A cyber espionage group known as Velvet Ant [1] [4] [5], with ties to China, has been targeting organizations in East Asia for three years.

Description

The group has been using legacy F5 BIG-IP devices for internal command and control operations, deploying a reworked variant of the PlugX backdoor with an internal file server for C&C. This variant allows the group to use legacy servers and F5 BIG-IP devices as covert communication channels. Tools such as PMCD [4], EarthWorm [1] [2] [3] [4] [5], and Impacket have been used for lateral movement and network communication [4], showcasing the group’s adaptability and evasion tactics.

The attackers established multiple footholds through various network entry points [3], including an old F5 BIG-IP appliance serving as an internal command and control (C2) server [3]. They stole sensitive information on clients and company finances for three years without detection [3]. Other malware deployed on the F5 BIG-IP appliance includes MCDP [3], SAMRID (EarthWorm) [3], and ESRDE [3]. Despite eradication efforts after the breach was discovered [3], the attackers redeployed PlugX with new configurations to avoid detection [3], using compromised internal devices like F5 appliances to maintain access [3].

Recommendations for defense against sophisticated threat groups like Velvet Ant include restricting outgoing connections [3], implementing strict controls on management ports [3], upgrading security controls [3], deploying robust EDR systems [3], and enhancing device security through patch management and intrusion detection [3].

Recent incidents have shown that network devices, including Fortinet, SonicWall [3], Cisco [3], and Barracuda devices [3], have become popular targets for threat actors seeking initial network access [3]. State-sponsored actors have also exploited vulnerabilities in Palo Alto Networks devices to install backdoors for data theft [3].
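The recommendations to restrict outgoing connections and control management ports can be checked against flow logs. The following is an added example, not taken from the cited reports: every address, port and label in it is constructed for illustration, and the allowlists would have to be replaced with a real inventory.

```python
import ipaddress

# Constructed inventory: every address and port below is an assumption.
APPLIANCE_MGMT_IPS = {"10.0.5.10"}                     # legacy appliance, management interface
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # address space treated as internal
ADMIN_NETS = [ipaddress.ip_network("10.0.99.0/24")]    # jump hosts allowed to manage it
MGMT_PORTS = {22, 443}                                 # expected management listeners

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.0.99.7", "10.0.5.10", 443),     # admin jump host to management UI (expected)
    ("10.0.20.31", "10.0.5.10", 22),     # workstation to management SSH
    ("10.0.30.12", "10.0.5.10", 8081),   # server to a port the appliance should not serve
    ("10.0.5.10", "203.0.113.50", 443),  # appliance to an external address
    ("10.0.20.31", "10.0.30.12", 445),   # unrelated internal traffic
]

def in_nets(ip, nets):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def classify(src, dst, dport):
    """Return a finding label for one flow, or None if no rule applies."""
    if src in APPLIANCE_MGMT_IPS and not in_nets(dst, INTERNAL_NETS):
        return "appliance-egress"          # appliance initiating outbound traffic
    if dst in APPLIANCE_MGMT_IPS:
        if dport not in MGMT_PORTS:
            return "unexpected-listener"   # service the appliance is not meant to offer
        if not in_nets(src, ADMIN_NETS):
            return "mgmt-port-exposure"    # management port reached from outside admin net
    return None

def review(flows):
    """Return (label, src, dst, dport) for every flow that produced a finding."""
    findings = []
    for src, dst, dport in flows:
        label = classify(src, dst, dport)
        if label:
            findings.append((label, src, dst, dport))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_FLOWS):
        print(*finding)
```

A real load balancer also opens connections to its backend pool, so internal traffic initiated by the appliance is deliberately not flagged here and would need its own allowlist.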

Conclusion

The impact of cyber espionage groups like Velvet Ant targeting organizations in East Asia is significant, with sensitive information being stolen over a prolonged period. Mitigations such as upgrading security controls, deploying robust EDR systems [3], and enhancing device security are crucial in defending against such threats. Recent incidents in which threat actors targeted network devices highlight the need for continuous vigilance and proactive security measures to prevent data theft and unauthorized access.

References

[1] https://thehackernews.com/2024/06/china-linked-hackers-infiltrate-east.html
[2] https://innovatopia.jp/cyber-security/cyber-security-news/32037/
[3] https://www.hfrance.fr/des-pirates-utilisent-des-logiciels-malveillants-f5-big-ip-pour-voler-furtivement-des-donnees-pendant-des-annees.html
[4] https://www.redpacketsecurity.com/china-linked-hackers-infiltrate-east-asian-firm-for-3-years-using-f5-devices/
[5] https://vulners.com/thn/THN:00D2824EAAEE2061BED046B44A884DA4