HomeCyber BalkansChinese Winnti Group Escalates financially motivated attacks

Chinese Winnti Group Escalates financially motivated attacks

Published on

spot_img

Hackers are increasingly carrying out financially motivated attacks, driven by the potential to profit from stolen data, ransom demands, and fraudulent activities. The evolving digital landscape in businesses has created more vulnerabilities that can be exploited to access sensitive financial information and execute transactions for financial gain.

A recent report from AttackIQ has shed light on the heightened activities of the Chinese Winnti group in financially motivated attacks. The Winnti group has been associated with cyber-espionage and financial activities linked to the Chinese government since 2010. Particularly during the COVID-19 pandemic, their focus on healthcare targets, with a key interest in medical research, has intensified.

Known for their supply chain attacks, the Winnti group utilizes their signature backdoor, ShadowPad, as well as the PlugX Remote Access Trojan (RAT) in their operations. Their tactics involve multiple stages, with detailed reconnaissance expanding from local systems to networks, followed by the deployment of their malware arsenal along with additional tools for lateral movement and data exfiltration.

In their “Operation CuckooBees,” which took place in May 2022, Winnti proceeded through various stages including malware execution, credential dumping, reconnaissance, and data exfiltration. Each stage involved specific techniques to infiltrate systems, gather information, and ultimately extract data for their financial gain.

A previous campaign, “Operation Harvest,” conducted in September 2021, also employed sophisticated tactics such as PlugX delivery, credential dumping, backdoor deployment, and data staging for exfiltration. These campaigns demonstrate the group’s persistent efforts to target organizations for financial gain through cyber attacks.

Moreover, the Winnti group’s 2022-08 campaign, which specifically targeted government entities, showcased a similar pattern of malware delivery, system discovery, and malware deployment for data exfiltration. Each stage of the campaign utilized specific attack techniques outlined by MITRE ATT&CK for system infiltration and reconnaissance.

To combat these threats, organizations need to focus on key mitigations such as monitoring for scheduled task abuse, DLL side-loading, Windows service manipulation, and system binary proxy execution. By implementing proper auditing, account management, software updates, and exploit protection, organizations can enhance their security posture against threats posed by the Winnti group and other similar threat actors.

Continuous testing and analysis of attack graphs are crucial in identifying and addressing vulnerabilities exploited by threat actors like the Winnti group. By staying vigilant and implementing robust security measures, organizations can protect themselves against financially motivated cyber attacks carried out by sophisticated threat actors with ties to nation-state entities.

Source link

Latest articles

OAuth Client ID Spoofing Allows Attackers to Validate Stolen Microsoft Entra Credentials

New Technique in Cybersecurity: OAuth Client ID Spoofing Poses Threat to Cloud Environments In an...

Industry Response to Gold Eagle Vulnerability Management Plan

The tech industry is currently navigating a landscape of cautious optimism following the U.S....

23andMe Encounters New Security Requirements in $18 Million Data Breach Settlement

Major Settlement Reached Between 23andMe and Coalition of Attorneys General In a significant development stemming...

More like this

OAuth Client ID Spoofing Allows Attackers to Validate Stolen Microsoft Entra Credentials

New Technique in Cybersecurity: OAuth Client ID Spoofing Poses Threat to Cloud Environments In an...

Industry Response to Gold Eagle Vulnerability Management Plan

The tech industry is currently navigating a landscape of cautious optimism following the U.S....