Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/)

How Chinese cyber army steals intellectual property from your company
https://www.securitynewspaper.com/2022/05/05/how-chinese-cyber-army-steals-intellectual-property-from-your-company/
Thu, 05 May 2022 23:04:37 +0000
Cybersecurity specialists from tech firm Cybereason reported uncovering a Chinese cyberespionage operation whose main goal was intellectual property theft. Identified as “Operation CuckooBees”, the campaign was attributed to a China-sponsored advanced persistent threat (APT) group known as Winnti, APT41, Barium or Blackfly.

This group is known for using various malware strains and deploying them through complex attack chains. According to the Cybereason report, the intrusion starts with the exploitation of multiple vulnerabilities in an enterprise resource planning (ERP) tool. The hackers then place a file named gthread-3.6.dll in the VMware Tools folder; this loader lets them inject further payloads, alongside webshells and credential-dumping tools.

Threat actors also take pains to hide their activity. Among APT41’s techniques, the abuse of the Windows Common Log File System (CLFS) stands out: CLFS uses a proprietary, undocumented file format that can be read and written through its API but is not parsed by common security and forensic tools, which allowed the hackers to store malicious payloads inside CLFS log files and evade detection for years. As the report summarizes the outcome: “The attackers stole intellectual property such as confidential documents, blueprints, diagrams, formulas and proprietary data related to the manufacturing industry.”
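A hunting check in that spirit, added here as an example and not part of Cybereason’s report or tooling: because the CLFS format is not parsed by standard tools, one practical approach is to treat log containers as opaque bytes and look for two things a hidden payload tends to leave behind, an embedded PE image (an “MZ” header whose e_lfanew field points at a “PE\0\0” signature) and regions of high byte entropy that suggest packed or encrypted data. The scanner below is generic and works on any file, not only CLFS logs. The sample container is constructed for this example, and the 4 KiB chunk size and 7.2 bits-per-byte threshold are assumptions, not values from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* log2 without libm so the example links with a bare "cc": x = 2^e * m with m in [1,2),
 * ln(m) = 2*atanh((m-1)/(m+1)) summed as a series, then divided by ln(2). */
static double log2_nolibm(double x)
{
    uint64_t bits;
    memcpy(&bits, &x, sizeof bits);
    int e = (int)((bits >> 52) & 0x7FF) - 1023;
    bits = (bits & 0x000FFFFFFFFFFFFFULL) | 0x3FF0000000000000ULL;
    double m;
    memcpy(&m, &bits, sizeof m);
    double z = (m - 1.0) / (m + 1.0), z2 = z * z, term = z, sum = 0.0;
    for (int k = 1; k < 40; k += 2) { sum += term / k; term *= z2; }
    return e + 2.0 * sum / 0.6931471805599453;
}

/* Shannon entropy in bits per byte; 8.0 means uniformly random. */
double shannon_entropy(const uint8_t *buf, size_t n)
{
    size_t counts[256] = {0};
    double h = 0.0;
    for (size_t i = 0; i < n; i++) counts[buf[i]]++;
    for (int v = 0; v < 256; v++) {
        if (!counts[v]) continue;
        double p = (double)counts[v] / (double)n;
        h -= p * log2_nolibm(p);
    }
    return h;
}

static uint32_t rd32le(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Offsets of plausible PE images: an "MZ" whose e_lfanew (DOS header +0x3C) lands on "PE\0\0".
 * Returns the number found; the first max_out offsets are stored in out. */
size_t find_embedded_pe(const uint8_t *buf, size_t n, size_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t off = 0; off + 0x40 <= n; off++) {
        if (buf[off] != 'M' || buf[off + 1] != 'Z') continue;
        uint32_t e_lfanew = rd32le(buf + off + 0x3C);
        if (e_lfanew < 0x40 || e_lfanew > 0x1000) continue;   /* sanity bound on the header gap */
        size_t pe = off + e_lfanew;
        if (pe + 4 <= n && memcmp(buf + pe, "PE\0\0", 4) == 0) {
            if (found < max_out) out[found] = off;
            found++;
        }
    }
    return found;
}

/* Offsets of fixed-size chunks whose entropy reaches the threshold (packed or encrypted data). */
size_t high_entropy_chunks(const uint8_t *buf, size_t n, size_t chunk, double threshold,
                           size_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t off = 0; off < n; off += chunk) {
        size_t len = n - off < chunk ? n - off : chunk;
        if (shannon_entropy(buf + off, len) >= threshold) {
            if (found < max_out) out[found] = off;
            found++;
        }
    }
    return found;
}

/* Constructed sample container: text records and zero padding in the first 4 KiB with a minimal
 * PE stub dropped among them, then 4 KiB of pseudo-random bytes standing in for an encrypted payload. */
#define SAMPLE_LEN 8192
uint8_t sample[SAMPLE_LEN];
size_t sample_pe_offset;

void build_sample(void)
{
    const char *hdr = "constructed log container for this example\n";
    const char *rec = "record: user logon ok\r\n";
    size_t pos = 0;
    memset(sample, 0, SAMPLE_LEN);
    memcpy(sample + pos, hdr, strlen(hdr)); pos += strlen(hdr);
    for (int i = 0; i < 50; i++) { memcpy(sample + pos, rec, strlen(rec)); pos += strlen(rec); }
    sample_pe_offset = pos;                       /* DOS header: "MZ", e_lfanew = 0x80 */
    sample[pos] = 'M'; sample[pos + 1] = 'Z';
    sample[pos + 0x3C] = 0x80;
    memcpy(sample + pos + 0x80, "PE\0\0", 4);     /* PE signature; COFF header left as zeros */
    uint32_t x = 0x12345678;                      /* xorshift32, deterministic */
    for (size_t i = 4096; i < SAMPLE_LEN; i++) { x ^= x << 13; x ^= x >> 17; x ^= x << 5; sample[i] = (uint8_t)x; }
}

int main(void)
{
    size_t pe[4], he[4];
    build_sample();
    size_t npe = find_embedded_pe(sample, SAMPLE_LEN, pe, 4);
    size_t nhe = high_entropy_chunks(sample, SAMPLE_LEN, 4096, 7.2, he, 4);
    printf("embedded PE images: %zu (first at 0x%zx)\n", npe, npe ? pe[0] : 0);
    printf("high-entropy chunks: %zu (first at 0x%zx)\n", nhe, nhe ? he[0] : 0);
    return 0;
}
```

On a real host you would feed the scanner the bytes of each CLFS base log and container file rather than the constructed buffer. Both heuristics produce false positives on their own (legitimate compressed data is also high-entropy), so treat a hit as a lead for manual triage, not as a verdict.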

Experts add that the attacks targeted technology and manufacturing companies, especially in East Asia, Western Europe and North America, all considered industrial hotspots globally.   

Industrial espionage is a practice commonly associated with hacking groups sponsored by China and its all-powerful Communist Party. In the past, the United States and other nation states have accused the Asian giant of facilitating cyberattack campaigns for the theft of confidential records, either by financing their activities or by simply turning a blind eye to these groups and operations.

Chinese hackers could install backdoors on Microsoft SQL 11 and 12 servers using a “magic word”
https://www.securitynewspaper.com/2019/10/21/chinese-hackers-could-install-backdoors-on-microsoft-sql-11-and-12-servers-using-a-magic-word/
Mon, 21 Oct 2019 19:30:04 +0000
The activities of government-sponsored hacker groups can have disastrous consequences. A group of digital forensics experts from ESET has revealed the existence of a new malware developed by Winnti, a hacking group backed by the Chinese government, with the purpose of gaining persistence in a targeted Microsoft SQL Server system.

Identified as skip-2.0, this malware backdoors Microsoft SQL (MSSQL) Server versions 11 and 12 (SQL Server 2012 and 2014); once it is in place, the hackers can connect to any account on the server using a “magic word”, while hiding their activity from the server’s security logging.

Mathieu Tartare, ESET’s digital forensics expert, mentioned: “This backdoor allows threat actors to gain persistence on the victim’s server, in addition to bypassing detection, as many of the mechanisms of activity logging in the system are disabled using this special password”.

In fact, Winnti is a generic name that the cybersecurity community uses to refer to at least five different groups of Chinese-sponsored hackers. These threat actors have been using a similar set of tools for at least eight years, since a group of experts from Kaspersky Lab detected a Trojan identified as Winnti on the servers of several online video games.

ESET’s digital forensics experts also mentioned that the skip-2.0 malware bears some similarities to PortReuse and ShadowPad, two backdoors previously used by Winnti. In previous cyberattack campaigns, these backdoors were used to infect the servers of a major mobile software and hardware manufacturer.

Skip-2.0 attack process

When the malicious payload is dropped onto the compromised MSSQL server, the backdoor injects its code into the sqlserv.exe process and hooks functions inside sqllang.dll, the module that handles login authentication. In this way, the malware bypasses the MSSQL server authentication mechanism, allowing threat actors to log in even when the password supplied for the account is incorrect.

“The hook in this function is responsible for checking if the password provided by the user matches the hacker’s ‘magic word’; in that case, the original function will not be called and the hook will return a value of ‘0’, allowing the connection without using the actual password,” the experts added.
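To make that hooking logic concrete, the following is an added simulation in C; it is not skip-2.0’s code and does not reproduce sqllang.dll’s real internals. A stand-in password validator (returning 0 for an accepted login, the convention quoted above) is redirected to a hook that short-circuits both the password check and the audit write when the attacker’s magic word is supplied, and forwards every other login to the original function. The second half is the check a defender would want: comparing the first bytes of a function in memory against its on-disk prologue, since an inline hook normally overwrites the entry point with a jump. The account, the magic word and the prologue bytes are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Convention from the quoted analysis: the validator returns 0 when the login is accepted. */
typedef int (*validate_fn)(const char *user, const char *password);

static int audit_count = 0;            /* audit records written by the genuine login path */

/* Stand-in for the server's real password validator (constructed; a real server checks a salted hash). */
static int validate_pwd_original(const char *user, const char *password)
{
    int ok = strcmp(user, "sa") == 0 && strcmp(password, "CorrectHorse!") == 0;
    audit_count++;                     /* the genuine path always leaves an audit record */
    return ok ? 0 : 1;
}

/* Attacker-chosen "magic word" (constructed value). */
#define MAGIC_WORD "example-magic-word"

static validate_fn original_validate = validate_pwd_original;

/* The backdoor's hook: on the magic word it returns 0 at once, so neither the real check
 * nor the audit write ever runs; any other password is forwarded to the original unchanged. */
static int validate_pwd_hooked(const char *user, const char *password)
{
    if (strcmp(password, MAGIC_WORD) == 0)
        return 0;
    return original_validate(user, password);
}

/* The pointer the login path calls through; installing the backdoor swaps it. */
static validate_fn validate_pwd = validate_pwd_original;

void install_backdoor(void) { validate_pwd = validate_pwd_hooked; }
void remove_backdoor(void)  { validate_pwd = validate_pwd_original; }

/* Returns 1 when the login is accepted. */
int login(const char *user, const char *password) { return validate_pwd(user, password) == 0; }
int audit_records(void) { return audit_count; }

/* --- Defender side: spot an inline hook on a function entry point --- */

/* Constructed x64 prologue as found in the on-disk image: mov [rsp+8],rbx; push rdi; sub rsp,0x20 */
const uint8_t prologue_on_disk[] = {0x48,0x89,0x5C,0x24,0x08, 0x57, 0x48,0x83,0xEC,0x20};
/* Same entry after an inline hook: first five bytes replaced with jmp rel32 (constructed displacement). */
const uint8_t prologue_in_memory_hooked[] = {0xE9,0x10,0x32,0x54,0x76, 0x57, 0x48,0x83,0xEC,0x20};

/* 1 if the in-memory bytes start with a common detour or differ from the on-disk bytes. */
int looks_inline_hooked(const uint8_t *mem, size_t mem_len, const uint8_t *disk, size_t disk_len)
{
    if (mem_len >= 5 && mem[0] == 0xE9) return 1;                         /* jmp rel32 */
    if (mem_len >= 6 && mem[0] == 0xFF && mem[1] == 0x25) return 1;       /* jmp [rip+disp32] */
    if (mem_len >= 12 && mem[0] == 0x48 && mem[1] == 0xB8 &&
        mem[10] == 0xFF && mem[11] == 0xE0) return 1;                     /* mov rax,imm64; jmp rax */
    size_t n = mem_len < disk_len ? mem_len : disk_len;
    return memcmp(mem, disk, n) != 0;
}

int main(void)
{
    printf("before: sa/correct=%d sa/magic=%d\n", login("sa", "CorrectHorse!"), login("sa", MAGIC_WORD));
    install_backdoor();
    int before = audit_records();
    printf("after:  anyone/magic=%d audit records added=%d\n",
           login("anyone", MAGIC_WORD), audit_records() - before);
    printf("hooked prologue flagged: %d\n",
           looks_inline_hooked(prologue_in_memory_hooked, sizeof prologue_in_memory_hooked,
                               prologue_on_disk, sizeof prologue_on_disk));
    remove_backdoor();
    return 0;
}
```

The point the simulation makes is the one the quote makes: once the hook is in, the magic word works for any account and leaves nothing in the audit trail, because the genuine validator is never reached. The byte comparison is the same idea used by memory-integrity tools; on a live host you would read the function bytes from the running sqlserv.exe and compare them with the matching bytes of sqllang.dll on disk, after relocations.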

ESET experts tested the backdoor on several versions of the server and found that it only works on versions 11 and 12. According to digital forensics specialists from the International Institute of Cyber Security (IICS), although these MSSQL server versions were released almost six years ago, they remain in widespread use, so a large number of deployments could be exposed to infection.

In conclusion, ESET’s report expects that, given its features and the access it provides, Winnti hackers could start large-scale infection campaigns using this malware. The one limitation of the attack is that administrative privileges on the server are required to install the backdoor, so hackers still need a first stage of compromise before deploying skip-2.0.