of its malware arsenal and of additional tooling for lateral movement and data exfiltration.
In "Operation CuckooBees," publicly documented in May 2022, Winnti moved through malware execution, credential dumping, reconnaissance, and data exfiltration. Each stage relied on specific techniques to penetrate systems, gather information, and ultimately extract data for the group's financial gain.
An earlier campaign, "Operation Harvest," reported in September 2021, employed a similar tradecraft: PlugX delivery, credential dumping, backdoor deployment, and staging of data for exfiltration. Together these campaigns show the group's persistent targeting of organizations for financial gain.
The group's campaign that AttackIQ labels 2022-08, which specifically targeted government entities, followed the same pattern of malware delivery, system discovery, and deployment of further malware for data exfiltration. Each stage of that campaign maps to specific MITRE ATT&CK techniques for initial access and reconnaissance.
To counter these threats, organizations should focus on a small set of mitigations and detections: monitoring for scheduled task abuse, DLL side-loading, Windows service manipulation, and system binary proxy execution. Combined with proper auditing, account management, timely software updates, and exploit protection, these measures materially improve an organization's posture against Winnti and similar threat actors.
Continuous testing and analysis of attack graphs, in which the group's known techniques are emulated end to end against the production environment, is the most reliable way to find and close the gaps such actors exploit. By staying vigilant and implementing robust security measures, organizations can protect themselves against financially motivated attacks carried out by sophisticated threat actors with ties to nation-state entities.
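The four monitoring focuses above translate directly into detection rules. The following is an added example, written for this page rather than taken from the AttackIQ report or any Winnti sample, of what those rules look like when run over Windows Security, System and Sysmon events. The event dicts, task names, service names and paths are all constructed for the example and are not indicators from any campaign; the directory allow-list and the list of proxy binaries are assumptions a defender would tune to their own estate.

```python
"""Example detections for the four monitoring focuses named above:
scheduled task abuse, Windows service manipulation, DLL side-loading and
system binary proxy execution. Events are dicts mimicking Windows
Security/System (4698, 7045) and Sysmon (1, 7) fields. All sample records
are constructed for this example and are not indicators from any Winnti
campaign; the directory lists are assumptions to tune per environment.
"""

# Directories a legitimate service or task binary normally lives in (assumed allow-list).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# User-writable locations routinely used to stage payloads.
WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Signed system binaries commonly abused to proxy execution of attacker code.
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "msiexec.exe"}


def _dir(path):
    """Lower-cased directory of a path, with trailing backslash ('' if no directory)."""
    path = path.lower().strip('"')
    return path.rsplit("\\", 1)[0] + "\\" if "\\" in path else ""


def _basename(path):
    return path.lower().strip('"').rsplit("\\", 1)[-1]


def _first_token(cmd):
    """Executable portion of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def references_writable(cmd):
    """True if the command line points at a user-writable path or a URL."""
    low = cmd.lower()
    return any(d in low for d in WRITABLE_DIRS) or "http://" in low or "https://" in low


def suspicious_command(exe, cmd):
    """Return a reason if exe/cmd looks like staged or proxied code, else None."""
    if not _dir(exe).startswith(TRUSTED_DIRS):
        return "binary outside trusted directories"
    if _basename(exe) in PROXY_BINARIES and references_writable(cmd):
        return "system binary proxying code from a writable path"
    return None


def detect(events):
    """Run the four rules over event dicts; return (technique, subject, reason) tuples."""
    findings = []
    for ev in events:
        src, eid = ev["Source"], ev["EventID"]
        if src == "Security" and eid == 4698:      # scheduled task created
            reason = suspicious_command(_first_token(ev["TaskCommand"]), ev["TaskCommand"])
            if reason:
                findings.append(("scheduled task abuse", ev["TaskName"], reason))
        elif src == "System" and eid == 7045:      # new service installed
            reason = suspicious_command(_first_token(ev["ImagePath"]), ev["ImagePath"])
            if reason:
                findings.append(("service manipulation", ev["ServiceName"], reason))
        elif src == "Sysmon" and eid == 7:         # image (DLL) loaded
            same_dir = _dir(ev["ImageLoaded"]) == _dir(ev["Image"])
            if ev["Signed"] == "false" and same_dir and not _dir(ev["Image"]).startswith(TRUSTED_DIRS):
                findings.append(("DLL side-loading", ev["ImageLoaded"],
                                 "unsigned DLL loaded from the executable's own untrusted directory"))
        elif src == "Sysmon" and eid == 1:         # process created
            reason = suspicious_command(ev["Image"], ev["CommandLine"])
            if reason:
                findings.append(("system binary proxy execution", ev["CommandLine"], reason))
    return findings


# Constructed sample events: one benign and one suspicious record per rule.
SAMPLE_EVENTS = [
    {"Source": "Security", "EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskCommand": r"C:\Windows\System32\defrag.exe -c -h -o"},
    {"Source": "Security", "EventID": 4698, "TaskName": r"\UpdateCheck",
     "TaskCommand": r"C:\Windows\System32\rundll32.exe C:\ProgramData\cache\upd.dll,Run"},
    {"Source": "System", "EventID": 7045, "ServiceName": "VendorAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe" --svc'},
    {"Source": "System", "EventID": 7045, "ServiceName": "WinSysHelper",
     "ImagePath": r"C:\Users\Public\svc\helper.exe"},
    {"Source": "Sysmon", "EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"Source": "Sysmon", "EventID": 7, "Image": r"C:\Users\Public\viewer\signed_viewer.exe",
     "ImageLoaded": r"C:\Users\Public\viewer\version.dll", "Signed": "false"},
    {"Source": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Source": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /u /i:C:\Windows\Temp\p.sct scrobj.dll"},
]

if __name__ == "__main__":
    for technique, subject, reason in detect(SAMPLE_EVENTS):
        print(f"[{technique}] {subject}: {reason}")
```

Running the script flags exactly the four suspicious records and none of the benign ones. The DLL side-loading rule is the one most worth noting: it does not look for any particular DLL name but for a signed executable running outside the trusted directories that loads an unsigned library from its own folder, which is the shape of the technique regardless of which legitimate binary is abused. In production these rules would consume real event streams (Security 4698 and System 7045 require their audit policies to be enabled, and the Sysmon rules need image-load logging configured), and the allow-listed directories would be extended to match where the organization actually installs software.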
