
China-linked hackers have been infiltrating a company in East Asia for three years using F5 devices

June 17, 2024 · Newsroom · Cyber espionage / Vulnerability


A suspected China-linked cyber espionage group has been attributed a sustained attack on an unnamed organization located in East Asia spanning roughly three years, with the adversary persistently abusing legacy F5 BIG-IP appliances and repurposing them as internal command-and-control (C&C) infrastructure to evade defenses.

Cybersecurity firm Sygnia, which responded to the breach in late 2023, tracks the activity under the name Velvet Ant, characterizing the group as having a strong ability to quickly adapt its tactics to countermeasures.

“Velvet Ant is a sophisticated and innovative threat actor,” the Israeli company said in a technical report shared with The Hacker News. “They collected sensitive information over a long period of time, focusing on customer and financial information.”


The attack chains involve the use of a well-known backdoor called PlugX (also known as Korplug), a modular remote access trojan (RAT) widely used by espionage operators aligned with Chinese interests. PlugX is known to rely heavily on a technique called DLL side-loading to infiltrate devices.

Sygnia said it also identified attempts by the threat actor to disable endpoint security software before installing PlugX, as well as the use of open-source tools such as Impacket for lateral movement.

Incident response and remediation efforts also identified a modified PlugX variant that used an internal file server for command and control, thereby allowing malicious traffic to blend in with legitimate network activity.

“This meant that the threat actor had deployed two versions of PlugX on the network,” the company noted. “The first version, configured with an external C&C server, was installed on endpoints with direct Internet access, which made it easier to extract sensitive information. The second version had no C&C configuration and was only deployed on older servers.”


Notably, the second variant was found to use outdated F5 BIG-IP devices as a covert channel to communicate with the external command-and-control server by issuing commands through a reverse SSH tunnel, once again highlighting how compromising edge devices lets threat actors maintain persistence for extended periods.

“All it takes for a mass exploitation incident to occur is a vulnerable edge service, i.e. software accessible from the Internet,” WithSecure said in a recent analysis.


“Such devices are often intended to enhance network security, but time and time again, vulnerabilities are discovered in them and attackers exploit them, providing a perfect base in the target network.”

Subsequent forensic analysis of the compromised F5 devices also revealed a tool called PMCD, which polls the threat actor’s C&C server every 60 minutes for commands to execute, along with additional network packet capture utilities and a SOCKS tunneling tool called EarthWorm that has been used by actors such as Gelsemium and Lucky Mouse.
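A fixed hourly check-in like PMCD’s is the kind of behaviour that stands out in connection logs from a network appliance that should rarely initiate outbound sessions. As an added example (not code from Sygnia’s report), the Python below flags near-constant-interval flows in a constructed connection log; the IP addresses, log format and thresholds are assumptions:

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed connection log (not from the report): time, source, destination, dest port.
# 10.0.0.5 stands in for a legacy edge appliance, 203.0.113.10 for an external C&C host,
# 10.0.0.42 -> 198.51.100.7 is ordinary, irregular user traffic for contrast.
CONN_LOG = """\
2024-05-01T00:00:04 10.0.0.5 203.0.113.10 22
2024-05-01T01:00:07 10.0.0.5 203.0.113.10 22
2024-05-01T02:00:02 10.0.0.5 203.0.113.10 22
2024-05-01T03:00:09 10.0.0.5 203.0.113.10 22
2024-05-01T04:00:05 10.0.0.5 203.0.113.10 22
2024-05-01T05:00:01 10.0.0.5 203.0.113.10 22
2024-05-01T00:13:22 10.0.0.42 198.51.100.7 443
2024-05-01T00:14:01 10.0.0.42 198.51.100.7 443
2024-05-01T01:47:30 10.0.0.42 198.51.100.7 443
2024-05-01T02:02:11 10.0.0.42 198.51.100.7 443
2024-05-01T04:55:59 10.0.0.42 198.51.100.7 443
2024-05-01T05:30:00 10.0.0.42 198.51.100.7 443
"""

def parse_log(text):
    """Group connection timestamps (epoch seconds) by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts).timestamp())
    return flows

def find_beacons(flows, min_events=5, max_jitter=0.05):
    """Return flows whose inter-connection intervals are near-constant.

    A flow is flagged when it has at least `min_events` connections and the
    standard deviation of its gaps is below `max_jitter` of the median gap,
    i.e. the client checks in on a fixed schedule, whatever the period is.
    Returns {(src, dst, dport): median_interval_seconds}.
    """
    hits = {}
    for key, times in flows.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and pstdev(gaps) / med < max_jitter:
            hits[key] = med
    return hits

if __name__ == "__main__":
    for (src, dst, dport), period in find_beacons(parse_log(CONN_LOG)).items():
        print(f"periodic check-in: {src} -> {dst}:{dport} every ~{period / 60:.0f} min")
```

Restricting the source set to appliance management addresses and alerting on any flagged flow keeps the false-positive rate manageable, since legitimate user traffic rarely shows sub-5% jitter over many hours.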

The exact initial access vector used to breach the target environment, whether spear-phishing or exploitation of known vulnerabilities in Internet-facing systems, is currently unknown.

The development comes after the emergence of new China-linked clusters such as Unfading Sea Haze, Operation Diplomatic Specter and Operation Crimson Palace, which have been observed targeting Asia to collect sensitive information.
